FTPShell Server 4.3 (licence key) Remote Buffer Overflow PoC

ID ZSL-2009-4903
Type zeroscience
Reporter Gjoko Krstic
Modified 2009-01-22T00:00:00


Title: FTPShell Server 4.3 (licence key) Remote Buffer Overflow PoC
Advisory ID: ZSL-2009-4903
Type: Local/Remote
Impact: System Access, DoS
Risk: (2/5)
Release Date: 22.01.2009


FTPShell server is a windows FTP service that enables remote file downloads and uploads. It supports regular and secure FTP based on both SSL/TLS and SSH2. It is also extremely easy to configure and use.


FTPShell Server 4.3 suffers from buffer overflow vulnerability that can be exploited remotely or localy. It fails to perform adequate boundry condition of the input .key file, allowing us to overwrite the EAX and EDX registers. When trying to install licence with less than 8000 bytes we get a message: "It appears that your key file is corrupt or invalid.", but when installing a licence with 8000 bytes we get a message: "Your licence key has been succesfully loaded. Please restart the program."

Note: When you restart the program, it will always crash untill you repair it or reinstall it.


(1178.1d4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=00b159c0 ecx=00b159c0 edx=41414141 esi=00b1c630 edi=00000005 eip=004039a0 esp=0012f3bc ebp=00000000 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 ftpshelldscp+0x39a0: 004039a0 ff5210 call dword ptr [edx+10h] ds:0023:41414151=????????


Codeorigin, LLC - <http://www.ftpshell.com>

Affected Version


Tested On

Microsoft Windows XP Professional SP2 (English)

Vendor Status





Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>


[1] <http://www.milw0rm.com/exploits/7852>
[2] <http://xforce.iss.net/xforce/xfdb/48174>
[3] <http://www.securityfocus.com/bid/33403>
[4] <http://www.packetstormsecurity.org/filedesc/ftpshell-overflow.txt.html>
[5] http://www.hackzone.ru/exploit/view/id/4344
[6] http://secunia.com/advisories/33597
[7] <http://securityreason.com/exploitalert/5584>
[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0349>
[9] <http://osvdb.org/51510>
[10] <http://www.itsec.gov.cn//aqld/ldtb/3952.htm>
[11] <http://www.f-secure.com/vulnerabilities/en/SA200900514>
[12] <http://en.securitylab.ru/poc/366844.php>
[12] <http://www.hacker.com.cn/news/view.asp?id=2480>
[13] <http://www.vfocus.net/art/20090123/4522.html>
[14] <http://it.com.mk/index.php/Gjoko-Krstikj/Sigurnost/Slabost-kaj-FTPShell-Server-4.5-BoF>


[22.01.2009] - Initial release
[27.01.2009] - Added reference [14]


Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
body {
	background-color: #000;
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
a:link {
	color: #008FEF;
	text-decoration: none;
a:visited {
	color: #008FEF;
	text-decoration: none;
a:hover {
	text-decoration: underline;
	color: #666;
a:active {
	text-decoration: none;
&lt;body bgcolor=black&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;