This module exploits a stack buffer overflow in Xlink FTP Server that comes bundled with Omni-NFS Enterprise 5.2. When an overly long FTP request is sent to the server, arbitrary code may be executed.
This module exploits a buffer overflow in the XMD5 verb in IPSWITCH WS_FTP Server 5.05.
This module exploits a stack buffer overflow in Odin Secure FTP 4.1, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.
This is an exploit for Serv-U's MDTM command timezone overflow. It has been heavily tested against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against nt4/2k/xp/2k3. I have also had success against version 3, but only tested 1 version/os. The bug is in all versions prior to 5.0.0.4, but this exploit will not work against versions not listed above. You only get one shot, but it should be OS/SP independent. This exploit is a single hit; the service dies after the shellcode finishes execution.
By passing an overly long token to the UNLOCK command, a stack-based buffer overflow occurs. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. Oracle9i includes a number of default accounts, including dbsnmp:dbsmp, scott:tiger, system:manager, and sys:change_on_install.
This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined.
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack-based buffer overflow. NOTE: EasyFTP allows anonymous access by default. However, in order to access the 'MKD' command, you must have access to an account that can create directories. After version 1.7.0.12, this package was renamed 'UplusFtp'. This exploit utilizes a small piece of code that I've referred to as 'fixRet'. This code allows us to inject a payload of ~500 bytes into a 264-byte buffer by 'fixing' the return address post-exploitation. See references for more information.
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered through an excessively long PASV message.
This module exploits a buffer overflow in the ProFTP 2.9 client that is triggered through an excessively long welcome message.
This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600 client that is triggered through an excessively long PASV reply command.