module
EasyFTP Server CWD Command Stack Buffer Overflow
| Disclosed | Created |
|---|---|
| Feb 16, 2010 | May 30, 2018 |
Disclosed
Feb 16, 2010
Created
May 30, 2018
Description
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which
leads to a stack based buffer overflow. EasyFTP allows anonymous access by
default; valid credentials are typically unnecessary to exploit this vulnerability.
After version 1.7.0.12, this package was renamed "UplusFtp".
This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.
This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by
'fixing' the return address post-exploitation. See references for more information.
and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which
leads to a stack based buffer overflow. EasyFTP allows anonymous access by
default; valid credentials are typically unnecessary to exploit this vulnerability.
After version 1.7.0.12, this package was renamed "UplusFtp".
This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.
This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by
'fixing' the return address post-exploitation. See references for more information.
Authors
Paul Makowski my.hndl@gmail.com
jduck jduck@metasploit.com
jduck jduck@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.