Vermillion FTP Daemon PORT Command Memory Corruption

Disclosed
Sep 23, 2009
Created
May 30, 2018

Description

This module exploits an out-of-bounds array access in the Arcane Software
Vermillion FTP server. By sending a specially crafted FTP PORT command,
an attacker can corrupt stack memory and execute arbitrary code.

This particular issue is caused by processing attacker-controlled input
while writing into a 4-byte stack buffer. Unfortunately, the writing that
occurs is not a simple byte copy.

Processing is done using a source pointer (p) and a destination pointer (q).
The vulnerable function walks the input string and continues while the
source byte is non-null. If a comma is encountered, the function increments
the destination pointer. If an ASCII digit [0-9] is encountered, the
following occurs:

*q = (*q * 10) + (*p - '0');

All other input characters are ignored in this loop.
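As an added illustration (not vftpd's code and not part of the Metasploit module), the following C shows the parsing loop described above next to a bounds-checked parser for the same input. The FTP PORT argument format "h1,h2,h3,h4,p1,p2" (four IPv4 octets followed by two port bytes) is taken from RFC 959; the function names, the overrun-counting simulation and the sample strings are assumptions constructed for this example. The simulation counts the digit writes that would land outside a 4-byte buffer instead of performing them, so the effect of unbounded comma handling can be observed without corrupting memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not vftpd's code. The FTP PORT argument has the form
 * "h1,h2,h3,h4,p1,p2" (RFC 959): four IPv4 octets and two port bytes.
 * All function names here are hypothetical. */

#define PORT_FIELDS 6

/* Simulation of the loop described on the page: a comma advances the write
 * index, a digit is folded into the current slot, anything else is skipped.
 * Writes that would fall outside the 4-byte buffer are counted and returned
 * rather than performed, so the unsafe behaviour can be observed safely. */
int simulate_unsafe_writes(const char *p)
{
    uint8_t buf[4] = {0};
    size_t idx = 0;
    int overrun = 0;

    for (; *p != '\0'; p++) {
        if (*p == ',') {
            idx++;                          /* unbounded in the original loop */
        } else if (*p >= '0' && *p <= '9') {
            if (idx < sizeof buf)
                buf[idx] = (uint8_t)(buf[idx] * 10 + (*p - '0'));
            else
                overrun++;                  /* "*q = ..." past the buffer end */
        }
        /* any other byte is ignored, as in the original loop */
    }
    return overrun;
}

/* Hardened parser: fixed field count, one octet per field, no ignored
 * bytes. Returns 0 and fills ip/port on success, -1 on malformed input. */
int parse_port_arg(const char *arg, uint8_t ip[4], uint16_t *port)
{
    unsigned fields[PORT_FIELDS] = {0};
    size_t idx = 0;
    int digits = 0;                         /* digits seen in the current field */

    for (const char *p = arg; *p != '\0'; p++) {
        if (*p == ',') {
            if (digits == 0)
                return -1;                  /* empty field */
            if (++idx >= PORT_FIELDS)
                return -1;                  /* more than six fields */
            digits = 0;
        } else if (*p >= '0' && *p <= '9') {
            if (++digits > 3)
                return -1;                  /* an octet has at most three digits */
            fields[idx] = fields[idx] * 10 + (unsigned)(*p - '0');
            if (fields[idx] > 255)
                return -1;                  /* each field must fit one byte */
        } else {
            return -1;                      /* reject instead of silently skipping */
        }
    }
    if (idx != PORT_FIELDS - 1 || digits == 0)
        return -1;                          /* exactly six non-empty fields */

    for (size_t i = 0; i < 4; i++)
        ip[i] = (uint8_t)fields[i];
    *port = (uint16_t)(fields[4] * 256 + fields[5]);
    return 0;
}

/* Convenience wrapper: the parsed port number, or -1 if the argument is rejected. */
long port_from_arg(const char *arg)
{
    uint8_t ip[4];
    uint16_t port;
    if (parse_port_arg(arg, ip, &port) != 0)
        return -1;
    return (long)port;
}

int main(void)
{
    const char *ok  = "10,0,0,5,4,1";       /* constructed sample: 10.0.0.5:1025 */
    const char *bad = "1,2,3,4,5,6,7,8";    /* constructed sample: too many fields */
    printf("%s -> port %ld\n", ok, port_from_arg(ok));
    printf("%s -> rejected (%ld); unsafe loop would overrun by %d writes\n",
           bad, port_from_arg(bad), simulate_unsafe_writes(bad));
    return 0;
}
```

The two design points worth noting for a defender are that the hardened version bounds the field index before every write and that it rejects unexpected bytes instead of ignoring them; ignoring unknown characters is what lets arbitrary filler be interleaved with commas and digits in the original loop.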

As a consequence, an attacker must craft input such that modifications
to the current values on the stack result in usable values. In this exploit,
the low two bytes of the return address are adjusted to point at the
location of a 'call edi' instruction within the binary. This was chosen
since 'edi' points at the source buffer when the function returns.

NOTE: This server can be installed as a service using "vftpd.exe install".
If so, the service does not restart automatically, giving an attacker only
one attempt.

Author

jduck <jduck@metasploit.com>

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/windows/ftp/vermillion_ftpd_port
msf exploit(vermillion_ftpd_port) > show targets
...targets...
msf exploit(vermillion_ftpd_port) > set TARGET < target-id >
msf exploit(vermillion_ftpd_port) > show options
...show and set options...
msf exploit(vermillion_ftpd_port) > exploit
