ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
Disclosed | Created
---|---
11/26/2006 | 05/30/2018
Description
This module exploits a stack-based buffer overflow in versions 1.2 through
1.3.0 of the ProFTPD server. The vulnerability is in the "sreplace" function
in the "src/support.c" file.
The off-by-one heap overflow bug in the ProFTPD sreplace function was
discovered about two years ago by Evgeny Legerov. We tried to exploit
this off-by-one bug via the MKD command, but failed. We did not work on this bug
since then.
Actually, there exist at least two bugs in the sreplace function: one is the
mentioned off-by-one heap overflow bug, the other is a stack-based buffer overflow
via 'sstrncpy(dst,src,negative argument)'.
We were unable to reach the "sreplace" stack bug on the ProFTPD 1.2.10 stable
version, but version 1.3.0rc3 introduced some interesting changes, among them:
1. another (integer) overflow in sreplace!
2. now it is possible to reach the sreplace stack-based buffer overflow bug via
the "pr_display_file" function!
3. stupid '.message' file display bug
So we decided to choose ProFTPD 1.3.0 as the target for our exploit.
To reach the bug, you need to upload a specially created .message file to a
writeable directory, then do "CWD " to trigger the invocation
of the sreplace function.
Note that ProFTPD 1.3.0rc3 introduced a stupid bug: to display the '.message'
file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.
The exploit has been a part of VulnDisco Pack since Dec 2005.
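The description above names the precondition an attacker must satisfy before sreplace is ever reached: a '.message' file (and, on 1.3.0rc3, a file named '250') has to be uploaded into a directory the FTP user can write to. That is something a defender can look for in the server's transfer log. The following Python is an added example for this page, not part of the Metasploit module or of ProFTPD; it assumes the classic wu-ftpd-style xferlog layout that ProFTPD's TransferLog produces, and every log line in it is constructed for the example.

```python
"""Flag ProFTPD transfer-log entries that upload a '.message' (or '250') file.

Assumed xferlog record layout (wu-ftpd style, as written by ProFTPD's
TransferLog directive):

  <dow> <mon> <day> <HH:MM:SS> <year> <xfer-secs> <remote-host> <bytes>
  <filename> <a|b> <_|C|U|T> <i|o|d> <a|g|r> <username> <service>
  <auth-method> <auth-uid> <c|i>

Direction 'i' is an incoming transfer (upload); 'o' is a download; 'd' a delete.
"""
from dataclasses import dataclass
import posixpath

# Basenames named in the module description as the trigger files.
SUSPICIOUS_BASENAMES = {".message", "250"}


@dataclass(frozen=True)
class XferRecord:
    remote_host: str
    path: str
    direction: str   # 'i' upload, 'o' download, 'd' delete
    username: str
    completed: bool  # completion-status 'c' (complete) vs 'i' (incomplete)


def parse_xferlog_line(line: str):
    """Parse one xferlog line into an XferRecord, or return None if malformed.

    The nine fields after the filename have a fixed shape, so the record is
    anchored on that tail; this keeps a filename containing spaces intact.
    """
    tokens = line.split()
    if len(tokens) < 18:
        return None
    tail = tokens[-9:]  # type, special-action, direction, access, user, service, auth, uid, status
    direction, username, status = tail[2], tail[4], tail[8]
    if direction not in {"i", "o", "d"} or status not in {"c", "i"}:
        return None
    path = " ".join(tokens[8:-9])
    return XferRecord(remote_host=tokens[6], path=path, direction=direction,
                      username=username, completed=(status == "c"))


def find_message_file_uploads(lines):
    """Return records that upload one of the trigger basenames.

    A completed upload is itself evidence that the directory was writeable,
    which is the other precondition the description states.
    """
    hits = []
    for line in lines:
        rec = parse_xferlog_line(line)
        if rec is None or rec.direction != "i":
            continue
        if posixpath.basename(rec.path) in SUSPICIOUS_BASENAMES:
            hits.append(rec)
    return hits


# Constructed sample log: one ordinary upload, one '.message' upload, one
# download of an existing '.message' (benign), one '250' upload, one bad line.
SAMPLE_LOG = [
    "Wed Oct 10 12:34:56 2018 1 192.0.2.10 4096 /pub/incoming/report.pdf b _ i r bob ftp 0 * c",
    "Wed Oct 10 12:35:02 2018 1 192.0.2.10 42 /pub/incoming/.message a _ i r alice ftp 0 * c",
    "Wed Oct 10 12:35:10 2018 1 192.0.2.11 42 /pub/.message a _ o a anonymous ftp 0 * c",
    "Wed Oct 10 12:35:15 2018 1 192.0.2.10 1 /pub/incoming/250 a _ i r alice ftp 0 * c",
    "this line is not an xferlog record",
]


if __name__ == "__main__":
    for rec in find_message_file_uploads(SAMPLE_LOG):
        print(f"{rec.remote_host} user={rec.username} uploaded {rec.path} "
              f"(completed={rec.completed})")
```

Feed it the server's actual TransferLog to review uploads; a hit is not proof of exploitation, only of the staging step, and should be paired with a check of the running ProFTPD version and of which directories are intentionally writeable.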
Authors
Evgeny Legerov, jduck
Platform
Linux
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/ftp/proftp_sreplace
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run