Wednesday, July 13, 2011

Solar FTP 2.1.1 PASV Exploit

Let the fuzzing continue... I found a remote exploit bug in Solar FTP that used the PASV command. Appending a string of about 2127 bytes to the PASV command causes the application to crash. Under certain circumstances remote code execution is possible as well. I worked again with my comrade, Gerardo Galvan, and we had it published yesterday: http://www.exploit-db.com/exploits/17527/

The interesting part about this exploit was the JMP EAX we used took us to some junk before our actual buffer. Fortunately, executing the instructions we landed on did not cause the execution flow to change directions.

We left some work for a future researcher to figure out why the behavior changes when the IP changes. This was a similar problem we had with Golden FTP but it seemed the Solar problem was much more confusing. I couldn't get consistent behavior by changing IP addresses. Hopefully someone can figure this out in the future!
