Metasploit Toolkit: For Penetration Testing, Exploit Development, and Vulnerability Research

SlimFTPd is a fully functional, standards-compliant FTP server with an advanced virtual file system. A classic stack overflow was identified in SlimFTPd versions prior to 3.16; it can be exploited to execute arbitrary code with the privileges of the user running the server. Exploitation requires a valid logon and the ability to list and write.
The vulnerability is caused by the application's failure to perform proper boundary checks when building the path strings used by the LIST, DELE, and RNFR commands. Each of these commands constructs a string by concatenating the current directory with the requested directory or file name. The buffer that holds this combined string is 512 bytes, and the length of the requested name is never checked against the space remaining in it. An overly long requested directory or file name therefore runs past the end of the buffer, crashes the SlimFTPd server, and overwrites the saved return address, giving the attacker control of EIP.
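To make the missing boundary check concrete, here is an added C illustration written for this page; it is not SlimFTPd's source, and the buffer, function, and path names are assumptions (the page gives only the 512-byte size). It shows the unchecked concatenation of the current directory with the LIST/DELE/RNFR argument, the bounds-checked form that rejects a request that would not fit, and a helper that computes how far a given request overruns the buffer, all driven by constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size from the text: the combined "cwd + requested name"
 * string lives in a 512-byte stack buffer. Names below are illustrative,
 * not SlimFTPd's real identifiers. */
#define PATH_BUF 512

/* Vulnerable pattern: nothing checks that cwd + arg fits in PATH_BUF.
 * An argument longer than the remaining space writes past the buffer
 * and over the saved return address. It is shown for comparison only and
 * is never called with oversized input here, since that is undefined
 * behaviour. */
void build_path_unchecked(char out[PATH_BUF], const char *cwd, const char *arg)
{
    strcpy(out, cwd);
    strcat(out, arg);
}

/* Hardened form: measure first, refuse anything that would need more
 * than PATH_BUF bytes including the terminating NUL.
 * Returns 0 on success, -1 if the request is rejected. */
int build_path_checked(char out[PATH_BUF], const char *cwd, const char *arg)
{
    size_t cwd_len = strlen(cwd);
    size_t arg_len = strlen(arg);

    /* Need cwd_len + arg_len + 1 <= PATH_BUF; the subtraction is safe
     * because cwd_len < PATH_BUF is established first. */
    if (cwd_len >= PATH_BUF || arg_len >= PATH_BUF - cwd_len)
        return -1;

    memcpy(out, cwd, cwd_len);
    memcpy(out + cwd_len, arg, arg_len + 1);   /* includes the NUL */
    return 0;
}

/* How many bytes a request of arg_len characters would write past the
 * buffer for a given current directory (0 if it fits). This is the
 * arithmetic an exploit writer does when sizing the LIST argument. */
size_t overflow_bytes(const char *cwd, size_t arg_len)
{
    size_t need = strlen(cwd) + arg_len + 1;
    return need > PATH_BUF ? need - PATH_BUF : 0;
}

/* Constructed check: an ordinary request builds normally. */
int normal_request_builds(void)
{
    char path[PATH_BUF];
    return build_path_checked(path, "/pub/", "incoming") == 0
        && strcmp(path, "/pub/incoming") == 0;
}

/* Constructed check: a 599-byte argument is refused by the safe form. */
int oversized_request_rejected(void)
{
    char path[PATH_BUF];
    char long_arg[600];
    memset(long_arg, 'A', sizeof long_arg - 1);
    long_arg[sizeof long_arg - 1] = '\0';
    return build_path_checked(path, "/pub/", long_arg) == -1;
}

int main(void)
{
    printf("normal request builds:      %s\n", normal_request_builds() ? "yes" : "no");
    printf("oversized request rejected: %s\n", oversized_request_rejected() ? "yes" : "no");
    printf("599-byte LIST arg from /pub/ overruns by %zu bytes\n",
           overflow_bytes("/pub/", 599));
    return 0;
}
```

The boundary matters: with a five-byte current directory, a 506-byte argument fills the buffer exactly (511 characters plus NUL) and is accepted, while 507 bytes is the first length the checked version refuses and the unchecked version silently overruns.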
In this case study, we will use the LIST command to trigger the vulnerability. Starting from the sample template module shipped with the Metasploit Framework, we wrote a simple Perl module that makes an FTP connection and crashes the SlimFTPd server. The following is the example module:

```perl
sub Exploit {
    my $self = shift;
    ...
```