FreeFloat FTP Server
cpe:2.3:a:freefloat:freefloat_ftp_server:*:*:*:*:*:*:*
- 1.0
A critical buffer overflow vulnerability has been identified in FreeFloat FTP Server version 1.0. The issue is in the PWD command handler, where unspecified functionality can be manipulated to cause a buffer overflow. The vulnerability can be exploited remotely, leading to potential arbitrary code execution.
Exploiting the buffer overflow allows arbitrary code to be executed on the affected system. In this case, exploitation was demonstrated by obtaining a reverse shell on the target machine, running with the same privileges as the FTP server process.
The vulnerability can be reproduced by sending an excessive amount of data through the 'PWD' command, which causes the application to crash, indicating a buffer overflow. After confirming the buffer overflow, the exploitation involves calculating the offset needed to overwrite the Extended Instruction Pointer (EIP) and redirect execution to a payload. This can be done using tools from the Metasploit Framework, such as 'msf-pattern_create' and 'msf-pattern_offset'. Once the offset is determined, a reliable 'JMP ESP' instruction can be found using the Mona plugin for Immunity Debugger. The payload, which can be generated with 'msfvenom', is then crafted by combining the offset, the EIP overwrite, and the shellcode, before being sent to the server via the 'PWD' command.
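For detection, the trigger described above is easy to spot on the FTP control channel, because RFC 959 defines PWD with no argument at all. The following is an added example, not code from the advisory or the vendor; the length threshold, function names and sample lines are assumptions constructed for illustration.

```python
# Assumed threshold (not from the advisory): tune it to the longest
# legitimate command line seen in your environment.
MAX_LINE = 512

# Constructed sample of client-to-server FTP control-channel lines.
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS guest@example.test\r\n",
    b"PWD\r\n",
    b"CWD /pub\r\n",
    b"PWD " + b"A" * 1000 + b"\r\n",
    b"pwd \x90\x90\x90\x90\xcc\r\n",
]

def inspect_line(raw: bytes) -> list[str]:
    """Return the reasons a single control-channel line looks anomalous."""
    reasons = []
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    if len(line) > MAX_LINE:
        reasons.append("overlong-line")
    # RFC 959 defines PWD with no argument, so any argument is anomalous.
    if verb.upper() == b"PWD" and arg.strip():
        reasons.append("pwd-with-argument")
    # Bytes outside printable ASCII are unusual in a command line; UTF-8
    # path names on other commands can trigger this, so treat it as a hint.
    if any(b < 0x20 or b > 0x7E for b in line):
        reasons.append("non-printable-bytes")
    return reasons

def scan(lines):
    """Return (index, verb, raw_length, reasons) for every flagged line."""
    findings = []
    for i, raw in enumerate(lines):
        reasons = inspect_line(raw)
        if reasons:
            verb = raw.split(b" ", 1)[0].strip().upper().decode("ascii", "replace")
            findings.append((i, verb, len(raw), reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same two conditions (an argument on PWD, or a command line beyond the chosen length) translate directly into an IDS rule or an FTP proxy filter placed in front of a server that cannot be patched or retired.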