A remote Microsoft FTP server exploit was released today by Kingcope, and can be found at http://milw0rm.com/exploits/9541,
A quick examination of the exploit showed some fancy manipulations in a highly restrictive environment that lead to a ”useradd” type payload. The main issue was the relatively small payload size allowed by the SITE command, which was limited to around 500 bytes.
After a bit of tinkering around, we saw that the PASSWORD field would be most suitable to shove a larger payload (bindshell). A quick replacement of the original “user add” shellcode with a secondary encoded egghunter – and a bind shell was presented to us! I wonder how long this 0day has been around…As Rel1k would say to logan_WHD…”it’s OK, it’s OK…”.