Monday, September 7, 2009

Microsoft IIS FTP 5.0 Remote SYSTEM Exploit

A remote Microsoft FTP server exploit was released today by Kingcope, and can be found at,

A quick examination of the exploit showed some fancy manipulations in a highly restrictive environment that lead to a ”useradd” type payload. The main issue was the relatively small payload size allowed by the SITE command, which was limited to around 500 bytes.

After a bit of tinkering around, we saw that the PASSWORD field would be most suitable to shove a larger payload (bindshell). A quick replacement of the original “user add” shellcode with a secondary encoded egghunter – and a bind shell was presented to us! I wonder how long this 0day has been around…As Rel1k would say to logan_WHD…”it’s OK, it’s OK…”.

The exploit can be downloaded from BackTrack's exploit archive. To entertain the masses, they also made “Microsoft IIS 5.0 FTP 0 Day – The movie

No comments:

Post a Comment