Mubix has also made a quick nmap script to search out this vulnerability.
More info on that here
A remote Microsoft FTP server exploit was released today by Kingcope, and can be found at http://milw0rm.com/exploits/9541. A quick examination of the exploit showed some fancy manipulations in a highly restrictive environment that lead to a "useradd"-type payload. The main issue was the relatively small payload size allowed by the SITE command, which was limited [...]
Doesn't work under W2003 Server patched.
For German Windows 2k Prof you can use the following JMP ESP:
Code:
$retaddr = "\x7B\x30\xE3\x77"; # JMP ESP german win2k platforms (fully patched)
More details including screenshot can be found here: http://www.s3cur1ty.de/iis-ftp-exploit-german-win2k
After a while I'm back... waiting eagerly for the final release of BT4...
I've tried to replicate this on a Win2k Server SP0 box in a VMware environment, with no luck... Could it be that the return address for JMP ESP is different in the server version? Or could it be related to the VMware environment? Any thoughts?