ftpd glob overflow exploit v1.67 Vulnerability exploited: CAN-2001-0247 - BID-2548 Category: Exploits/Remote Exploits a buffer overflow in the implementation of the glob() function in BSD ftp servers. By exploiting this vulnerability, the return address in the stack can be arbitrarily altered, allowing the auditor to gain control of the target host.After successful exploitation a level0 agent will be deployed. This level0 agent will inherit the user identity and capabilities of the abused service, usually those of the user used to login to the FTP server (for example, ftp). However, the UID (as opposite to the EUID) of the level0 agent will be that of the super user in most cases (usually 0), and it can be changed by using the setuid module (see "setuid").When an anonymous user is used, or if the server is configured to do this for other users, the deployed level0 agent will be running inside a chroot jail. This situation does not prevent the use of the level0, and after setting the EUID to that of the super user, the chroot breaker module (see "chroot breaker") can be used to escape the chroot jail.As a side effect of this exploit execution, two new directories will be created on the target host, namely 'A' and 'AAAAAAAAA...' inside the former. They can be deleted after the module finishes execution. Supported Systems: OpenBSD 2.7 (i386) OpenBSD 2.8 (i386) This module is included in the latest version of CORE IMPACT, the first automated comprehensive penetration testing product for accurately identifying information security risks. Click here to learn more about the product.