so... what fuzzer that you didnt code did you use to find these amazing vulns?
Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You should not claim code execution when your code does not perform it. Well I guess it has been good talking until your fuzzer crashes another application and you copy and paste the results On 11/28/07, Rajesh Sethumadhavan <[EMAIL PROTECTED]> wrote: > > Microsoft FTP Client Multiple Bufferoverflow > Vulnerability > > ##################################################################### > > XDisclose Advisory : XD100096 > Vulnerability Discovered: November 20th 2007 > Advisory Reported : November 28th 2007 > Credit : Rajesh Sethumadhavan > > Class : Buffer Overflow > Denial Of Service > Solution Status : Unpatched > Vendor : Microsoft Corporation > Affected applications : Microsoft FTP Client > Affected Platform : Windows 2000 server > Windows 2000 Professional > Windows XP > (Other Versions may be also effected) > > ##################################################################### > > > Overview: > Bufferoverflow vulnerability is discovered in > microsoft ftp client. Attackers can crash the ftp > client of the victim user by tricking the user. > > > Description: > A remote attacker can craft packet with payload in the > "mget", "ls", "dir", "username" and "password" > commands as demonstrated below. When victim execute > POC or specially crafted packets, ftp client will > crash possible arbitrary code execution in contest of > logged in user. This vulnerability is hard to exploit > since it requires social engineering and shellcode has > to be injected as argument in vulnerable commands. > > The vulnerability is caused due to an error in the > Windows FTP client in validating commands like "mget", > "dir", "user", password and "ls" > > Exploitation method: > > Method 1: > -Send POC with payload to user. > -Social engineer victim to open it. > > Method 2: > -Attacker creates a directory with long folder or > filename in his FTP server (should be other than IIS > server) > -Persuade victim to run the command "mget", "ls" or > "dir" on specially crafted folder using microsoft ftp > client > -FTP client will crash and payload will get executed > > > Proof Of Concept: > http://www.xdisclose.com/poc/mget.bat.txt > http://www.xdisclose.com/poc/username.bat.txt > http://www.xdisclose.com/poc/directory.bat.txt > http://www.xdisclose.com/poc/list.bat.txt > > Note: Modify POC to connect to lab FTP Server > (As of now it will connect to > ftp://xdisclose.com) > > Demonstration: > Note: Demonstration leads to crashing of Microsoft FTP > Client > > Download POC rename to .bat file and execute anyone of > the batch file > http://www.xdisclose.com/poc/mget.bat.txt > http://www.xdisclose.com/poc/username.bat.txt > http://www.xdisclose.com/poc/directory.bat.txt > http://www.xdisclose.com/poc/list.bat.txt > > > Solution: > No Solution > > Screenshot: > http://www.xdisclose.com/images/msftpbof.jpg > > > Impact: > Successful exploitation may allows execution of > arbitrary code with privilege of currently logged in > user. > > Impact of the vulnerability is system level. > > > Original Advisory: > http://www.xdisclose.com/advisory/XD100096.html > > Credits: > Rajesh Sethumadhavan has been credited with the > discovery of this vulnerability > > > Disclaimer: > This entire document is strictly for educational, > testing and demonstrating purpose only. Modification > use and/or publishing this information is entirely on > your own risk. The exploit code/Proof Of Concept is to > be used on test environment only. I am not liable for > any direct or indirect damages caused as a result of > using the information or demonstrations provided in > any part of this advisory. > > > > > ____________________________________________________________________________________ > Never miss a thing. Make Yahoo your home page. > http://www.yahoo.com/r/hs > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
