Not to mention the obvious fact that if you have to trick someone into running a batch file then you could probably just tell the genius to execute a special EXE you crafted for them.
-sb On Nov 28, 2007 4:43 PM, dev code <[EMAIL PROTECTED]> wrote: > > lolerowned, kinda like the 20 other non exploitable stack overflow > exceptions that someone else has been reporting on full disclosure > ________________________________ > Date: Wed, 28 Nov 2007 09:11:30 -0600 > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk > Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow > Vulnerability > > > > so... what fuzzer that you didnt code did you use to find these amazing > vulns? > > Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You > should not claim code execution when your code does not perform it. > > Well I guess it has been good talking until your fuzzer crashes another > application and you copy and paste the results > > > On 11/28/07, Rajesh Sethumadhavan <[EMAIL PROTECTED]> wrote: > Microsoft FTP Client Multiple Bufferoverflow > Vulnerability > > ##################################################################### > > XDisclose Advisory : XD100096 > Vulnerability Discovered: November 20th 2007 > Advisory Reported : November 28th 2007 > Credit : Rajesh Sethumadhavan > > Class : Buffer Overflow > Denial Of Service > Solution Status : Unpatched > Vendor : Microsoft Corporation > Affected applications : Microsoft FTP Client > Affected Platform : Windows 2000 server > Windows 2000 Professional > Windows XP > (Other Versions may be also effected) > > ##################################################################### > > > Overview: > Bufferoverflow vulnerability is discovered in > microsoft ftp client. Attackers can crash the ftp > client of the victim user by tricking the user. > > > Description: > A remote attacker can craft packet with payload in the > "mget", "ls", "dir", "username" and "password" > commands as demonstrated below. When victim execute > POC or specially crafted packets, ftp client will > crash possible arbitrary code execution in contest of > logged in user. This vulnerability is hard to exploit > since it requires social engineering and shellcode has > to be injected as argument in vulnerable commands. > > The vulnerability is caused due to an error in the > Windows FTP client in validating commands like "mget", > "dir", "user", password and "ls" > > Exploitation method: > > Method 1: > -Send POC with payload to user. > -Social engineer victim to open it. > > Method 2: > -Attacker creates a directory with long folder or > filename in his FTP server (should be other than IIS > server) > -Persuade victim to run the command "mget", "ls" or > "dir" on specially crafted folder using microsoft ftp > client > -FTP client will crash and payload will get executed > > > Proof Of Concept: > http://www.xdisclose.com/poc/mget.bat.txt > http://www.xdisclose.com/poc/username.bat.txt > http://www.xdisclose.com/poc/directory.bat.txt > http://www.xdisclose.com/poc/list.bat.txt > > Note: Modify POC to connect to lab FTP Server > (As of now it will connect to > ftp://xdisclose.com) > > Demonstration: > Note: Demonstration leads to crashing of Microsoft FTP > Client > > Download POC rename to .bat file and execute anyone of > the batch file > http://www.xdisclose.com/poc/mget.bat.txt > http://www.xdisclose.com/poc/username.bat.txt > http://www.xdisclose.com/poc/directory.bat.txt > http://www.xdisclose.com/poc/list.bat.txt > > > Solution: > No Solution > > Screenshot: > http://www.xdisclose.com/images/msftpbof.jpg > > > Impact: > Successful exploitation may allows execution of > arbitrary code with privilege of currently logged in > user. > > Impact of the vulnerability is system level. > > > Original Advisory: > http://www.xdisclose.com/advisory/XD100096.html > > Credits: > Rajesh Sethumadhavan has been credited with the > discovery of this vulnerability > > > Disclaimer: > This entire document is strictly for educational, > testing and demonstrating purpose only. Modification > use and/or publishing this information is entirely on > your own risk. The exploit code/Proof Of Concept is to > be used on test environment only. I am not liable for > any direct or indirect damages caused as a result of > using the information or demonstrations provided in > any part of this advisory. > > > > > ____________________________________________________________________________________ > Never miss a thing. Make Yahoo your home page. > http://www.yahoo.com/r/hs > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > ________________________________ > Connect and share in new ways with Windows Live. Connect now! > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
