woah woah watch your words

many people on FD make their career based on 1) and 2) so don't diss them
unless you want to start an e-war

On 11/28/07, Peter Dawson <[EMAIL PROTECTED]> wrote:
>
> Yeah ..
>
> a) "Social engineer victim to open it."
> b) "Persuade victim to run the command "
>
> is kind of funky..
>
> On Nov 28, 2007 5:21 PM, Stan Bubrouski < [EMAIL PROTECTED]> wrote:
>
> > Not to mention the obvious fact that if you have to trick someone into
> > running a batch file then you could probably just tell the genius to
> > execute a special EXE you crafted for them.
> >
> > -sb
> >
> > On Nov 28, 2007 4:43 PM, dev code < [EMAIL PROTECTED]> wrote:
> > >
> > > lolerowned, kinda like the 20 other non-exploitable stack overflow
> > > exceptions that someone else has been reporting on full disclosure
> > > ________________________________
> > > Date: Wed, 28 Nov 2007 09:11:30 -0600
> > > From: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED] ; full-disclosure@lists.grok.org.uk
> > > Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> > >
> > >
> > >
> > > so... what fuzzer that you didn't code did you use to find these amazing vulns?
> > >
> > > Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You
> > > should not claim code execution when your code does not perform it.
> > >
> > > Well I guess it has been good talking until your fuzzer crashes another
> > > application and you copy and paste the results
> > >
> > >
> > > On 11/28/07, Rajesh Sethumadhavan < [EMAIL PROTECTED]> wrote:
> > > Microsoft FTP Client Multiple Bufferoverflow Vulnerability
> > >
> > > #####################################################################
> > >
> > > XDisclose Advisory      : XD100096
> > > Vulnerability Discovered: November 20th 2007
> > > Advisory Reported       : November 28th 2007
> > > Credit                  : Rajesh Sethumadhavan
> > >
> > > Class                   : Buffer Overflow
> > >                          Denial Of Service
> > > Solution Status         : Unpatched
> > > Vendor                  : Microsoft Corporation
> > > Affected applications   : Microsoft FTP Client
> > > Affected Platform       : Windows 2000 server
> > >                          Windows 2000 Professional
> > >                          Windows XP
> > >                          (Other versions may also be affected)
> > >
> > > #####################################################################
> > >
> > >
> > > Overview:
> > > A buffer overflow vulnerability has been discovered in the
> > > Microsoft FTP client. Attackers can crash the victim
> > > user's FTP client by tricking the user.
> > >
> > >
> > > Description:
> > > A remote attacker can craft a packet with a payload in the
> > > "mget", "ls", "dir", "username" and "password"
> > > commands as demonstrated below. When the victim executes
> > > the POC or specially crafted packets, the FTP client will
> > > crash, with possible arbitrary code execution in the context of
> > > the logged-in user. This vulnerability is hard to exploit
> > > since it requires social engineering and the shellcode has
> > > to be injected as an argument to the vulnerable commands.
> > >
> > > The vulnerability is caused by an error in the
> > > Windows FTP client in validating commands like "mget",
> > > "dir", "user", "password" and "ls".
> > >
> > > Exploitation method:
> > >
> > > Method 1:
> > > -Send POC with payload to user.
> > > -Social engineer victim to open it.
> > >
> > > Method 2:
> > > -Attacker creates a directory with a long folder or
> > > filename on his FTP server (should be other than an IIS
> > > server)
> > > -Persuade victim to run the command "mget", "ls" or
> > > "dir" on the specially crafted folder using the Microsoft FTP
> > > client
> > > -FTP client will crash and payload will get executed
> > >
> > >
> > > Proof Of Concept:
> > > http://www.xdisclose.com/poc/mget.bat.txt
> > > http://www.xdisclose.com/poc/username.bat.txt
> > > http://www.xdisclose.com/poc/directory.bat.txt
> > > http://www.xdisclose.com/poc/list.bat.txt
> > >
> > > Note: Modify the POC to connect to a lab FTP server
> > >      (as of now it will connect to
> > > ftp://xdisclose.com)
> > >
> > > Demonstration:
> > > Note: The demonstration leads to a crash of the Microsoft FTP
> > > client
> > >
> > > Download the POC, rename it to a .bat file and execute any one of
> > > the batch files
> > > http://www.xdisclose.com/poc/mget.bat.txt
> > > http://www.xdisclose.com/poc/username.bat.txt
> > > http://www.xdisclose.com/poc/directory.bat.txt
> > > http://www.xdisclose.com/poc/list.bat.txt
> > >
> > >
> > > Solution:
> > > No Solution
> > >
> > > Screenshot:
> > > http://www.xdisclose.com/images/msftpbof.jpg
> > >
> > >
> > > Impact:
> > > Successful exploitation may allow execution of
> > > arbitrary code with the privileges of the currently logged-in
> > > user.
> > >
> > > Impact of the vulnerability is system level.
> > >
> > >
> > > Original Advisory:
> > > http://www.xdisclose.com/advisory/XD100096.html
> > >
> > > Credits:
> > > Rajesh Sethumadhavan has been credited with the
> > > discovery of this vulnerability
> > >
> > >
> > > Disclaimer:
> > > This entire document is strictly for educational,
> > > testing and demonstration purposes only. Modifying,
> > > using and/or publishing this information is entirely at
> > > your own risk. The exploit code/Proof Of Concept is to
> > > be used in a test environment only. I am not liable for
> > > any direct or indirect damages caused as a result of
> > > using the information or demonstrations provided in
> > > any part of this advisory.
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> > >
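The advisory quoted in this thread describes the Microsoft FTP client crashing on overlong arguments to mget, ls, dir, user and pass, including folder names a hostile server hands back in a listing. As an added defensive example (not code from the advisory or from anyone in the thread), the Python screener below rejects oversized arguments in an ftp command script and flags oversized names in a server listing before a native client would see them; the 255-character cap, the listing lines and the script are assumptions constructed for illustration.

```python
"""Screen FTP script arguments and server-supplied names for oversized
values before they reach a native FTP client (added example; the cap
and samples are assumptions, not values from the advisory)."""
from dataclasses import dataclass

MAX_ARG_LEN = 255  # assumed conservative cap (Windows MAX_PATH is 260)
SCREENED_COMMANDS = {"mget", "ls", "dir", "user", "pass"}  # per the advisory


@dataclass
class Finding:
    command: str   # command whose argument is oversized
    preview: str   # first bytes of the value, for a log line
    length: int    # actual argument length


def screen_command(command, argument, limit=MAX_ARG_LEN):
    """Return a Finding when a screened command's argument exceeds the cap."""
    cmd = command.lower()
    if cmd in SCREENED_COMMANDS and len(argument) > limit:
        return Finding(cmd, argument[:32] + "...", len(argument))
    return None


def screen_script(script_text, limit=MAX_ARG_LEN):
    """Screen an ftp command script (one command per line, like ftp -s:)."""
    findings = []
    for raw in script_text.splitlines():
        tokens = raw.strip().split(None, 1)
        if len(tokens) == 2:
            hit = screen_command(tokens[0], tokens[1], limit)
            if hit:
                findings.append(hit)
    return findings


def screen_listing(lines, limit=MAX_ARG_LEN):
    """Flag names in Unix-style 'ls -l' LIST output (name is the 9th field)
    that would be passed on to mget/ls/dir and exceed the cap."""
    findings = []
    for line in lines:
        parts = line.split(None, 8)
        if len(parts) == 9 and len(parts[8]) > limit:
            findings.append(Finding("list", parts[8][:32] + "...", len(parts[8])))
    return findings


SAMPLE_LISTING = [  # constructed listing lines, not real server output
    "drwxr-xr-x 2 ftp ftp 4096 Nov 28 2007 pub",
    "-rw-r--r-- 1 ftp ftp 1024 Nov 28 2007 README.txt",
    "drwxr-xr-x 2 ftp ftp 4096 Nov 28 2007 " + "A" * 600,
]
SAMPLE_SCRIPT = "\n".join([  # constructed script, not one of the POCs
    "open ftp.example.test", "user " + "B" * 400, "pass secret",
    "ls " + "C" * 300, "bye",
])
```

Run the screeners over a script and a listing before invoking the native client, and refuse the transfer when either returns findings.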
