Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability

from [3APA3A] Network Security [Permanent Link]
Subject: Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Date: Thu, 29 Nov 2007 14:46:06 +0300 
Dear Rajesh Sethumadhavan,

 In  order to exploit this vulnerability you need to force victim to run
 attacker-supplied   BAT   file.   It's   like   forcing   user  to  run
 attacker-supplied  .sh script under Unix. No vulnerability here, except
 vulnerability  in human. The second scenario is better. All you need is
 to  force  user to type more than 1000 characters (including shellcode)
 in  filename  without  mistakes.  You  should  be extremaly good social
 engineer...

--Wednesday, November 28, 2007, 9:12:03 AM, you wrote to 
bugtraq@securityfocus.com:

RS> Exploitation method:

RS> Method 1:
RS> -Send POC with payload to user.
RS> -Social engineer victim to open it.

RS> Method 2:
RS> -Attacker creates a directory with long folder or
RS> filename in his FTP server (should be other than IIS
RS> server)
RS> -Persuade victim to run the command "mget", "ls" or
RS> "dir"  on specially crafted folder using microsoft ftp
RS> client
RS> -FTP client will crash and payload will get executed


RS> Proof Of Concept:
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt

RS> Note: Modify POC to connect to lab FTP Server
RS>       (As of now it will connect to
RS> ftp://xdisclose.com)

RS> Demonstration:
RS> Note: Demonstration leads to crashing of Microsoft FTP
RS> Client

RS> Download POC rename to .bat file and execute anyone of
RS> the batch file
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt


RS> Solution:
RS> No Solution

RS> Screenshot:
RS> http://www.xdisclose.com/images/msftpbof.jpg


RS> Impact:
RS> Successful exploitation may allows execution of
RS> arbitrary code with privilege of currently logged in
RS> user.

RS> Impact of the vulnerability is system level.


RS> Original Advisory:
RS> http://www.xdisclose.com/advisory/XD100096.html

RS> Credits:
RS> Rajesh Sethumadhavan has been credited with the
RS> discovery of this vulnerability


RS> Disclaimer:
RS> This entire document is strictly for educational,
RS> testing and demonstrating purpose only. Modification
RS> use and/or publishing this information is entirely on
RS> your own risk. The exploit code/Proof Of Concept is to
RS> be used on test environment only. I am not liable for
RS> any direct or indirect damages caused as a result of
RS> using the information or demonstrations provided in
RS> any part of this advisory.



RS>      
RS> 
____________________________________________________________________________________
RS> Be a better pen pal. 
RS> Text or chat with friends inside Yahoo! Mail. See how.  
http://overview.mail.yahoo.com/


-- 
~/ZARAZA http://securityvulns.com/
Îñîáóþ ïðîáëåìó ñîñòàâëÿåò àëêîãîëèçì.  (Ëåì)
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  APC Management Vulnerability, garys
Next by Date:  FreeBSD Security Advisory FreeBSD-SA-07:10.gtar, FreeBSD Security Advisories
Previous by Thread:  Microsoft FTP Client Multiple Bufferoverflow Vulnerability, Rajesh Sethumadhavan
Next by Thread:  Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability, Valdis . Kletnieks
Indexes:  [Date] [Thread] [Top] [All Lists]