Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulne

from [Peter Dawson] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Date: Wed, 28 Nov 2007 18:34:47 -0500 
Yeah ..

a) "Social engineer victim to open it."
b) "Persuade victim to run the command "

is kind funky..

On Nov 28, 2007 5:21 PM, Stan Bubrouski <stan.bubrouski@gmail.com> wrote:


Not to mention the obvious fact that if you have to trick someone into
running a batch file then you could probably just tell the genius to
execute a special EXE you crafted for them.

-sb

On Nov 28, 2007 4:43 PM, dev code <devcode29@hotmail.com> wrote:


 lolerowned, kinda like the 20 other non exploitable stack overflow
exceptions that someone else has been reporting on full disclosure
________________________________
Date: Wed, 28 Nov 2007 09:11:30 -0600
From: reepex@gmail.com
To: rajesh.sethumadhavan@yahoo.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple

Bufferoverflow

Vulnerability



so... what fuzzer that you didnt code did you use to find these amazing
vulns?

Also nice 'payload'  in your exploits meaning 'nice long lists of "a"s'.

You

should not claim code execution when your code does not perform it.

Well I guess it has been good talking until your fuzzer crashes another
application and you copy and paste the results


On 11/28/07, Rajesh Sethumadhavan <rajesh.sethumadhavan@yahoo.com>

wrote:

Microsoft FTP Client Multiple Bufferoverflow
Vulnerability

#####################################################################

XDisclose Advisory      : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Reported       : November 28th 2007
Credit                  : Rajesh Sethumadhavan

Class                   : Buffer Overflow
                         Denial Of Service
Solution Status         : Unpatched
Vendor                  : Microsoft Corporation
Affected applications   : Microsoft FTP Client
Affected Platform       : Windows 2000 server
                         Windows 2000 Professional
                         Windows XP
                         (Other Versions may be also effected)

#####################################################################


Overview:
Bufferoverflow vulnerability is discovered in
microsoft ftp client. Attackers can crash the ftp
client of the victim user by tricking the user.


Description:
A remote attacker can craft packet with payload in the
"mget", "ls", "dir", "username" and "password"
commands as demonstrated below. When victim execute
POC or specially crafted packets, ftp client will
crash possible arbitrary code execution in contest of
logged in user. This vulnerability is hard to exploit
since it requires social engineering and shellcode has
to be injected as argument in vulnerable commands.

The vulnerability is caused due to an error in the
Windows FTP client in validating commands like "mget",
"dir", "user", password and "ls"

Exploitation method:

Method 1:
-Send POC with payload to user.
-Social engineer victim to open it.

Method 2:
-Attacker creates a directory with long folder or
filename in his FTP server (should be other than IIS
server)
-Persuade victim to run the command "mget", "ls" or
"dir"  on specially crafted folder using microsoft ftp
client
-FTP client will crash and payload will get executed


Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
 http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Note: Modify POC to connect to lab FTP Server
     (As of now it will connect to
ftp://xdisclose.com)

Demonstration:
Note: Demonstration leads to crashing of Microsoft FTP
Client

Download POC rename to .bat file and execute anyone of
the batch file
http://www.xdisclose.com/poc/mget.bat.txt
 http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt


Solution:
No Solution

Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg


Impact:
Successful exploitation may allows execution of
arbitrary code with privilege of currently logged in
user.

Impact of the vulnerability is system level.


Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html

Credits:
Rajesh Sethumadhavan has been credited with the
discovery of this vulnerability


Disclaimer:
This entire document is strictly for educational,
testing and demonstrating purpose only. Modification
use and/or publishing this information is entirely on
your own risk. The exploit code/Proof Of Concept is to
be used on test environment only. I am not liable for
any direct or indirect damages caused as a result of
using the information or demonstrations provided in
any part of this advisory.






____________________________________________________________________________________

Never miss a thing.  Make Yahoo your home page.
http://www.yahoo.com/r/hs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


________________________________
Connect and share in new ways with Windows Live. Connect now!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  rPSA-2007-0252-1 cups poppler tetex tetex-afm tetex-dvips tetex-fonts tetex-latex tetex-xdvi, rPath Update Announcements
Next by Date:  [USN-548-1] Pidgin vulnerability, Kees Cook
Previous by Thread:  Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability, Stan Bubrouski
Next by Thread:  Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability, reepex
Indexes:  [Date] [Thread] [Top] [All Lists]