Re: Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Dear Rajesh Sethumadhavan,
In order to exploit this vulnerability you need to force victim to run
attacker-supplied BAT file. It's like forcing user to run
attacker-supplied .sh script under Unix. No vulnerability here, except
vulnerability in human. The second scenario is better. All you need is
to force user to type more than 1000 characters (including shellcode)
in filename without mistakes. You should be extremaly good social
engineer...
--Wednesday, November 28, 2007, 9:12:03 AM, you wrote to
bugtraq@xxxxxxxxxxxxxxxxx:
RS> Exploitation method:
RS> Method 1:
RS> -Send POC with payload to user.
RS> -Social engineer victim to open it.
RS> Method 2:
RS> -Attacker creates a directory with long folder or
RS> filename in his FTP server (should be other than IIS
RS> server)
RS> -Persuade victim to run the command "mget", "ls" or
RS> "dir" on specially crafted folder using microsoft ftp
RS> client
RS> -FTP client will crash and payload will get executed
RS> Proof Of Concept:
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt
RS> Note: Modify POC to connect to lab FTP Server
RS> (As of now it will connect to
RS> ftp://xdisclose.com)
RS> Demonstration:
RS> Note: Demonstration leads to crashing of Microsoft FTP
RS> Client
RS> Download POC rename to .bat file and execute anyone of
RS> the batch file
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt
RS> Solution:
RS> No Solution
RS> Screenshot:
RS> http://www.xdisclose.com/images/msftpbof.jpg
RS> Impact:
RS> Successful exploitation may allows execution of
RS> arbitrary code with privilege of currently logged in
RS> user.
RS> Impact of the vulnerability is system level.
RS> Original Advisory:
RS> http://www.xdisclose.com/advisory/XD100096.html
RS> Credits:
RS> Rajesh Sethumadhavan has been credited with the
RS> discovery of this vulnerability
RS> Disclaimer:
RS> This entire document is strictly for educational,
RS> testing and demonstrating purpose only. Modification
RS> use and/or publishing this information is entirely on
RS> your own risk. The exploit code/Proof Of Concept is to
RS> be used on test environment only. I am not liable for
RS> any direct or indirect damages caused as a result of
RS> using the information or demonstrations provided in
RS> any part of this advisory.
RS>
RS>
____________________________________________________________________________________
RS> Be a better pen pal.
RS> Text or chat with friends inside Yahoo! Mail. See how.
http://overview.mail.yahoo.com/
--
~/ZARAZA http://securityvulns.com/
Îñîáóþ ïðîáëåìó ñîñòàâëÿåò àëêîãîëèçì. (Ëåì)