Yeah ..<br><br>a) "Social engineer victim to open it." <br>b) "Persuade victim to run the command "<br><br>is kind of funky.. <br><br><div class="gmail_quote">On Nov 28, 2007 5:21 PM, Stan Bubrouski <<a href="mailto:stan.bubrouski@gmail.com">
stan.bubrouski@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Not to mention the obvious fact that if you have to trick someone into
<br>running a batch file then you could probably just tell the genius to<br>execute a special EXE you crafted for them.<br><font color="#888888"><br>-sb<br></font><div><div></div><div class="Wj3C7c"><br>On Nov 28, 2007 4:43 PM, dev code <
<a href="mailto:devcode29@hotmail.com">devcode29@hotmail.com</a>> wrote:<br>><br>> lolerowned, kinda like the 20 other non-exploitable stack overflow<br>> exceptions that someone else has been reporting on full disclosure
<br>> ________________________________<br>> Date: Wed, 28 Nov 2007 09:11:30 -0600<br>> From: <a href="mailto:reepex@gmail.com">reepex@gmail.com</a><br>> To: <a href="mailto:rajesh.sethumadhavan@yahoo.com">rajesh.sethumadhavan@yahoo.com
</a>; <a href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</a><br>> Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow<br>> Vulnerability<br>><br>><br>>
<br>> so... what fuzzer that you didn't code did you use to find these amazing<br>> vulns?<br>><br>> Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You<br>> should not claim code execution when your code does not perform it.
<br>><br>> Well I guess it has been good talking until your fuzzer crashes another<br>> application and you copy and paste the results<br>><br>><br>> On 11/28/07, Rajesh Sethumadhavan <<a href="mailto:rajesh.sethumadhavan@yahoo.com">
rajesh.sethumadhavan@yahoo.com</a>> wrote:<br>> Microsoft FTP Client Multiple Bufferoverflow<br>> Vulnerability<br>><br>> #####################################################################<br>><br>> XDisclose Advisory : XD100096
<br>> Vulnerability Discovered: November 20th 2007<br>> Advisory Reported : November 28th 2007<br>> Credit : Rajesh Sethumadhavan<br>><br>> Class : Buffer Overflow<br>
> Denial Of Service<br>> Solution Status : Unpatched<br>> Vendor : Microsoft Corporation<br>> Affected applications : Microsoft FTP Client<br>> Affected Platform : Windows 2000 server
<br>> Windows 2000 Professional<br>> Windows XP<br>> (Other versions may also be affected)<br>><br>> #####################################################################
<br>><br>><br>> Overview:<br>> A buffer overflow vulnerability has been discovered in<br>> the Microsoft FTP client. Attackers can crash the FTP<br>> client of the victim user by tricking the user.<br>><br>><br>
> Description:<br>> A remote attacker can craft a packet with a payload in the<br>> "mget", "ls", "dir", "username" and "password"<br>> commands as demonstrated below. When the victim executes
<br>> the POC or specially crafted packets, the FTP client will<br>> crash, possibly allowing arbitrary code execution in the context of<br>> the logged-in user. This vulnerability is hard to exploit<br>> since it requires social engineering and shellcode has
<br>> to be injected as an argument to the vulnerable commands.<br>><br>> The vulnerability is caused by an error in the<br>> Windows FTP client in validating commands like "mget",<br>> "dir", "user", "password" and "ls".
<br>><br>> Exploitation method:<br>><br>> Method 1:<br>> -Send POC with payload to user.<br>> -Social engineer victim to open it.<br>><br>> Method 2:<br>> -Attacker creates a directory with a long folder or
<br>> file name on his FTP server (should be a server other than<br>> IIS)<br>> -Persuade victim to run the command "mget", "ls" or<br>> "dir" on the specially crafted folder using the Microsoft FTP
<br>> client<br>> -The FTP client will crash and the payload will get executed<br>><br>><br>> Proof Of Concept:<br>> <a href="http://www.xdisclose.com/poc/mget.bat.txt" target="_blank">http://www.xdisclose.com/poc/mget.bat.txt
</a><br>> <a href="http://www.xdisclose.com/poc/username.bat.txt" target="_blank">http://www.xdisclose.com/poc/username.bat.txt</a><br>> <a href="http://www.xdisclose.com/poc/directory.bat.txt" target="_blank">http://www.xdisclose.com/poc/directory.bat.txt
</a><br>> <a href="http://www.xdisclose.com/poc/list.bat.txt" target="_blank">http://www.xdisclose.com/poc/list.bat.txt</a><br>><br>> Note: Modify POC to connect to lab FTP Server<br>> (As of now it will connect to
<br>> <a href="ftp://xdisclose.com" target="_blank">ftp://xdisclose.com</a>)<br>><br>> Demonstration:<br>> Note: Demonstration leads to crashing of the Microsoft FTP<br>> Client<br>><br>> Download the POC, rename it to a .bat file and execute any one of
<br>> the batch files<br>> <a href="http://www.xdisclose.com/poc/mget.bat.txt" target="_blank">http://www.xdisclose.com/poc/mget.bat.txt</a><br>> <a href="http://www.xdisclose.com/poc/username.bat.txt" target="_blank">
http://www.xdisclose.com/poc/username.bat.txt</a><br>> <a href="http://www.xdisclose.com/poc/directory.bat.txt" target="_blank">http://www.xdisclose.com/poc/directory.bat.txt</a><br>> <a href="http://www.xdisclose.com/poc/list.bat.txt" target="_blank">
http://www.xdisclose.com/poc/list.bat.txt</a><br>><br>><br>> Solution:<br>> No Solution<br>><br>> Screenshot:<br>> <a href="http://www.xdisclose.com/images/msftpbof.jpg" target="_blank">http://www.xdisclose.com/images/msftpbof.jpg
</a><br>><br>><br>> Impact:<br>> Successful exploitation may allow execution of<br>> arbitrary code with the privileges of the currently logged-in<br>> user.<br>><br>> Impact of the vulnerability is system level.
<br>><br>><br>> Original Advisory:<br>> <a href="http://www.xdisclose.com/advisory/XD100096.html" target="_blank">http://www.xdisclose.com/advisory/XD100096.html</a><br>><br>> Credits:<br>> Rajesh Sethumadhavan has been credited with the
<br>> discovery of this vulnerability<br>><br>><br>> Disclaimer:<br>> This entire document is strictly for educational,<br>> testing and demonstration purposes only. Modification,<br>> use and/or publishing of this information is entirely at
<br>> your own risk. The exploit code/Proof Of Concept is to<br>> be used in a test environment only. I am not liable for<br>> any direct or indirect damages caused as a result of<br>> using the information or demonstrations provided in
<br>> any part of this advisory.<br>><br>> _______________________________________________<br>> Full-Disclosure - We believe in it.<br>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>> Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>><br></div></div></blockquote></div><br><br>
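As an added illustration of the bug class the quoted advisory's "Method 2" describes (a client copying a file name from a malicious server's directory listing into a fixed-size buffer), written here in C with hypothetical function names; it is not the advisory's PoC and not Microsoft's code. The unchecked variant is included only for contrast and is never executed; the bounded variant rejects an over-long name, which is the check a client needs regardless of whether a crash is actually exploitable.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260  /* classic Windows path limit, used here as the fixed buffer size */

/* Return the file name field of a UNIX-style LIST line (the text after
 * the last space), or NULL for an empty line. Hypothetical helper. */
static const char *list_line_name(const char *line) {
    const char *p = strrchr(line, ' ');
    return p ? p + 1 : (*line ? line : NULL);
}

/* Unchecked copy, the pattern the advisory alleges: a name longer than
 * MAX_PATH-1 bytes overruns the fixed buffer. For contrast only; not called. */
void copy_name_unchecked(char dest[MAX_PATH], const char *name) {
    strcpy(dest, name);
}

/* Bounded copy: reject any name that does not fit, NUL included. */
static int copy_name_checked(char dest[MAX_PATH], const char *name) {
    size_t n = strlen(name);
    if (n >= MAX_PATH) { dest[0] = '\0'; return -1; }
    memcpy(dest, name, n + 1);
    return 0;
}

/* Client-side handling of one LIST line: 0 on success, -1 if rejected. */
int client_handle_list_line(const char *line, char out[MAX_PATH]) {
    const char *name = list_line_name(line);
    return name ? copy_name_checked(out, name) : -1;
}

/* Constructed input: a normal entry. Returns the copied name's length (10). */
int demo_benign(void) {
    char buf[MAX_PATH];
    int rc = client_handle_list_line("-rw-r--r-- 1 ftp ftp 12 Nov 28 2007 readme.txt", buf);
    return rc == 0 ? (int)strlen(buf) : rc;
}

/* Constructed input: an entry whose name is 300 'a's, like the PoCs' long
 * runs of "a". Returns -1: rejected, buffer left empty. */
int demo_long_name(void) {
    char buf[MAX_PATH], line[400] = "drwxr-xr-x 2 ftp ftp 4096 Nov 28 2007 ";
    memset(line + strlen(line), 'a', 300);  /* 38 + 300 < 400; rest is already NUL */
    return client_handle_list_line(line, buf);
}

int main(void) {
    printf("benign name length: %d, 300-byte name: %d\n", demo_benign(), demo_long_name());
    return 0;
}
```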