<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
lolerowned, kinda like the 20 other non exploitable stack overflow exceptions that someone else has been reporting on full disclosure<br><blockquote><hr>Date: Wed, 28 Nov 2007 09:11:30 -0600<br>From: reepex@gmail.com<br>To: rajesh.sethumadhavan@yahoo.com; full-disclosure@lists.grok.org.uk<br>Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability<br><br><div>so... what fuzzer that you didnt code did you use to find these amazing vulns?</div>
<div> </div>
<div>Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You should not claim code execution when your code does not perform it.</div>
<div> </div>
<div>Well I guess it has been good talking until your fuzzer crashes another application and you copy and paste the results<br><br> </div>
<div><span class="EC_gmail_quote">On 11/28/07, <b class="EC_gmail_sendername">Rajesh Sethumadhavan</b> <<a href="mailto:rajesh.sethumadhavan@yahoo.com">rajesh.sethumadhavan@yahoo.com</a>> wrote:</span>
<blockquote class="EC_gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Microsoft FTP Client Multiple Bufferoverflow<br>Vulnerability<br><br>#####################################################################
<br><br>XDisclose Advisory : XD100096<br>Vulnerability Discovered: November 20th 2007<br>Advisory Reported : November 28th 2007<br>Credit : Rajesh Sethumadhavan<br><br>Class : Buffer Overflow
<br> Denial Of Service<br>Solution Status : Unpatched<br>Vendor : Microsoft Corporation<br>Affected applications : Microsoft FTP Client<br>Affected Platform : Windows 2000 server
<br> Windows 2000 Professional<br> Windows XP<br> (Other Versions may be also effected)<br><br>#####################################################################
<br><br><br>Overview:<br>Bufferoverflow vulnerability is discovered in<br>microsoft ftp client. Attackers can crash the ftp<br>client of the victim user by tricking the user.<br><br><br>Description:<br>A remote attacker can craft packet with payload in the
<br>"mget", "ls", "dir", "username" and "password"<br>commands as demonstrated below. When victim execute<br>POC or specially crafted packets, ftp client will<br>crash possible arbitrary code execution in contest of
<br>logged in user. This vulnerability is hard to exploit<br>since it requires social engineering and shellcode has<br>to be injected as argument in vulnerable commands.<br><br>The vulnerability is caused due to an error in the
<br>Windows FTP client in validating commands like "mget",<br>"dir", "user", password and "ls"<br><br>Exploitation method:<br><br>Method 1:<br>-Send POC with payload to user.<br>-Social engineer victim to open it.
<br><br>Method 2:<br>-Attacker creates a directory with long folder or<br>filename in his FTP server (should be other than IIS<br>server)<br>-Persuade victim to run the command "mget", "ls" or<br>"dir" on specially crafted folder using microsoft ftp
<br>client<br>-FTP client will crash and payload will get executed<br><br><br>Proof Of Concept:<br><a href="http://www.xdisclose.com/poc/mget.bat.txt" target="_blank">http://www.xdisclose.com/poc/mget.bat.txt</a><br><a href="http://www.xdisclose.com/poc/username.bat.txt" target="_blank">
http://www.xdisclose.com/poc/username.bat.txt</a><br><a href="http://www.xdisclose.com/poc/directory.bat.txt" target="_blank">http://www.xdisclose.com/poc/directory.bat.txt</a><br><a href="http://www.xdisclose.com/poc/list.bat.txt" target="_blank">http://www.xdisclose.com/poc/list.bat.txt
</a><br><br>Note: Modify POC to connect to lab FTP Server<br> (As of now it will connect to<br><a href="ftp://xdisclose.com" target="_blank">ftp://xdisclose.com</a>)<br><br>Demonstration:<br>Note: Demonstration leads to crashing of Microsoft FTP
<br>Client<br><br>Download POC rename to .bat file and execute anyone of<br>the batch file<br><a href="http://www.xdisclose.com/poc/mget.bat.txt" target="_blank">http://www.xdisclose.com/poc/mget.bat.txt</a><br><a href="http://www.xdisclose.com/poc/username.bat.txt" target="_blank">
http://www.xdisclose.com/poc/username.bat.txt</a><br><a href="http://www.xdisclose.com/poc/directory.bat.txt" target="_blank">http://www.xdisclose.com/poc/directory.bat.txt</a><br><a href="http://www.xdisclose.com/poc/list.bat.txt" target="_blank">http://www.xdisclose.com/poc/list.bat.txt
</a><br><br><br>Solution:<br>No Solution<br><br>Screenshot:<br><a href="http://www.xdisclose.com/images/msftpbof.jpg" target="_blank">http://www.xdisclose.com/images/msftpbof.jpg</a><br><br><br>Impact:<br>Successful exploitation may allows execution of
<br>arbitrary code with privilege of currently logged in<br>user.<br><br>Impact of the vulnerability is system level.<br><br><br>Original Advisory:<br><a href="http://www.xdisclose.com/advisory/XD100096.html" target="_blank">http://www.xdisclose.com/advisory/XD100096.html
</a><br><br>Credits:<br>Rajesh Sethumadhavan has been credited with the<br>discovery of this vulnerability<br><br><br>Disclaimer:<br>This entire document is strictly for educational,<br>testing and demonstrating purpose only. Modification
<br>use and/or publishing this information is entirely on<br>your own risk. The exploit code/Proof Of Concept is to<br>be used on test environment only. I am not liable for<br>any direct or indirect damages caused as a result of
<br>using the information or demonstrations provided in<br>any part of this advisory.<br><br><br><br> ____________________________________________________________________________________<br>Never miss a thing. Make Yahoo your home page.
<br><a href="http://www.yahoo.com/r/hs" target="_blank">http://www.yahoo.com/r/hs</a><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></blockquote></div><br>
</blockquote><br /><hr />Connect and share in new ways with Windows Live. <a href='http://www.windowslive.com/connect.html?ocid=TXT_TAGLM_Wave2_newways_112007' target='_new'>Connect now!</a></body>
</html>