<div>so... what fuzzer that you didn't code did you use to find these amazing vulns?</div>
<div> </div>
<div>Also nice 'payload' in your exploits meaning 'nice long lists of "a"s'. You should not claim code execution when your code does not perform it.</div>
<div> </div>
<div>Well, I guess it has been good talking until your fuzzer crashes another application and you copy and paste the results<br><br> </div>
<div><span class="gmail_quote">On 11/28/07, <b class="gmail_sendername">Rajesh Sethumadhavan</b> <<a href="mailto:rajesh.sethumadhavan@yahoo.com">rajesh.sethumadhavan@yahoo.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Microsoft FTP Client Multiple Buffer Overflow Vulnerability<br><br>
#####################################################################<br><br>
XDisclose Advisory : XD100096<br>
Vulnerability Discovered: November 20th 2007<br>
Advisory Reported : November 28th 2007<br>
Credit : Rajesh Sethumadhavan<br><br>
Class : Buffer Overflow<br>
 Denial Of Service<br>
Solution Status : Unpatched<br>
Vendor : Microsoft Corporation<br>
Affected applications : Microsoft FTP Client<br>
Affected Platform : Windows 2000 Server<br>
 Windows 2000 Professional<br>
 Windows XP<br>
 (Other versions may also be affected)<br><br>
#####################################################################<br><br><br>
Overview:<br>
A buffer overflow vulnerability was discovered in the Microsoft FTP client. Attackers can crash the FTP client of the victim user by tricking the user.<br><br><br>
Description:<br>
A remote attacker can craft a packet with a payload in the "mget", "ls", "dir", "username" and "password" commands, as demonstrated below. When the victim executes the POC or the specially crafted packets, the FTP client will crash, with possible arbitrary code execution in the context of the logged-in user. This vulnerability is hard to exploit since it requires social engineering, and shellcode has to be injected as an argument to the vulnerable commands.<br><br>
The vulnerability is caused by an error in the Windows FTP client in validating commands like "mget", "dir", "user", "password" and "ls".<br><br>
Exploitation method:<br><br>
Method 1:<br>
-Send POC with payload to user.<br>
-Social engineer victim to open it.<br><br>
Method 2:<br>
-Attacker creates a directory with a long folder or filename on his FTP server (should be other than an IIS server)<br>
-Persuade victim to run the command "mget", "ls" or "dir" on the specially crafted folder using the Microsoft FTP client<br>
-FTP client will crash and payload will get executed<br><br><br>
Proof Of Concept:<br>
<a href="http://www.xdisclose.com/poc/mget.bat.txt">http://www.xdisclose.com/poc/mget.bat.txt</a><br>
<a href="http://www.xdisclose.com/poc/username.bat.txt">http://www.xdisclose.com/poc/username.bat.txt</a><br>
<a href="http://www.xdisclose.com/poc/directory.bat.txt">http://www.xdisclose.com/poc/directory.bat.txt</a><br>
<a href="http://www.xdisclose.com/poc/list.bat.txt">http://www.xdisclose.com/poc/list.bat.txt</a><br><br>
Note: Modify POC to connect to lab FTP Server (as of now it will connect to <a href="ftp://xdisclose.com">ftp://xdisclose.com</a>)<br><br>
Demonstration:<br>
Note: Demonstration leads to crashing of Microsoft FTP Client<br><br>
Download the POC, rename it to a .bat file and execute any one of the batch files<br>
<a href="http://www.xdisclose.com/poc/mget.bat.txt">http://www.xdisclose.com/poc/mget.bat.txt</a><br>
<a href="http://www.xdisclose.com/poc/username.bat.txt">http://www.xdisclose.com/poc/username.bat.txt</a><br>
<a href="http://www.xdisclose.com/poc/directory.bat.txt">http://www.xdisclose.com/poc/directory.bat.txt</a><br>
<a href="http://www.xdisclose.com/poc/list.bat.txt">http://www.xdisclose.com/poc/list.bat.txt</a><br><br><br>
Solution:<br>
No Solution<br><br>
Screenshot:<br>
<a href="http://www.xdisclose.com/images/msftpbof.jpg">http://www.xdisclose.com/images/msftpbof.jpg</a><br><br><br>
Impact:<br>
Successful exploitation may allow execution of arbitrary code with the privilege of the currently logged in user.<br><br>
Impact of the vulnerability is system level.<br><br><br>
Original Advisory:<br>
<a href="http://www.xdisclose.com/advisory/XD100096.html">http://www.xdisclose.com/advisory/XD100096.html</a><br><br>
Credits:<br>
Rajesh Sethumadhavan has been credited with the discovery of this vulnerability<br><br><br>
Disclaimer:<br>
This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code/Proof Of Concept is to be used in a test environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.<br><br><br>
_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br>
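<div>The quoted advisory's "Method 2" scenario is a client trusting server-supplied names (from an "ls"/"dir"/"mget" listing) enough to copy them into a fixed buffer. The added example below is not from the advisory, the list thread or Microsoft's code: it is a hypothetical FTP client's listing handler in C that extracts the name field from a UNIX-style LIST line and refuses, rather than truncates or overflows on, names that exceed an assumed per-component limit (MAX_NAME, set to 255 here as an assumption) or that carry control characters. All sample listing lines are constructed for the example.</div>

```c
/* Added example, not code from the advisory or from any real FTP client.
 * Demonstrates bounded handling of server-supplied directory-listing names. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_NAME 255   /* assumed per-component limit for this hypothetical client */

/* Returned to the caller so a dropped entry can be logged with a reason. */
enum name_status { NAME_OK = 0, NAME_TOO_LONG = 1, NAME_BAD_CHAR = 2, NAME_EMPTY = 3 };

/* Length of s, never scanning more than max bytes (s need not be terminated within max). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Locate the name field of one UNIX-style LIST line: everything after the 8th
 * space-separated field (perms, links, owner, group, size, month, day, time).
 * Returns a pointer into line, or NULL if the line has no name field. */
static const char *list_line_name(const char *line) {
    int fields = 0;
    const char *p = line;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) return NULL;
        if (fields == 8) return p;
        while (*p && *p != ' ') p++;
        fields++;
    }
    return NULL;
}

/* Bounded copy of a name into dst: refuses names that would not fit with their
 * terminator (instead of silently truncating) and names containing control
 * characters, which would corrupt later commands built from the name. */
static enum name_status copy_name(char *dst, size_t dst_size, const char *src) {
    size_t n = bounded_len(src, dst_size);
    if (n == 0) return NAME_EMPTY;
    if (n >= dst_size) return NAME_TOO_LONG;
    for (size_t i = 0; i < n; i++)
        if (iscntrl((unsigned char)src[i])) return NAME_BAD_CHAR;
    memcpy(dst, src, n + 1);
    return NAME_OK;
}

/* Parse one LIST line into a fixed buffer; the status says why an entry was dropped. */
static enum name_status parse_entry(const char *line, char *name_out, size_t out_size) {
    const char *name = list_line_name(line);
    if (!name) return NAME_EMPTY;
    return copy_name(name_out, out_size, name);
}

/* Walk a whole listing; returns the number of accepted entries, counts rejections. */
int process_listing(const char *const *lines, size_t count, int *rejected) {
    int accepted = 0;
    *rejected = 0;
    for (size_t i = 0; i < count; i++) {
        char name[MAX_NAME + 1];
        if (parse_entry(lines[i], name, sizeof name) == NAME_OK) accepted++;
        else (*rejected)++;
    }
    return accepted;
}

/* Build a constructed LIST line whose name is name_len 'A' characters. */
static size_t build_long_line(char *buf, size_t bufsize, size_t name_len) {
    const char *prefix = "drwxr-xr-x 2 user group 4096 Nov 20 12:00 ";
    size_t plen = strlen(prefix);
    if (plen + name_len + 1 > bufsize) return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', name_len);
    buf[plen + name_len] = '\0';
    return plen + name_len;
}

/* Helpers that expose single-line results for checking. */
enum name_status classify(const char *line) {
    char name[MAX_NAME + 1];
    return parse_entry(line, name, sizeof name);
}
int name_matches(const char *line, const char *expected) {
    char name[MAX_NAME + 1];
    if (parse_entry(line, name, sizeof name) != NAME_OK) return 0;
    return strcmp(name, expected) == 0;
}
enum name_status classify_long_name(size_t name_len) {
    static char line[1024];
    if (build_long_line(line, sizeof line, name_len) == 0) return NAME_EMPTY;
    return classify(line);
}

/* Constructed sample listing: one benign entry, one 600-byte name, one name with a CR. */
int run_demo(int *rejected) {
    static char long_line[1024];
    build_long_line(long_line, sizeof long_line, 600);
    const char *lines[] = {
        "-rw-r--r-- 1 user group 1234 Nov 20 12:00 notes.txt",
        long_line,
        "-rw-r--r-- 1 user group 12 Nov 20 12:01 bad\rname",
    };
    return process_listing(lines, 3, rejected);
}
int demo_accepted(void) { int r; return run_demo(&r); }
int demo_rejected(void) { int r; run_demo(&r); return r; }

int main(void) {
    int rejected = 0;
    int accepted = run_demo(&rejected);
    printf("accepted=%d rejected=%d\n", accepted, rejected);
    return 0;
}
```

<div>The point of the hardened copy is the refusal: a client that truncated the name would still be safe from the overflow but could then fetch or delete the wrong file, so the example drops the entry and returns a reason the client can log. Entries with control characters are rejected for the same reason: a name echoed back into a later command line must not be able to smuggle in a line break.</div>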