Dear Rajesh Sethumadhavan,

In order to exploit this vulnerability you need to force the victim to run an attacker-supplied BAT file. It's like forcing a user to run an attacker-supplied .sh script under Unix. No vulnerability here, except a vulnerability in the human.

The second scenario is better. All you need is to force the user to type more than 1000 characters (including shellcode) in a filename without mistakes. You should be an extremely good social engineer...

-- Wednesday, November 28, 2007, 9:12:03 AM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

RS> Exploitation method:
RS>
RS> Method 1:
RS> - Send POC with payload to user.
RS> - Social engineer victim to open it.
RS>
RS> Method 2:
RS> - Attacker creates a directory with long folder or filename in his FTP server (should be other than IIS server)
RS> - Persuade victim to run the command "mget", "ls" or "dir" on specially crafted folder using Microsoft FTP client
RS> - FTP client will crash and payload will get executed
RS>
RS> Proof Of Concept:
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt
RS>
RS> Note: Modify POC to connect to lab FTP Server (As of now it will connect to ftp://xdisclose.com)
RS>
RS> Demonstration:
RS> Note: Demonstration leads to crashing of Microsoft FTP Client
RS> Download the POC, rename it to a .bat file and execute any one of the batch files
RS> http://www.xdisclose.com/poc/mget.bat.txt
RS> http://www.xdisclose.com/poc/username.bat.txt
RS> http://www.xdisclose.com/poc/directory.bat.txt
RS> http://www.xdisclose.com/poc/list.bat.txt
RS>
RS> Solution:
RS> No Solution
RS>
RS> Screenshot:
RS> http://www.xdisclose.com/images/msftpbof.jpg
RS>
RS> Impact:
RS> Successful exploitation may allow execution of arbitrary code with the privilege of the currently logged in user.
RS> Impact of the vulnerability is system level.
RS>
RS> Original Advisory:
RS> http://www.xdisclose.com/advisory/XD100096.html
RS>
RS> Credits:
RS> Rajesh Sethumadhavan has been credited with the discovery of this vulnerability
RS>
RS> Disclaimer:
RS> This entire document is strictly for educational, testing and demonstrating purpose only. Modification, use and/or publishing this information is entirely at your own risk. The exploit code/Proof Of Concept is to be used on a test environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

-- 
~/ZARAZA
http://securityvulns.com/
Alcoholism constitutes a special problem. (Lem)