module
ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability
| Disclosed | Created |
|---|---|
| Jun 8, 2012 | May 30, 2018 |
Disclosed
Jun 8, 2012
Created
May 30, 2018
Description
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
crafted format string specifier as a username. The crafted username is sent to the server to
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
The SEH exit function is preferred so that the administrators are not left with an unhandled
exception message. When using the meterpreter payload, the process will never die, allowing
for continuous exploitation.
crafted format string specifier as a username. The crafted username is sent to the server to
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
The SEH exit function is preferred so that the administrators are not left with an unhandled
exception message. When using the meterpreter payload, the process will never die, allowing
for continuous exploitation.
Authors
ChaoYi Huang ChaoYi.Huang@connect.polyu.hk
rick2600 rick2600@corelan.be
mr_me mr_me@corelan.be
corelanc0d3r peter.ve@corelan.be
rick2600 rick2600@corelan.be
mr_me mr_me@corelan.be
corelanc0d3r peter.ve@corelan.be
Platform
Windows
Architectures
x86
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.