From e0e4aebcc1268a048057d9e7c5d2094e1ef44095 Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Tue, 12 Oct 2010 18:39:21 +0000 Subject: [PATCH] fix a few stack bof vulnerability descriptions git-svn-id: file:///home/svn/framework3/trunk@10660 4d416f70-5f16-0410-b530-b9f4589650da --- .../windows/fileformat/digital_music_pad_pls.rb | 2 +- .../exploits/windows/ftp/aasync_list_reply.rb | 4 +++- .../windows/ftp/filewrangler_list_reply.rb | 8 ++++---- .../exploits/windows/ftp/ftpgetter_pwd_reply.rb | 6 ++++-- .../exploits/windows/ftp/ftppad_list_reply.rb | 15 +++++++-------- .../windows/ftp/ftpshell51_pwd_reply.rb | 7 ++++--- .../exploits/windows/ftp/ftpsynch_list_reply.rb | 17 ++++++++--------- .../exploits/windows/ftp/gekkomgr_list_reply.rb | 9 ++++----- .../exploits/windows/ftp/leapftp_list_reply.rb | 6 +++--- modules/exploits/windows/ftp/odin_list_reply.rb | 4 +++- .../exploits/windows/ftp/seagull_list_reply.rb | 12 ++++++------ modules/exploits/windows/http/hp_nnm_ovas.rb | 2 +- 12 files changed, 48 insertions(+), 44 deletions(-) diff --git a/modules/exploits/windows/fileformat/digital_music_pad_pls.rb b/modules/exploits/windows/fileformat/digital_music_pad_pls.rb index 2b8d5ab39f..54e5115d2b 100644 --- a/modules/exploits/windows/fileformat/digital_music_pad_pls.rb +++ b/modules/exploits/windows/fileformat/digital_music_pad_pls.rb @@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Digital Music Pad Version 8.2.3.3.4 SEH overflow', + 'Name' => 'Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4 When opening a malicious pls file with the Digital Music Pad, diff --git a/modules/exploits/windows/ftp/aasync_list_reply.rb b/modules/exploits/windows/ftp/aasync_list_reply.rb index 7dc8dc1653..54b4a34eaf 100644 --- a/modules/exploits/windows/ftp/aasync_list_reply.rb 
+++ b/modules/exploits/windows/ftp/aasync_list_reply.rb @@ -17,7 +17,9 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)', 'Description' => %q{ - This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten. + This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when + processing the response on a LIST command. During the overflow, a structured exception + handler record gets overwritten. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/filewrangler_list_reply.rb b/modules/exploits/windows/ftp/filewrangler_list_reply.rb index 1dd4f7ea35..38bbd48116 100644 --- a/modules/exploits/windows/ftp/filewrangler_list_reply.rb +++ b/modules/exploits/windows/ftp/filewrangler_list_reply.rb @@ -16,11 +16,11 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'FileWrangler 5.30 Buffer Overflow', + 'Name' => 'FileWrangler 5.30 Stack Buffer Overflow', 'Description' => %q{ - This module exploits an SEH overwrite in the FileWrangler client - that is triggered when the client connects to a FTP server and lists - the directory contents, containing an overly long directory name.. + This module exploits a buffer overflow in the FileWrangler client + that is triggered when the client connects to a FTP server and lists + the directory contents, containing an overly long directory name. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb b/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb index 06852db34e..2fc3ea16d2 100644 --- a/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb +++ b/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb 
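Review bot: In the filewrangler_list_reply.rb hunk the rewritten 'Description' no longer says what the overflow corrupts: the removed text named an SEH overwrite, while the new first sentence says only `a buffer overflow` even though the new 'Name' says 'Stack Buffer Overflow'. A reader assessing exposure uses that detail to judge whether SafeSEH or SEHOP apply, and the aasync, gekkomgr and seagull descriptions in this commit keep it. I would open with `This module exploits a stack buffer overflow in the FileWrangler client` and close the paragraph with `During the overflow, a structured exception handler record gets overwritten.`. The leapftp_list_reply.rb hunk drops the SEH mention in the same way. In the same paragraph, `a FTP server` should read `an FTP server`.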
@@ -18,8 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)', 'Description' => %q{ - This module exploits a SEH overflow in FTPGetter Standard v3.55.0.05 ftp client, triggered - when processing the response on a PWD command. + This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client. + When processing the response on a PWD command, a stack based buffer overflow occurs. + This leads to arbitrary code execution when a structured exception handler gets + overwritten. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/ftppad_list_reply.rb b/modules/exploits/windows/ftp/ftppad_list_reply.rb index 23f3007307..84ebc469fe 100644 --- a/modules/exploits/windows/ftp/ftppad_list_reply.rb +++ b/modules/exploits/windows/ftp/ftppad_list_reply.rb @@ -17,14 +17,13 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'FTPPad 1.2.0 Stack Buffer Overflow', 'Description' => %q{ - This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. - The overflow is triggered when the client connects to a FTP server - which sends an overly long directory and filename in response to a - LIST command. - This will cause an access violation, and will eventually overwrite the - saved extended instruction pointer. - Payload can be found at EDX+5c and ESI+5c, so a little pivot/sniper was needed - to make this one work. + This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is + triggered when the client connects to a FTP server which sends an overly long directory + and filename in response to a LIST command. + + This will cause an access violation, and will eventually overwrite the saved extended + instruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/ + sniper was needed to make this one work. }, 'Author' => [ 
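Review bot: The re-wrapped description in the ftppad_list_reply.rb hunk still reads `exploits a stack buffer overflow FTPPad 1.2.0 ftp client`, which is missing `in` before the product name. The same pass carries other wording slips onto new lines. In ftpshell51_pwd_reply.rb, `the ftp clients tries to process an overly response` should read `the ftp client tries to process an overly long response`. In ftpsynch_list_reply.rb, `version 4.0.73.274 The overflow` has no full stop after the version number, and seagull_list_reply.rb has `the ftp clients processes`. These paragraphs are the modules' user-facing vulnerability descriptions and are being rewritten here anyway, so the slips are worth fixing in this commit.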
diff --git a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb index 61aab0dd70..0a1d5a6615 100644 --- a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb +++ b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb @@ -17,9 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, 'Name' => 'FTPShell 5.1 Stack Buffer Overflow', - 'Description' => %q{ This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets - triggered when the ftp clients tries to process an overly response to a PWD command. - This will overwrite the saved EIP and structured exception handler. + 'Description' => %q{ + This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets + triggered when the ftp clients tries to process an overly response to a PWD command. + This will overwrite the saved EIP and structured exception handler. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/ftpsynch_list_reply.rb b/modules/exploits/windows/ftp/ftpsynch_list_reply.rb index f616bd6894..6ae2e4cdaa 100644 --- a/modules/exploits/windows/ftp/ftpsynch_list_reply.rb +++ b/modules/exploits/windows/ftp/ftpsynch_list_reply.rb 
@@ -15,14 +15,14 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'FTP Synchronizer Professional 4.0.73.274', - 'Description' => %q{ This module exploits a stack buffer overflow vulnerability in - FTP Synchronizer Pro 4.0.73.274 - The overflow gets triggered by sending an overly long filename to the client - in response to a LIST command. - The LIST command gets issued when doing a preview or when you have just created a new - sync profile and allow the tool to see the differences. - This will overwrite a structured exception handler and trigger an access violation. + 'Name' => 'FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro + version 4.0.73.274 The overflow gets triggered by sending an overly long filename to + the client in response to a LIST command. + The LIST command gets issued when doing a preview or when you have just created a new + sync profile and allow the tool to see the differences. + This will overwrite a structured exception handler and trigger an access violation. }, 'Author' => [ @@ -51,7 +51,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => false, 'DisclosureDate' => 'Oct 12 2010', 'DefaultTarget' => 0)) - end def setup diff --git a/modules/exploits/windows/ftp/gekkomgr_list_reply.rb b/modules/exploits/windows/ftp/gekkomgr_list_reply.rb index 9c6c5ef49c..1d7b868b4b 100644 --- a/modules/exploits/windows/ftp/gekkomgr_list_reply.rb +++ b/modules/exploits/windows/ftp/gekkomgr_list_reply.rb 
@@ -16,12 +16,11 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Gekko Manager FTP Client Stack Buffer Overflow ', + 'Name' => 'Gekko Manager FTP Client Stack Buffer Overflow', 'Description' => %q{ - This module exploits a SEH overflow in Gekko Manager ftp client, triggered when - processing the response received after sending a LIST request. - If this response contains a long filename, a buffer overflow occurs, overwriting - a structured exception handler. + This module exploits a buffer overflow in Gekko Manager ftp client, triggered when + processing the response received after sending a LIST request. If this response contains + a long filename, a buffer overflow occurs, overwriting a structured exception handler. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/leapftp_list_reply.rb b/modules/exploits/windows/ftp/leapftp_list_reply.rb index f3258e09a9..29f44ff182 100644 --- a/modules/exploits/windows/ftp/leapftp_list_reply.rb +++ b/modules/exploits/windows/ftp/leapftp_list_reply.rb @@ -17,10 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'LeapFTP 3.0.1. SEH Overwrite', + 'Name' => 'LeapFTP 3.0.1 Stack Buffer Overflow', 'Description' => %q{ - This module exploits a SEH overwrite in the LeapFTP 3.0.1 client - triggered when a file with a long name is downloaded/opened. + This module exploits a buffer overflow in the LeapFTP 3.0.1 client. + This issue is triggered when a file with a long name is downloaded/opened. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/odin_list_reply.rb b/modules/exploits/windows/ftp/odin_list_reply.rb index 66c8ea0c0f..9cfdbcd0c9 100644 --- a/modules/exploits/windows/ftp/odin_list_reply.rb +++ b/modules/exploits/windows/ftp/odin_list_reply.rb 
@@ -18,7 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)', 'Description' => %q{ - This module exploits a stack buffer overflow in Odin Secure FTP 4.1, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten. + This module exploits a stack buffer overflow in Odin Secure FTP 4.1, + triggered when processing the response on a LIST command. During the overflow, + a structured exception handler record gets overwritten. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/seagull_list_reply.rb b/modules/exploits/windows/ftp/seagull_list_reply.rb index 36c0087ac6..8eacb631b4 100644 --- a/modules/exploits/windows/ftp/seagull_list_reply.rb +++ b/modules/exploits/windows/ftp/seagull_list_reply.rb @@ -16,12 +16,12 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Seagull FTP v3.3 build 409 Client', + 'Name' => 'Seagull FTP v3.3 build 409 Stack Buffer Overflow', 'Description' => %q{ - This module exploits a SEH overwrite in the Seagull FTP client that gets triggered - when the ftp clients processes a response to a LIST command. If the response contains - an overly long file/folder name, a buffer overflow occurs, overwriting a structured - exception handler.. + This module exploits a buffer overflow in the Seagull FTP client that gets + triggered when the ftp clients processes a response to a LIST command. If the + response contains an overly long file/folder name, a buffer overflow occurs, + overwriting a structured exception handler. }, 'Author' => [ @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) end - #--------------------------------------------------------------------------------- + #--------------------------------------------------------------------------------- def setup super 
diff --git a/modules/exploits/windows/http/hp_nnm_ovas.rb b/modules/exploits/windows/http/hp_nnm_ovas.rb index 10b3feb192..6af49766f3 100644 --- a/modules/exploits/windows/http/hp_nnm_ovas.rb +++ b/modules/exploits/windows/http/hp_nnm_ovas.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow', + 'Name' => 'HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically this vulnerability is caused by a failure to properly handle user supplied input within the