| 软件名称: |
xp_ws_ftp_server.rar |
| 文件类型: |
|
|
| 界面语言: |
简体中文 |
| 软件类型: |
国产软件 |
| 运行环境: |
WinNT/2K/Xp |
| 授权方式: |
共享软件 |
| 软件大小: |
17K |
| 软件等级: |
★★★★☆ |
| 发布时间: |
2004-03-25 |
| 官方网址: |
http://vfocus.net 作者:Hugh Mann |
| 演示网址: |
|
| 软件说明: |
|
* Ipswitch WS_FTP Server <= 4.0.2 RETR/STAT exploit
* (c)2004 Hugh Mann hughmann@hotmail.com
*
* This exploit has been tested with WS_FTP Server 4.0.2.EVAL, Windows XP SP1
Description
~~~~~~~~~~~
A remote user who has write access to a directory can execute arbitrary code
due to a buffer overflow in WS_FTP Server's STAT command when downloading a
file the user created. This is difficult to exploit since the username would
have to be pretty long. If the user has more privilege and can change its
username it's easily exploited.
Details
~~~~~~~
There are four types of user privileges. In order of user with highest
privilege:
1. FTP System Administrator users (can change everything)
2. FTP Host Administrator users (can change everyhing on his/her FTP host)
3. Users
4. Anonymous users
Only (1) and (2) can change a user's name. (3) would most likely have to ask
(1) or (2) to change the username to a much longer name to exploit this, but
if the FTP host name is really long it may not be necessary. So to be 100%
sure we can exploit this, the user must be (2) because (2) can add users and
change their names. A remote (1) can already execute arbitrary files.
A FTP host administrator must log in with the XAUT FTP command or he/she
won't be able to use any useful SITE commands. Apparently Ipswitch thinks
the "encrypted" XAUT string is much safer than plaintext USER/PASS.
The stack-based buffer overflow occurs whenever the user uploads/downloads a
file and at the same time sends a STAT command (no options). The WS_FTP
Server sends a 211 reply with the status of the download. This string
contains the FTP host name, IP address, username, filename, and number of
bytes sent/left. This is a long string (more than 200 unformatted bytes)
which, with any filename and possibly a long FTP hostname / username, can
overflow a 512-byte buffer on the stack. "filename" is exactly the same
filename string the user asked the FTP server to send. The filename contains
the shellcode and can be max 256 characters long.
|
|
| 下载地址: |
进入下载地址列表
|
| 下载说明: |
☉推荐使用网际快车下载本站软件,使用 WinRAR v3.10 以上版本解压本站软件。
☉如果这个软件总是不能下载的请点击报告错误,谢谢合作!!
☉下载本站资源,如果服务器暂不能下载请过一段时间重试!
☉如果遇到什么问题,请到本站论坛去咨寻,我们将在那里提供更多 、更好的资源!
☉本站提供的一些商业软件是供学习研究之用,如用于商业用途,请购买正版。 |
|
[ 推荐]
[ 评论(0条)] [返回顶部] [打印本页]
[关闭窗口] |
|
|
| |
|
|
 |
|
推荐广告 |
|
|
|
|
|
