首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全工具>攻击程序>软件详细
软件名称:  xp_ws_ftp_server.rar
文件类型:  
界面语言:  简体中文
软件类型:  国产软件
运行环境:  WinNT/2K/Xp
授权方式:  共享软件
软件大小:  17K
软件等级:  ★★★★☆
发布时间:  2004-03-25
官方网址: http://vfocus.net 作者:Hugh Mann
演示网址:
软件说明:  
* Ipswitch WS_FTP Server <= 4.0.2 RETR/STAT exploit
* (c)2004 Hugh Mann hughmann@hotmail.com
*
* This exploit has been tested with WS_FTP Server 4.0.2.EVAL, Windows XP SP1
Description
~~~~~~~~~~~
A remote user who has write access to a directory can execute arbitrary code
due to a buffer overflow in WS_FTP Server's STAT command when downloading a
file the user created. This is difficult to exploit since the username would
have to be pretty long. If the user has more privilege and can change its
username it's easily exploited.

Details
~~~~~~~
There are four types of user privileges. In order of user with highest
privilege:

1. FTP System Administrator users (can change everything)
2. FTP Host Administrator users (can change everyhing on his/her FTP host)
3. Users
4. Anonymous users

Only (1) and (2) can change a user's name. (3) would most likely have to ask
(1) or (2) to change the username to a much longer name to exploit this, but
if the FTP host name is really long it may not be necessary. So to be 100%
sure we can exploit this, the user must be (2) because (2) can add users and
change their names. A remote (1) can already execute arbitrary files.

A FTP host administrator must log in with the XAUT FTP command or he/she
won't be able to use any useful SITE commands. Apparently Ipswitch thinks
the "encrypted" XAUT string is much safer than plaintext USER/PASS.

The stack-based buffer overflow occurs whenever the user uploads/downloads a
file and at the same time sends a STAT command (no options). The WS_FTP
Server sends a 211 reply with the status of the download. This string
contains the FTP host name, IP address, username, filename, and number of
bytes sent/left. This is a long string (more than 200 unformatted bytes)
which, with any filename and possibly a long FTP hostname / username, can
overflow a 512-byte buffer on the stack. "filename" is exactly the same
filename string the user asked the FTP server to send. The filename contains
the shellcode and can be max 256 characters long.
下载地址: 进入下载地址列表
下载说明: ☉推荐使用网际快车下载本站软件,使用 WinRAR v3.10 以上版本解压本站软件。
☉如果这个软件总是不能下载的请点击报告错误,谢谢合作!!
☉下载本站资源,如果服务器暂不能下载请过一段时间重试!
☉如果遇到什么问题,请到本站论坛去咨寻,我们将在那里提供更多 、更好的资源!
☉本站提供的一些商业软件是供学习研究之用,如用于商业用途,请购买正版。
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热门软件
·qwks.cpp(MS03-049)
·ms05039.rar
·fsie.rar
·Serv-U FTP溢出漏洞利用工具
·NBSI2破解版
·MS08-067.rar
·提权大杀器(2010黑帽大会公布的
·Churrasco.zip
·tfn2k.tgz
·ms04-011.rar
·SMBdie
·KiTrap0D.zip
  相关软件
·PSOProxy-exp.c
·crafty.zip
·ex_putlvcb_aix433_limited.pl
·ethboom.zip
·ex_getlvcb_aix433_limited.pl
·vz-eSignal76.pl
·picobof.zip
·x_make_aix433_limited.pl
·557iss_pam_exp.c
·mdaemon-exploit.c
·03.28.305ether.c
·xp_wftpd.zip
 
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved