ProFTPD1.3.0/1.3.0a (mod_ctrlssupport) LocalBufferOverflowExploit vulnerability and attack code analysis (leave a pitfall for future tracking)

Source: Internet
Author: User

ProFTPD1.3.0/1.3.0a (mod_ctrlssupport) LocalBufferOverflowExploit vulnerability and attack code analysis (leave a pitfall for future tracking)

Attack code URL:

1. Running environment:
1. ProFTPD 1.3.0/1.3.0a
2. When compiling ProFTPD, The -- enable-ctrls option must be enabled.
./Configure -- enable-ctrls
3. The local user must have the permission to connect through a Unix Socket.
2. running parameters:
Revenge @ darklight ~ $./ sock 1
The first parameter is generated after the customer logs on to the ProFTPD server for local Process Communication. the absolute path of the sock file. Use find/-name proftpd. sock, find the path of the file on the local machine. Proftpd. sock is also a file used for inter-process communication on the ProFTPD server. This program injects shellcode into this file to implement a buffer overflow attack.

Run the following command:

3. Code Analysis:
3.1 construct a buffer overflow string
Use the libShellCode library to generate the shellcode. The content is roughly:
Setuid (0) setgid (0) bind (/bin/sh) on port 31337
Connect the meaningless string before shellcode, connect the target address to be returned after shellcode, and finally construct the string used for Buffer Overflow.
3.2 establish a local socket connection and send data

Line 76: Create a new connection-oriented protocol family with the descriptor SOCK as PF_UNIX socket. PF_UNIX protocol family for communication between processes on the same machine. It uses a local file (usually. sock, proftpd. sock) instead of an IP address to implement inter-process communication.
Line 77: pack the variable $ rsock ($ rsock =/usr/local/var/proftpd. sock) into the network communication address in the sockaddr structure.

Line 85: connect to the proftpd server host using the connect () function. Specify the connection to proftpd. sock.
The vulnerability exists. Because it is a validation code, no more aggressive operations were performed after the attack was implemented. According to my code for this program and ProFTPD source code ftpdctl. c (/root/proftpd-1.3.0a/src/ftpdctl. c) and ctrls. c (/root/proftpd-1.3.0a/src/ctrls. c) Understanding and speculation:
Proftpd. sock is the file for communications between two processes on the ProFTPD server. 3330. pl writes shellcode to proftpd. after sock, there will be a process through the local socket connection for data communication, and during the communication process will proftpd. the sock file content is written into the memory, and it is in this process that the buffer overflow attack is executed.
4.2 basis of speculation
Define the socket_file variable in row 116 of ftpdctl. c and assign it to proftpd. sock. Then, create a local socket connection through the pr_ctrls_connect (socket_file) function in row 187.
The pr_ctrls_connect (char * socket_file) function is in ctrls. row 874 of c is defined. Its main function is to create a stream socket of the AF_UNIX type and connect it to the server. The local socket address used for connection is ctrl_sock. Ctrl_sock is a struct sockaddr_un structure. It has two parameters: sun_family and sun_path. Sun_family is a protocol family and assigned a value of AF_UNIX for communication between local processes. Sun_path is the path of the local file. Use socket_file in the program to assign values to sun_path. Unfortunately, when values are assigned, that is, when ctrl_sock.sun_path is constructed, the contents of the socket_file file will be written together into the memory region & ctrl_sock of sizeof (ctrl_sock.
Ctrl_sock is a local variable defined in the pr_ctrls_connect () function. When a function is called, the computer will open up a memory storage area with a size of sizeof (ctrl_sock) in the dynamic storage area, at the same time, the dynamic storage area is also used to save the field information and function return address when the function is called, which creates conditions for the buffer overflow attack. We can see that the function written into the memory in line 3 of the program is strncpy (ctrl_sock.sun_path, socket_file, strlen (socket_file). Obviously, this function does not perform a boundary check on the written data, that is to say, data of any length can be written to the memory area of sizeof (ctrl_sock), so this is the buffer overflow point.
In general, 3330. pl is a counterfeit communication data. It constructs ultra-long data containing attack instructions and writes it to proftpd. sock. When the ProFTPD server process communicates through this file, it uses the strncpy () function in ctrls. c that does not perform the boundary check to write shellcode into the memory and carry out overflow attacks.
1. If 3330. pl is only responsible for writing shellcode to. sock, will it also cause buffer overflow if I write the constructed shellcode directly without using socket? What can I do if it overflows? Do you have some contact with the method of the 394. c code? Can you see the clues? If there is no overflow, it indicates it is related to the socket. check how the socket receive mechanism listens for Data Writing.
, 2, strncpy (ctrl_sock.sun_path, socket_file, strlen (socket_file) is to write the path name to sun_path rather than the. sock file content, so there is a problem with the previous understanding. As mentioned in 394. c, you can control strlen (socket_file) to copy the data used for overflow to the target array. It is related to send. Send SOCK, $ buffer, 0; indicates where the data is sent, whether it is a. sock file or something else.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.