ProFTPd Local pr_ctrls_connect Vulnerability - ftpdctl vulnerability and exploit code analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201453254
Type myhack58
Reporter 佚名
Modified 2014-09-05T00:00:00


Exploit code URL:


1, Operating environment:

1, The ProFTPD 1.3.0/1.3.0 a

2, the compiled ProFTPD,--enable-ctrls option must be open

./ configure --enable-ctrls

2, The Run parameters:

root@kali:~# gcc 3 9 4. c-o 3 9 4

root@kali:~# ./ 3 9 4 –s <option> [-p <option_path>] [-o <option_offset>]

The parameter-s is the value of attack in two different ways, the values 1 and 2 can be selected. No. 1 ways to use the current environment, the first 2 ways is the use of ret-to-libc approach.

Note: return-to-libc attack, stack the return address is replaced with another instruction address, and the stack part is covered to provide its parameters. This allows attackers to call existing functions without having to inject malicious code into the program.

Parameters-o-p parameter without much sense. Merely help the using the attack code.

3, code analysis

Code execution command: root@kali:~# ./ 3 9 4 –s 1

3.1 analysis program parameters


Program No. 2 3 6, 3 9 4. c Program run-time parameters for analysis. getopt(int argc, char * const argv[ ], const char * optstring)used to parse command line parameters. The parameters argc and argv are from main()is passed the number of parameters and content. Parameter optstring is Representative for processing options string. Options string of letters followed by a colon“:”indicates that there are parameters related to the whole domain of the variable optarg will point to this additional parameter. Then the following is for the different parameters are processed, since the Final Act of the only-s a parameter, the following will focus on the analysis of the-s parameter.

getopt processing to the-s parameter, due to the optstring in the colon,“:”, optarg will point to the-s of the next parameter, which is 1 in. Then the program in 2 4 6 row is the parameter value assigned to the variable wybor, waiting for the next processing.


3.2 to determine the parameters of effectiveness

Due to the 3 9 4. c Program provides only 2 kinds of exploits, so in the Program 2 4 1 row the-s after the parameter value is defined as 1 or 2, any other values are considered illegal, and will cause the program to exit directly.


In addition, the program of another variable path for the specified vulnerability the program absolute path, the value defaults to/usr/local/bin/ftpdctl it. It is also ProFTPD Server ftpdctl call ctrls. c pr_ctrls_connect()function, and the function of a strncpy()is the vulnerability of the buffer overflow point. In the 3 9 4. c 2 6 7 row by fopen()to open the file the way to determine the path of the file is valid.


3.3 structure of the overflow data and perform the attack

The final attack of the statement is 2 9 8 rows and 3 2 4 row of execle(path,path,"-s",buf,0,sh);

int execle(const char path, const char arg, ..., char * const envp[]);

Use the execle function, you can put the current process is replaced by a new process, the path parameter indicates you want to start the program name including the path name, the arg parameter indicates to start the program with parameters, generally the first parameter to execute the command. The environment variables passed to the need to replace the process envp save environment information data

The variable buf is used to store overflow data, in addition to a lot of meaningless data, the most important thing is to have/bin/sh entry address. When the buffer overflow, the program will be guided, jump to/bin/sh, which can execute arbitrary instructions.

Constructed overflow data is mainly related to two variables: buf[2 2 9]and sh[2], since the-s parameter(1 or 2)decided to exploit the vulnerability in two different ways, the following will address these two approaches separately description:

Mode 1 is wybor=1, buf, in addition to the first two bytes of data”/A”,The remaining 2 2 7 bytes all/bin/sh entry address, as shown in Fig.


envp[]is using 0x90 as the padding character, and at the end write in advance of the constructed shellcode is. shellcode is the main role of the Executive: setuid(0) and setgid(0), the/bin/sh and exit(0). the


Mode 2 is wybor=2, due to the use of ret-to-libc manner, buf the data except the first byte is‘/’, the last 3 bytes in the order of LIBC_SYSTEM address, LIBC_NEXT__address and/BIN/SH address, the rest 2 2 of 5 bytes are padding characters 0x41.


envp[]is used‘’as a fill character and in the end writes the string”/bin/sh”in.


3, the results of the analysis

From the above analysis, it can be seen, the 3 9 4. c Program main is by directly calling the ProFTPD server command ftpdctl-s to the vulnerability implement attack. The reason why this is so, because of that, the command ftpdctl needs and the server to establish a local socket connection to the inter-process communication, the establishment of the socket connection time, the ftpdctl. c call in the ctrls. c 8 7 4-line definition of function pr_ctrls_connect(char *socket_file)。

pr_ctrls_connect(char *socket_file)main role is to, create a AF_UNIX type stream type socket, and connect to the server, for the connection of the local socket address for ctrl_sock it. And ctrl_sock is struct sockaddr_un structure, which has two parameters sun_family and sun_path is. sun_family is a Protocol family, and assign a value of AF_UNIX for local inter-process communication. sun_path is the path of the local file used in the program socket_file the sun_path assignment. Unfortunately, in the assignment, use the no check the data of the boundary of strncpy (), you can see in the Program 9 2 3 row write memory function for strncpy(ctrl_sock. sun_path,socket_file,strlen(socket_file)), it is clear this function and no data written to the boundary check, that is Can to the size as sizeof(ctrl_sock)memory area write any length of data. ctrl_sock is in the function pr_ctrls_connect()in the definition of local variables, the occurrence of a function call when the computer in the dynamic storage area to open up the size to sizeof(ctrl_sock)of the memory storage area, at the same time the dynamic storage area will also be used to save the function call time site information and function return address, which is a buffer overflow attack to create the conditions. Also as 3 9 4. c source code comments say, we can control socket_file length to make buffer overflow occurs.

Indeed, 3 9 4. c is the use of this vulnerability, the construct containing a/bin/sh returns the address of the long data in the call ftpdctrl when using the parameter-s to replace the normal socket_file paths. When the ctrls. c implementation of strncpy (), this ultra-long shellcode so that the buffer overflow, so turn to execute/bin/sh, in order to achieve the purpose of the attack