README.md

File metadata and controls

127 lines (92 loc) · 2.3 KB

# CVE-2006-1148

## Experiment Environment

Ubuntu 10.04 LTS

## INSTALL & Configuration

```sh
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-1148/peercast-0.1214.tar.gz
tar -xvf peercast-0.1214.tar.gz
cd peercast-0.1214
./configure
make
sudo make install
```

## Problems in Installation & Configuration

## How to trigger vulnerability

Server:

```sh
/usr/local/bin/peercast -d
```

Client:

```sh
gcc -o exploit1 poc1.c
./exploit1 -s 127.0.0.1 -c 0 -t 1 -x 31337
```

```sh
gcc -o exploit2 poc2.c
./exploit2 127.0.0.1 7144
```

visit http://www.example.com/stream/?AAAAAAAAAAAAAAAAAAAAAAA....(800)

## PoCs

- PeerCast 0.1216 - 'nextCGIarg' Remote Buffer Overflow (2)
- PeerCast 0.1216 - 'nextCGIarg' Remote Buffer Overflow (1)
- Peercast.org PeerCast Remote Buffer Overflow Vulnerability

## Vulnerability Details & Patch

### Root Cause

After a short investigation, a high-risk vulnerability was discovered in the PeerCast streaming server. An unauthenticated remote user can send a specially crafted request to the HTTP server that causes a stack overflow, which can be exploited for remote code execution. The problem is in the URL handling code: when a user requests a special URL on the server (such as 'stream'), the arguments are processed by the procConnectArgs() function.

Vulnerable code in /code/common/servmgr.cpp:

```cpp
void ServMgr::procConnectArgs(char *str,ChanInfo &info)
{
    char arg[512];
    char curr[256];

    char *args = strstr(str,"?");
    if (args)
        *args++=0;

    info.initNameID(str);

    if (args)
    {

        while (args=nextCGIarg(args,curr,arg))
        {
            ...
            ...
            ...
```

procConnectArgs() processes the arguments (char *str) passed to the server script. Both stack buffers, arg[512] and curr[256], can be overflowed inside nextCGIarg(), which is called from the while() loop, if too long a string is passed after the '?' character in the URL: nextCGIarg() never receives the size of either destination buffer, so it copies until it meets a delimiter or the end of the string.

Vulnerable code in /code/common/servhs.cpp:

```cpp
char *nextCGIarg(char *cp, char *cmd, char *arg)
{
    if (!*cp)
        return NULL;

    // fetch command
    while (*cp)
    {
        char c = *cp++;
        if (c == '=')
            break;
        else
            *cmd++ = c;
    }
    *cmd = 0;

    // fetch arg
    while (*cp)
    {
        char c = *cp++;
        if (c == '&')
            break;
        else
            *arg++ = c;
    }
    *arg = 0;

    return cp;
}
```
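The two snippets above show the defect from both sides: procConnectArgs() owns the fixed-size stack buffers, and nextCGIarg() fills them without knowing their size. The following is an added example written for this README, not PeerCast's code and not a patch from the project: a bounded re-implementation of the same scan (`nextCGIargBounded`, a hypothetical name) driven by a loop that mirrors procConnectArgs() with the original sizes, plus a front-end check (`measureQuery`, also hypothetical) that measures raw token lengths so an oversized query can be logged or rejected before it reaches the parser. The 800-byte sample input is constructed here to match the shape of the request described under "How to trigger vulnerability"; note that a value with no '=' lands in the smaller curr[256] buffer, not arg[512].

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stack buffer sizes from the quoted ServMgr::procConnectArgs:
 * arg[512] and curr[256]. */
#define ARG_LEN  512
#define CURR_LEN 256

/* Bounded variant of nextCGIarg (added example, not PeerCast code).
 * Same scan as the original: command up to '=', value up to '&'. Each
 * destination carries its capacity; bytes beyond capacity-1 are consumed
 * and dropped instead of written. Returns the start of the next argument,
 * or NULL once the input is exhausted, so the caller's loop is unchanged. */
const char *nextCGIargBounded(const char *cp, char *cmd, size_t cmdLen,
                              char *arg, size_t argLen)
{
    size_t n = 0;
    if (!cp || !*cp)
        return NULL;

    while (*cp) {                          /* fetch command */
        char c = *cp++;
        if (c == '=')
            break;
        if (n + 1 < cmdLen)                /* keep room for the NUL */
            cmd[n++] = c;
    }
    if (cmdLen)
        cmd[n] = 0;

    n = 0;
    while (*cp) {                          /* fetch arg */
        char c = *cp++;
        if (c == '&')
            break;
        if (n + 1 < argLen)
            arg[n++] = c;
    }
    if (argLen)
        arg[n] = 0;
    return cp;
}

struct ParseResult { int count; size_t lastCmd; size_t lastArg; };

/* Mirrors the while() loop in procConnectArgs with the original buffer
 * sizes but the bounded parser. lastCmd/lastArg are strlen() of the final
 * tokens and can never exceed CURR_LEN-1 / ARG_LEN-1. */
struct ParseResult parseConnectArgs(const char *args)
{
    char arg[ARG_LEN];
    char curr[CURR_LEN];
    struct ParseResult r = {0, 0, 0};
    const char *p = args;
    arg[0] = curr[0] = 0;
    while ((p = nextCGIargBounded(p, curr, sizeof curr, arg, sizeof arg)))
        r.count++;
    r.lastCmd = strlen(curr);
    r.lastArg = strlen(arg);
    return r;
}

struct TokenLens { size_t maxCmd; size_t maxArg; int oversized; };

/* Defender-side check: measure raw token lengths without copying. A command
 * token longer than CURR_LEN-1 or a value token longer than ARG_LEN-1 would
 * overflow the unpatched nextCGIarg, so a front end can log or reject it. */
struct TokenLens measureQuery(const char *query)
{
    struct TokenLens t = {0, 0, 0};
    size_t run = 0;
    int inArg = 0;
    const char *p = query;
    for (;; p++) {
        char c = *p;
        if (c == '=' && !inArg) {          /* end of command token */
            if (run > t.maxCmd) t.maxCmd = run;
            run = 0; inArg = 1;
        } else if (c == '&' || c == 0) {   /* end of value (or lone command) */
            if (inArg) { if (run > t.maxArg) t.maxArg = run; }
            else if (run > t.maxCmd) t.maxCmd = run;
            run = 0; inArg = 0;
            if (c == 0) break;
        } else {
            run++;
        }
    }
    t.oversized = t.maxCmd > CURR_LEN - 1 || t.maxArg > ARG_LEN - 1;
    return t;
}

/* Constructed sample input (not from the page's PoC files): prefix followed
 * by len bytes of 'A', shaped like the "?AAAA...(800)" request above. */
char *makeLongQuery(const char *prefix, size_t len)
{
    size_t pl = strlen(prefix);
    char *q = malloc(pl + len + 1);
    if (!q) return NULL;
    memcpy(q, prefix, pl);
    memset(q + pl, 'A', len);
    q[pl + len] = 0;
    return q;
}

int main(void)
{
    char *q = makeLongQuery("", 800);      /* no '=': lands in curr[256] */
    struct TokenLens t = measureQuery(q);
    struct ParseResult r = parseConnectArgs(q);
    printf("oversized=%d maxCmd=%zu parsed=%d lastCmd=%zu\n",
           t.oversized, t.maxCmd, r.count, r.lastCmd);
    free(q);
    return 0;
}
```

With the 800-byte query and no '=', `measureQuery` reports an oversized command token of 800 and the bounded loop keeps curr at 255 characters; with a `name=` prefix the same payload is capped at 511 characters in arg. Passing the capacity alongside each buffer is the minimal fix a patch for this bug needs; the measurement routine is what a reverse proxy or IDS rule would key on for this class of request.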

### Stack Trace

### Patch

## References