CVE-2006-2971

Experiment Environment

Ubuntu 14.04 LTS

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-2971/0verkill-0.16.tgz

tar -xvf 0verkill-0.16.tgz
cd 0verkill-0.16

./configure
make

Problems in Installation & Configuration

server.c:71:12: error: storage size of 'tm' isn't known

Solution: change #include<sys/time.h> to #include<time.h> (struct tm is declared in <time.h>)

sprite.c:211:1 error: label at end of compound statement 
	skip:
	^

Solution: add an empty statement (a bare ;) after the label, since C does not allow a label directly before the closing brace

server.o: In function `update_game':
server.c:(.text+0x4fb2): undefined reference to `sin'

Solution: add the -lm link option to the end of the make command for target server (sin() lives in libm)

xinterface.c:9:22: fatal error: X11/xpm.h: No such file or directory
	#include <X11/xpm.h>

Solution: sudo apt-get install libxpm-dev

xinterface.c:(.text+0xc): undefined reference to `XFlush'

Solution: add the -lX11 link option to the end of the make command for target x0verkill

xinterface.c:(.text+0x328): undefined reference to `XpmCreatePixmapFromData'

Solution: add the -lXpm link option to the end of the make command for target x0verkill

All the problems above were found in version 0.14 or earlier.

How to trigger vulnerability

./0verkill-0.16/server
python 1894.py localhost 6666

PoCs

0verkill 0.16 - ASCII-ART Game Remote Integer Overflow Crash (PoC)

Vulnerability Details & Patch

Root Cause

net.c:94

	if (crc!=crc32(packet,retval-12))return -1; // retval is the received datagram length: for a UDP packet shorter than 12 bytes, retval-12 is negative

crc32.c:70

	/* ========================================================================= */
	#define DO1(buf) crc = crc_table[((int)crc ^ (*buf++)) & 0xff] ^ (crc >> 8);
	#define DO2(buf)  DO1(buf); DO1(buf);
	#define DO4(buf)  DO2(buf); DO2(buf);
	#define DO8(buf)  DO4(buf); DO4(buf);
	
	/* ========================================================================= */
	unsigned long crc32(unsigned char* buf, unsigned len) // len is unsigned, so a negative retval-12 is converted to a huge positive value and the loops below read far past the packet buffer
	{
		unsigned long crc = 0xffffffffL;
		while (len >= 8)
		{
			DO8(buf);
			len -= 8;
		}
		if (len) do {
			DO1(buf);
		} while (--len);
		return crc ^ 0xffffffffL;
	}
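To make the root cause concrete, here is an added example (not 0verkill's own code) that reimplements a standard reflected CRC-32 with the same unsigned-length signature, shows the value that retval-12 takes for a short datagram, and puts the length guard that a fixed recv_packet() needs in front of the CRC comparison. The crc argument is assumed to have been extracted from the packet header already, as it is in net.c.

```c
#include <stdint.h>

/* Standard reflected CRC-32 (polynomial 0xEDB88320) with the same
 * unsigned-length signature as 0verkill's crc32(); this is a
 * reconstruction for the example, not the project's own code. */
static uint32_t crc_table[256];

static void make_crc_table(void)
{
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[n] = c;
    }
}

uint32_t crc32(const unsigned char *buf, unsigned len)
{
    static int ready = 0;
    if (!ready) { make_crc_table(); ready = 1; }
    uint32_t crc = 0xffffffffu;
    while (len--)                       /* same step as DO1, without unrolling */
        crc = crc_table[(crc ^ *buf++) & 0xff] ^ (crc >> 8);
    return crc ^ 0xffffffffu;
}

/* What the original net.c check hands to crc32() for a datagram of
 * retval bytes: retval-12 is negative for retval < 12 and wraps when
 * converted to the unsigned parameter, e.g. retval=4 gives 4294967288. */
unsigned vulnerable_crc_len(int retval)
{
    return (unsigned)(retval - 12);
}

/* Hardened check: bound the length before doing arithmetic on it, then
 * verify the CRC the caller already extracted (in the original code crc
 * comes from the packet header, as on net.c:94).
 * Returns 0 when the CRC matches, -1 otherwise. */
int check_packet_fixed(const unsigned char *packet, int retval, uint32_t crc)
{
    if (retval < 12)
        return -1;                      /* too short: reject, never underflow */
    if (crc != crc32(packet, (unsigned)(retval - 12)))
        return -1;
    return 0;
}
```

The guard must compare the signed length before the subtraction; checking the unsigned result against a maximum after the conversion would already be too late.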

Stack Trace

(gdb) info stack
#0  crc32 (buf=0x80a5000 <Address 0x80a5000 out of bounds>, len=4294685848) at crc32.c:82
#1  0x0805d08d in recv_packet (packet=0x80604a0 "", max_len=256, addr=0xbf9eabbc, addr_len=0xbf9ea978, 
    sender_server=0, recipient=0, sender=0xbf9ea974) at net.c:94
#2  0x0804d241 in read_data () at server.c:1199
#3  0x08055284 in server () at server.c:2722
#4  0x08055611 in main (argc=1, argv=0xbf9eafb4) at server.c:2780

References