CentOS 6.5
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-3124/streamripper-1.61.25.tar.gz
tar -xvf streamripper-1.61.25.tar.gz
cd streamripper-1.61.25
./configure
make
Server:
gcc -o exploit streamripper-aug292006.c
./exploit 8000 127.0.0.1 1234 2
Client:
./streamripper-1.61.25/streamripper http://127.0.0.1:8000
Streamripper HTTP Header Parsing Buffer Overflow Vulnerability
Streamripper 1.61.25 - HTTP Header Parsing Buffer Overflow (1)
See the details in the Patch subsection.
--- streamripper-1.61.25.orig/lib/http.c 2006-08-23 14:30:12.000000000 -0400
+++ streamripper-1.61.25/lib/http.c 2006-08-23 14:31:20.000000000 -0400
@@ -275,7 +275,7 @@
int rc;
char *start;
char versionbuf[64];
- char stempbr[50];
+ char stempbr[MAX_ICY_STRING];
URLINFO url_info;
int url_path_len;
int content_type_by_url;
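Review bot: Enlarging `stempbr` to `MAX_ICY_STRING` closes the overflow only if every write into it is limited to that same size, and the code that fills the buffer is outside this hunk, as is the rest of the function. Where the buffer is handed to a helper that takes a length, passing `sizeof stempbr` instead of a separate constant keeps the bound tied to the declaration. A comment on the declaration such as `/* sized to MAX_ICY_STRING: must stay equal to the bound used when header fields are copied in */` would record why the size matters.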
@@ -394,7 +394,7 @@
else if ((start = (char *)strstr(header, "SHOUTcast")) != NULL) {
strcpy(info->server, "SHOUTcast/");
if ((start = (char *)strstr(start, "Server/")) != NULL) {
- sscanf(start, "Server/%[^<]<", versionbuf);
+ sscanf(start, "Server/%63[^<]<", versionbuf);
strcat(info->server, versionbuf);
}
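Review bot: The return value of `sscanf` is still ignored on the `Server/` line, so when the `%63[^<]` conversion matches no characters, `versionbuf` is not written and the following `strcat` appends whatever the stack buffer held, unless it is initialized somewhere outside this diff. Gating the append on a successful conversion avoids that: `if (sscanf(start, "Server/%63[^<]<", versionbuf) == 1) strcat(info->server, versionbuf);`. The `version ` hunk at -412 has the same pattern and needs the same check. The enclosing function begins and ends outside the hunk.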
@@ -412,7 +412,7 @@
if (!info->server[0]) {
strcpy(info->server, "icecast/");
if ((start = (char *)strstr(start, "version ")) != NULL) {
- sscanf(start, "version %[^<]<", versionbuf);
+ sscanf(start, "version %63[^<]<", versionbuf);
strcat(info->server, versionbuf);
}
}
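Review bot: The `strcat` into `info->server` has no bound of its own, so its safety rests on the destination holding the 8-byte `icecast/` prefix plus up to 63 bytes and a terminator; the size of `info->server` is not visible in this diff. If that size is not guaranteed, a bounded form such as `snprintf(info->server, sizeof info->server, "icecast/%s", versionbuf);` makes the limit explicit, assuming `server` is an array member and not a pointer. The SHOUTcast hunk at -394 has the same shape with a 10-byte prefix.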
Details are in https://144861.bugs.gentoo.org/attachment.cgi?id=94955
https://bugs.gentoo.org/144861