[Repost] htget Remotely Exploitable Buffer Overflow (ReadLine)

Source: www.securiteam.com

Summary
"infamous41md" discovered a buffer overflow in htget, a command-line file grabber that downloads files from HTTP servers. A malicious server response (reached by accessing a malicious URL) can overflow a buffer and execute arbitrary code. The exploit code linked below can be used to test your htget for the mentioned vulnerability.

Credit:
The information has been provided by infamous41md.

Details
Vulnerable code:
The following code (the ReadLine loop) is vulnerable to a buffer overflow:

```c
/* Reads one line from Socket, byte by byte, into ReceiveBuffer.
 * The bound check uses BIG_BUFFER_SIZE even when ReceiveBuffer
 * is only MAXLENGTH bytes long. */
rc = read(Socket, &ch, 1);
while (rc == 1)
{
    ReceiveBuffer[I] = ch;
    I++;
    if (ch == '\n')
    {
        break;
    }
    if (I > (BIG_BUFFER_SIZE - 4))
    {
        break;
    }
    rc = read(Socket, &ch, 1);
}
```

Specifically, the `if (I > (BIG_BUFFER_SIZE - 4))` check does not take into account the size of the buffer the data is actually stored in: in some call sites that buffer is only MAXLENGTH (256) bytes, not BIG_BUFFER_SIZE (4096), so a server-supplied line longer than 256 bytes is written past the end of the buffer.
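To make the defect concrete, here is an added example that is not htget's code: the advisory's loop reproduced against a constructed in-memory stand-in for `read(Socket, &ch, 1)` (the `mock_socket`/`mock_read` names are assumptions), beside a hardened variant that bounds the loop on the real destination size and NUL-terminates. The `BIG_BUFFER_SIZE` and `MAXLENGTH` values are the ones the advisory names. The original loop is run into a 4096-byte buffer so it cannot corrupt memory here; its return value shows how many bytes it would have written into a 256-byte buffer.

```c
/* Added example, not htget's code. Mock socket + original vs. bounded ReadLine. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BIG_BUFFER_SIZE 4096   /* constants as named in the advisory */
#define MAXLENGTH 256

/* Constructed stand-in for a socket: serves bytes from a memory buffer. */
struct mock_socket {
    const char *data;
    size_t len;
    size_t pos;
};

/* Mimics read(Socket, &ch, 1): returns 1 with one byte, or 0 at EOF. */
static int mock_read(struct mock_socket *s, char *ch)
{
    if (s->pos >= s->len)
        return 0;
    *ch = s->data[s->pos++];
    return 1;
}

/* The advisory's loop with unchanged logic: the only bound is BIG_BUFFER_SIZE,
 * whatever the size of ReceiveBuffer. Returns the number of bytes stored. */
size_t original_readline(struct mock_socket *sock, char *ReceiveBuffer)
{
    char ch;
    size_t I = 0;
    int rc = mock_read(sock, &ch);
    while (rc == 1) {
        ReceiveBuffer[I] = ch;
        I++;
        if (ch == '\n')
            break;
        if (I > (BIG_BUFFER_SIZE - 4))
            break;
        rc = mock_read(sock, &ch);
    }
    return I;
}

/* Hardened variant: the caller passes the real size of dst; the loop keeps one
 * byte for the terminator, so an over-long line is truncated, never overflowed.
 * Returns the number of bytes stored, excluding the NUL. */
size_t bounded_readline(struct mock_socket *sock, char *dst, size_t dstsize)
{
    char ch;
    size_t I = 0;
    if (dstsize == 0)
        return 0;
    while (I < dstsize - 1) {
        if (mock_read(sock, &ch) != 1)
            break;
        dst[I++] = ch;
        if (ch == '\n')
            break;
    }
    dst[I] = '\0';
    return I;
}

/* Builds a constructed header line of n 'A' bytes followed by '\n'. */
static size_t fill_long_line(char *buf, size_t cap, size_t n)
{
    if (n > cap - 2)
        n = cap - 2;
    memset(buf, 'A', n);
    buf[n] = '\n';
    buf[n + 1] = '\0';
    return n + 1;
}

/* Scenario: feed an n-byte line through the original loop into a 4096-byte
 * buffer and report how many bytes it stored (anything over MAXLENGTH would
 * have overflowed a MAXLENGTH-sized ReceiveBuffer). */
size_t demo_original_count(size_t n)
{
    static char line[8192];
    static char big[BIG_BUFFER_SIZE];
    size_t len = fill_long_line(line, sizeof line, n);
    struct mock_socket s = { line, len, 0 };
    return original_readline(&s, big);
}

/* Scenario: same line through the bounded loop into a MAXLENGTH buffer.
 * Returns the stored count; strlen(small) must match it (NUL in place). */
size_t demo_bounded_count(size_t n)
{
    static char line[8192];
    char small[MAXLENGTH];
    size_t len = fill_long_line(line, sizeof line, n);
    struct mock_socket s = { line, len, 0 };
    size_t stored = bounded_readline(&s, small, sizeof small);
    return strlen(small) == stored ? stored : (size_t)-1;
}

int main(void)
{
    printf("original loop, 1000-byte line: stored %zu bytes (MAXLENGTH is %d)\n",
           demo_original_count(1000), MAXLENGTH);
    printf("bounded loop,  1000-byte line: stored %zu bytes\n",
           demo_bounded_count(1000));
    return 0;
}
```

The point of the hardened variant is that the bound is a parameter supplied by the owner of the buffer, not a global constant; every caller that passes a MAXLENGTH buffer then gets a MAXLENGTH-sized limit. Truncating a too-long header line is a policy choice; rejecting the response outright is equally valid, but either is preferable to the silent overflow.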

CVE Information:
CAN-2004-0852

Exploit:
http://www.eviloctal.com/forum/read.php?tid=6671