AnswerBook2 server format string exploit v1.12
Vulnerability exploited: CAN-1999-1417 - BID-5383
Category: Exploits/Remote
Exploits a format string bug in Sun's AnswerBook2 Documentation Server.

This module exploits a format string and buffer overflow bug in the function nsapi_log_error() to overwrite the return address of another function (send_file()) and make it point to the stack location where the agent is stored (sent in the same request). The attacked daemon (dwhttpd/AnswerBook2) is a multi-threaded application, hence the stack addresses are not fixed. However, the exploit tries to execute the agent at an address that it retrieves using the format string bug. If this address fails, the exploit will try different values, up to 30 tries.

At the same time, the format string bug is used to calculate the number of extra padding bytes that should be used to align the code and the return address. If it is not possible to guess these values using the format string, default values corresponding to default installations will be used.

On servers under heavy load it is possible that the exploit will fail. If this is your situation, we recommend that you try the exploit several times and, if possible, find a time when the load on the server is not so heavy.

After successful installation of the agent, AnswerBook2 will continue running until the agent is disconnected, either manually or because of some network problem.
Supported Systems: Solaris 7 (sun4m), Solaris 8 (sun4u)
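As an added, defender-side illustration (not CORE IMPACT's module code and not AnswerBook2's source): the bug class described above is attacker-controlled request text reaching a printf-style format argument in a server's logging routine. The C below scans request lines for format directives, separating the %n write directive (the one that makes a return-address overwrite possible) from read-only probes, and shows the fixed-format logging pattern that removes the bug. The function names, the /ab2/ path and the sample request lines are constructed assumptions, and the scanner assumes its input has already been URL-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Risk level returned by scan_for_format_directives(). */
enum fmt_risk { FMT_NONE = 0, FMT_READ = 1, FMT_WRITE = 2 };

/* Scan attacker-reachable text (a request line or header a server might hand
 * to its error-logging routine) for printf-style directives. Input is assumed
 * already URL-decoded, since '%' also starts URL escapes. Returns FMT_WRITE if
 * %n is present, FMT_READ if only read directives appear, FMT_NONE otherwise. */
enum fmt_risk scan_for_format_directives(const char *s)
{
    enum fmt_risk worst = FMT_NONE;
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                   /* character after '%' */
        if (*p == '\0') break;                 /* lone trailing '%' */
        if (*p == '%') { p++; continue; }      /* "%%" is a literal percent */
        /* skip flags, width, precision, positional and length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) p++;
        if (*p == 'n') return FMT_WRITE;       /* %n writes to memory */
        if (*p && strchr("diouxXeEfgGaAcsp", *p)) worst = FMT_READ;
    }
    return worst;
}

/* Hypothetical safe logging wrapper: the untrusted text is an argument to a
 * fixed format, never the format itself. The vulnerable shape of a log routine
 * is the equivalent of snprintf(out, n, untrusted). Returns the line length. */
int log_error_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "request error: %s", untrusted);
}

/* Constructed sample request lines, not captured traffic. */
static const char *const sample_requests[] = {
    "GET /ab2/Docs/index.html HTTP/1.0",      /* benign */
    "GET /ab2/100%%-loaded HTTP/1.0",         /* literal percent, benign */
    "GET /ab2/%x%x%x%x HTTP/1.0",             /* read directives: stack disclosure probe */
    "GET /ab2/AAAA%08x%08x%n HTTP/1.0",       /* %n write directive */
};

int main(void)
{
    char line[64];
    for (size_t i = 0; i < sizeof sample_requests / sizeof sample_requests[0]; i++)
        printf("risk=%d  %s\n", (int)scan_for_format_directives(sample_requests[i]), sample_requests[i]);
    log_error_safe(line, sizeof line, sample_requests[3]);
    printf("%s\n", line);   /* %n is logged as literal text, nothing is interpreted */
}
```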
This module is included in the latest version of CORE IMPACT.