Vendor: Enlightenment
By: spender
CVSS: 7.2 (HIGH)
Category: Privilege Escalation
CWE: 20
Product Name: Enlightenment
Affected Version From: 0.16.8.1
Affected Version To: 0.16.999.056
Patch Exists: YES
Related CVE: CVE-2009-3093
CPE: a:enlightenment:enlightenment
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2009

Enlightenment

This exploit is a proof-of-concept for a privilege escalation vulnerability in the Enlightenment window manager. It allows a local user to gain root privileges. The vulnerability is due to a lack of proper input validation in the Enlightenment window manager. The exploit works by creating a specially crafted X11 window, which can be used to overwrite a function pointer in the Enlightenment window manager. This allows the attacker to execute arbitrary code with root privileges.

Mitigation:

The vendor has released a patch to address this vulnerability.

Exploit-DB raw data:

/* enlightenment 200909092307

   To create your own exploit module for enlightenment, just name it
   exp_whatever.c
   It will be auto-compiled by the run_exploits.sh script and thrown into
   the list of loaded exploit modules

   Each module must have the following features:
   It must include this header file, exp_framework.h
   A description of the exploit, the variable being named "desc"
   A "prepare" function: int prepare(unsigned char *ptr)
     where ptr is the ptr to the NULL mapping, which you are able to write to
     This function can return the flags described below for prepare_the_exploit
     Otherwise, return 0 for failure
   A "trigger" function: int trigger(void)
     Return 0 for failure, nonzero for success
   A "post" function: int post(void)
     This function can return the flags described below for post_exploit
   A "get_exploit_state_ptr" function:
     int get_exploit_state_ptr(struct exploit_state *ptr)
     Generally this will always be implemented as:
     struct exploit_state *exp_state;
     int get_exploit_state_ptr(struct exploit_state *ptr)
     {
        exp_state = ptr;
        return 0;
     }
     It gives you access to the exploit_state structure listed below,
     get_kernel_sym allows you to resolve symbols
     own_the_kernel is the function that takes control of the kernel
      (in case you need its address to set up your buffer)
     the other variables describe the exploit environment, so you can
     for instance, loop through a number of vulnerable socket domains
     until you detect ring0 execution has occurred.

   That's it!
*/

http://www.grsecurity.net/~spender/enlightenment.tgz
back: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33088-1.tgz (2009-enlightenment.tgz)

# milw0rm.com [2009-09-10]