RealOne Player Insecure Config File Permissions Local Privilege Escalation Vulnerability (2)

There are a number of ways to attack this, but after some poking it seems that modifying the path to shared libraries and writing my own malicious shared libraries was the easiest.

(As an aside, just because the shared libraries in the directories contained in ~$USER/.realnetworks/RealShared_0_0/ are stripped doesn't mean we can't get the symbols back. objdump can quickly tell us what the names of the 15 functions are, and we can stub out a bogus shared library pretty quickly.)

This particular bit of code is meant to replace the shared library cook.so.6.0, which is contained in the Codecs directory. To execute this attack against a fellow local user, first edit their config file (~victim/.realnetworks/RealShared_0_0) to have the 'dt_codecs' variable point to a directory under your control, like /tmp/Codecs. Copy all of the existing files from the previous value of dt_codecs (which is usually something like ~victim/Real/Codecs/) to /tmp/Codecs. Next, compile the code below as a shared library and copy it to the trojaned directory:

`gcc -shared -fPIC -o /tmp/Codecs/cook.so.6.0 rp9-priv-esc.c`

The next time the victim fires up RealPlayer 9, a nice little shell will be listening on port 12345 for you:

guest@haiti:/$ id
uid=1006(guest) gid=100(users) groups=100(users)
guest@haiti:/$ nc localhost 12345
id
uid=1000(warchild) gid=100(users) groups=100(users),40(src),1003(wheel)

Of course, you don't have to execute a shell. Do whatever makes you happy.

Fix? `chmod 700 ~/.realnetworks/*`

Copyright (c) 2003, Jon Hart
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
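A defender-side audit for the weakness this advisory relies on, added here as an example (it is not the advisory's code): it checks a user's RealNetworks config for the permissive mode that `chmod 700` removes and for a `dt_codecs` path pointing outside the user's home or into a world-writable directory such as /tmp/Codecs. The advisory only names the `dt_codecs` key and the config location; the `key=value` text format, the `audit_realnetworks_config` and `demo` helpers, and the temp-directory scenario are assumptions made for this example.

```python
import os
import stat
import tempfile

def parse_config(text):
    """Parse `key=value` lines into a dict (the file format is an assumption)."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            cfg[key.strip()] = value.strip()
    return cfg

def audit_realnetworks_config(path, home):
    """Return findings for one config file; an empty list means it looks safe."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Group/other write lets another local user repoint dt_codecs.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("config writable by group/other: %o" % mode)
    with open(path) as fh:
        codecs = parse_config(fh.read()).get("dt_codecs")
    if codecs is None:
        return findings
    real_home, real_codecs = os.path.realpath(home), os.path.realpath(codecs)
    # Codec libraries loaded from outside the victim's home are not under their control.
    if not real_codecs.startswith(real_home + os.sep):
        findings.append("dt_codecs outside home: " + codecs)
    if os.path.isdir(real_codecs) and os.stat(real_codecs).st_mode & stat.S_IWOTH:
        findings.append("dt_codecs directory is world-writable: " + codecs)
    return findings

def demo():
    """Constructed scenario in temp dirs: one safe config and one set up the way
    the advisory describes. Returns (safe_findings, unsafe_findings)."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, ".") and os.path.join(root, "victim")
    os.makedirs(os.path.join(home, ".realnetworks"))
    shared = os.path.join(root, "Codecs")  # stands in for /tmp/Codecs
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    safe = os.path.join(home, ".realnetworks", "safe.cfg")
    unsafe = os.path.join(home, ".realnetworks", "RealShared_0_0")
    with open(safe, "w") as fh:
        fh.write("dt_codecs=%s\n" % os.path.join(home, "Real", "Codecs"))
    os.chmod(safe, 0o600)
    with open(unsafe, "w") as fh:
        fh.write("dt_codecs=%s\n" % shared)
    os.chmod(unsafe, 0o666)  # the permissive mode the advisory's fix removes
    return audit_realnetworks_config(safe, home), audit_realnetworks_config(unsafe, home)
```

Running `demo()` reports nothing for the safe config and three findings for the trojaned setup: the writable config, a `dt_codecs` path outside the home directory, and a world-writable codec directory.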